Over the last few months the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has, for better or worse, emerged as the de facto arbiter of which vulnerability remediation efforts organizations should prioritize.
Most recently, CISA ordered Federal Civilian Executive Branch (FCEB) agencies to patch, by Feb. 18, Windows systems affected by CVE-2022-21882, a privilege-escalation flaw that allows an attacker with local access to gain SYSTEM privileges.
CISA is also strongly urging all public and private sector organizations to reduce their exposure to ongoing cyberattacks by adopting the same directive and prioritizing mitigation of the vulnerabilities listed in its catalog of actively exploited security flaws (the Known Exploited Vulnerabilities catalog).
Most successful cyberattacks involve a known vulnerability that wasn't patched. Organizations largely fail to patch for one of three reasons: they can't track and prioritize which patches to apply, end users can't be bothered to update their applications or systems, or they worry that a patch will break an application because it depends on a component that would also need to be updated.
Cybercriminals are, of course, all too aware of these foibles. For all the recent concern over zero-day vulnerabilities, the number of known vulnerabilities that can be easily exploited is enormous. Cybercriminals are in no rush to burn a zero-day when there is no shortage of low-hanging attack vectors that can be exploited with less effort. The CISA catalog at the very least provides a baseline for which vulnerabilities should be prioritized, based on evidence that they are actually being exploited rather than on a theoretical severity score. In that regard, the CISA catalog is a noble endeavor in terms of putting tax dollars to work on behalf of the nation.
Of course, there is no shortage of sources of cyber intelligence. The issue has always been distinguishing between alerts and truly actionable intelligence. Many IT teams are inundated with alerts to the point where they have become inured to them, and many breaches that are discovered later turn out to involve an issue the IT team was alerted to previously; the signal simply got lost in the noise.
Cybercriminals are obviously counting on the fact that IT teams are too overwhelmed to address every known vulnerability in IT environments that grow more extended with each passing day. The number of attack surfaces that need to be patched regularly has in many cases simply become too great. Add in all the unmanaged platforms that were attached to corporate networks without anyone knowing, or were simply forgotten, and it becomes clear just how challenging it is to keep every platform updated.
Nevertheless, the battle must be waged. Doing next to nothing because the task is gargantuan will lead to certain disaster, and every IT organization is obligated to make a best effort. The CISA guidance not only provides a good place to start, it also provides something of a benchmark. In an ideal world, most organizations would have identified and remediated the critical vulnerabilities before any government entity got around to issuing a notification. One benchmark IT teams should consider tracking is how often they remediated a vulnerability before CISA added it to the catalog.
Like most benchmarks, its purpose should be to give IT teams a goal; there is no need to base performance reviews on it. Most IT leaders know how good their teams are without tracking benchmarks. However, a company should be able to regularly outperform a large, bureaucratic government agency. That's not to say there aren't plenty of talented IT personnel working for government agencies; it's just that, given all the legacy platforms and internal processes they need to navigate, the odds that their applications and systems are current will always be stacked against them.
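The benchmark described above can be computed mechanically from the catalog and an internal patch ledger. The following is an added example, not code from the article or from CISA: it buckets each catalog entry as fixed before CISA listed it, fixed within CISA's due date, fixed late, or still open past the due date, and reports the share fixed ahead of CISA. The field names (cveID, dateAdded, dueDate, requiredAction) follow the published KEV JSON schema; the three-entry catalog excerpt, the remediation ledger, the as-of date and the optional in_scope set are constructed here so the script runs offline.

```python
"""Measure patch performance against the CISA Known Exploited Vulnerabilities
(KEV) catalog. Added example, not from the article. Catalog field names follow
CISA's published JSON schema; the catalog excerpt, remediation ledger and
as-of date below are constructed for the example. Swap
load_catalog(SAMPLE_KEV_JSON) for fetch_catalog() to run against the live feed."""
from __future__ import annotations

import json
import urllib.request
from collections import Counter
from datetime import date

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt in the shape of the real feed (three entries, fields trimmed).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2022-21882", "vendorProject": "Microsoft", "product": "Win32k",
         "dateAdded": "2022-02-04", "dueDate": "2022-02-18",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed internal ledger: CVE -> date the last affected asset was patched.
# A CVE absent from the ledger is still open.
SAMPLE_REMEDIATED = {
    "CVE-2022-21882": date(2022, 2, 2),    # patched two days before CISA listed it
    "CVE-2021-44228": date(2021, 12, 12),  # patched after listing, inside the due date
}
AS_OF = date(2022, 2, 10)  # constructed "today" for the report


def load_catalog(raw_json: str) -> list[dict]:
    """Parse the feed's JSON and return the list of catalog entries."""
    return json.loads(raw_json)["vulnerabilities"]


def fetch_catalog(url: str = KEV_FEED_URL, timeout: float = 30.0) -> list[dict]:
    """Download the live catalog (needs network access; not used in the sample run)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_catalog(resp.read().decode("utf-8"))


def classify(entry: dict, remediated: dict[str, date], today: date) -> str:
    """Bucket one catalog entry against the internal remediation ledger."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    fixed = remediated.get(entry["cveID"])
    if fixed is None:
        return "overdue" if today > due else "open"
    if fixed <= added:
        return "ahead_of_cisa"      # the benchmark the article proposes
    if fixed <= due:
        return "within_due_date"
    return "late"


def benchmark(catalog: list[dict], remediated: dict[str, date], today: date,
              in_scope: set[str] | None = None) -> dict:
    """Summarize the catalog. in_scope, if given, restricts the denominator to CVEs
    the asset inventory says are actually present; unscoped KEV entries for products
    you do not run would otherwise inflate the backlog."""
    entries = [e for e in catalog if in_scope is None or e["cveID"] in in_scope]
    buckets = {e["cveID"]: classify(e, remediated, today) for e in entries}
    counts = Counter(buckets.values())
    total = len(entries)
    return {
        "total": total,
        "counts": dict(counts),
        "ahead_of_cisa_share": counts["ahead_of_cisa"] / total if total else 0.0,
        "overdue": sorted(cve for cve, bucket in buckets.items() if bucket == "overdue"),
    }


if __name__ == "__main__":
    report = benchmark(load_catalog(SAMPLE_KEV_JSON), SAMPLE_REMEDIATED, AS_OF)
    print(json.dumps(report, indent=2))
```

Run it as-is for the constructed sample, or replace the sample ledger with an export from the patch-management system keyed by CVE. The overdue list is the actionable output; the ahead_of_cisa share is the trend number to track over time, and scoping the denominator to the asset inventory keeps it honest.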
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.