This article started off as an extended conversation between me and a close colleague about a report. But it was not just any report – it was a report from US-CERT no less and the conversation quickly turned into one of my classic, assertive and insightful analyses – some may call it a “rant” – of shameful Cyber Security failures.
What is odd to me is that such purely negative data was not picked up by vendors or the InfoSec press, and the report had little fanfare associated with it. I was always under the impression that "bad news" sold, but perhaps its six pages of raw brutality were more than anyone wants to hear.
The report is here. I have a problem with it, and if you're in the cyber security industry you should too.
Have a good read through it – I'll wait for you to finish. One way to look at this report is as a "State of the Blue Team", and the state is ugly. Another way to look at the data is as a call to action; it is by far the worst "state of the industry" report I have seen.
It also happens to contain a list of the most likely reasons organizations continue to get rolled by cybercriminal malware in increasing numbers. So, what about this report has me frothing-at-the-mouth angry? Two entries, really, in its "Top 10 Most Exploited Vulnerabilities 2016–2019":
CVE-2012-0158 and CVE-2015-1641, both of them exploited through Microsoft Office documents. It's amazing to me that among the top (top being the operative word) most exploited vulnerabilities we have one that is eight years old and one that is five years old. This tells us so much about the "global vulnerability picture", and it feels like, at least when it comes to Microsoft Office, we have made minimal progress. What is wrong with organizations that can't seem to patch on a five- or eight-year cycle?
I think it's time for a shouty conversation, because we need to work out where vulnerability management incompetence turns into vulnerability management negligence, and by proxy organizational negligence. I think the line is somewhere between five and eight years. There is more data here, and it brings two more uncomfortable truths to light.
One, every one of the "Top Most Exploited" has a vendor patch available, and two, if you applied patches within a year of release you would have mitigated all of them. That's right: a yearly patch cycle, and nothing exploiting the "Top Most Exploited" would work against you, but apparently that seems to be too much to ask.
Data is supposed to be how we make decisions. Everyone wants to measure everything, so why the hell do we ignore data on vulnerabilities from 2012 and 2015 that are taking down organizations? Is it cognitive dissonance, burnout, misplaced faith in anti-virus software, or what?
Simply put, we got a US-CERT report card on vulnerability management, and the team could be doing a much better job.
We keep hearing "we need better tools and/or data to fight cybercrime", but when a report comes out from an authoritative source and tells us *exactly what we should do*, it seems to get 0.0 percent coverage.
I think it's fair to say that organizations still exposed to malware targeting CVEs from 2012 and 2015 may not have only the IT security or IT department to blame; my guess is there is a stack of legacy tech, or a historical (and tragic) lack of life cycle management, behind it. That's OK. Here is a cyber anger management plan (get written permission from your organization before you scan anything):
- Download OpenVAS here.
- Scan your infrastructure (all of it, including the legacy hosts nobody wants to own).
- Prioritize your patching, updating and life cycle management program so the most exploited and oldest findings go first.
- Make sure you have solid, tested backups before you touch anything.
- Test the patches on representative systems to make sure they do not disrupt functionality.
- Roll them out.
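As an added example (not from the original post, and not OpenVAS code), here is a small Python triage script that turns the plan above, and the earlier "patch within a year and you would have mitigated all of them" point, into something you can actually check: it reads a scanner export, pulls out the findings that match the ten CVEs in the US-CERT list, orders the patch queue with those first and oldest first, and lists what a yearly cadence should already have closed. The CSV layout (host, cve, cvss) and the hosts in it are constructed for the example; a real OpenVAS/GVM export carries more columns, so map its field names accordingly. The eight CVEs beyond the two named in the post are the remaining entries of the report's own top-ten list.

```python
"""Triage scanner findings against the US-CERT "Top 10 Most Exploited" list.

Added example, not code from the original post. The CSV layout below is an
assumption (host,cve,cvss); adjust the column names for a real scanner export.
"""
import csv
import io
from collections import defaultdict

# The ten CVEs in the US-CERT "Top 10 Most Exploited Vulnerabilities 2016-2019".
TOP_EXPLOITED = {
    "CVE-2017-11882", "CVE-2017-0199", "CVE-2017-5638", "CVE-2012-0158",
    "CVE-2019-0604", "CVE-2017-0143", "CVE-2018-4878", "CVE-2017-8759",
    "CVE-2015-1641", "CVE-2018-7600",
}

REPORT_YEAR = 2020  # the report was published in 2020; used to compute CVE age

# Constructed sample scan export: private addresses, not real hosts.
SAMPLE_SCAN = """host,cve,cvss
10.0.0.5,CVE-2012-0158,9.3
10.0.0.5,CVE-2020-0601,8.1
10.0.0.7,CVE-2015-1641,9.3
10.0.0.7,CVE-2019-0708,9.8
10.0.0.9,CVE-2017-11882,7.8
10.0.0.9,CVE-2018-0802,7.8
"""


def cve_year(cve_id):
    """Year embedded in a CVE identifier (CVE-YYYY-NNNN); a proxy for age."""
    return int(cve_id.split("-")[1])


def parse_scan(text):
    """Read a host,cve,cvss CSV into a list of finding dicts."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "host": row["host"].strip(),
            "cve": row["cve"].strip().upper(),
            "cvss": float(row["cvss"]),
        })
    return findings


def priority_key(finding):
    """Sort key: known-exploited first, then oldest CVE, then highest CVSS."""
    return (
        0 if finding["cve"] in TOP_EXPLOITED else 1,
        cve_year(finding["cve"]),
        -finding["cvss"],
    )


def prioritize(findings):
    """Patch queue in the order the post argues for."""
    return sorted(findings, key=priority_key)


def top_exploited_hosts(findings):
    """Map each host to the top-exploited CVEs it is still carrying."""
    hosts = defaultdict(set)
    for f in findings:
        if f["cve"] in TOP_EXPLOITED:
            hosts[f["host"]].add(f["cve"])
    return dict(hosts)


def overdue(findings, max_age_years, as_of=REPORT_YEAR):
    """Findings whose CVE is older than max_age_years as of the given year.

    With max_age_years=1 this is the "yearly patch cycle" test: anything it
    returns should already have been closed. The CVE year is only an
    approximation of the patch release date.
    """
    return [f for f in findings if as_of - cve_year(f["cve"]) > max_age_years]


if __name__ == "__main__":
    found = parse_scan(SAMPLE_SCAN)
    print("Patch order:")
    for f in prioritize(found):
        flag = "TOP-EXPLOITED" if f["cve"] in TOP_EXPLOITED else ""
        print(f"  {f['host']:<10} {f['cve']:<15} cvss={f['cvss']:<4} {flag}")
    print("Hosts carrying top-exploited CVEs:", top_exploited_hosts(found))
    print("Would have been closed by a yearly cycle:",
          [f["cve"] for f in overdue(found, 1)])
```

Run it against your own export after the scan step and hand the "Hosts carrying top-exploited CVEs" list to whoever owns patching; it is the shortest possible version of the report card, scoped to your estate.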
Here is the secret for those of you looking to get into the profession who find yourselves in an interview. This is your plan to make the organization more secure, and far less embarrassed if it does get pwnd; hopefully not by a five-year-old (or older) vulnerability.
Arrive armed with a plan to enumerate the organization for these "Top Most Exploited", to test the patches and then to deploy them; that would be pretty impressive. And apparently you would also be ahead of many of the folks already working in the cyber security profession.
Take this advice as a career guide and commit to making what US-CERT clearly regards as a terrible state of affairs a lot better for your organization.