If you had a list of the Top 30 vulnerabilities routinely exploited by Cyber Criminals in 2020 and 2021, would you want to resolve them?
Cyber security breach mitigation is often as simple as knowing what you have, knowing what is at risk, and doing the right thing to eliminate risk through continuous vulnerability and patch management practices. Unfortunately, in nearly all breaches and intrusions Keller Schroeder assists with, as well as those seen throughout the industry, the root cause is typically the successful exploitation of a known vulnerability, or a routine infrastructure hardening requirement that was never implemented.
Anyone who has spent time with me long enough has likely heard me say the phrase, ‘You don’t know what you don’t know, until you know’. I often use this phrase when referring to the importance of continuous vulnerability and patch management. Although you may have the best IT team in the world managing your environment, it is difficult to defend against what you have not identified. By having a proven method of always knowing, at a moment’s notice, what your current risk and vulnerability posture is, you are better prepared to know when to respond rapidly and when to relax.
Wouldn’t it be fantastic if a list of known vulnerabilities existed to help you resolve them before your systems are compromised? Luckily, in late July 2021, a Joint Cybersecurity Advisory was coauthored by the US Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the US Federal Bureau of Investigation (FBI). The advisory provides specific details on the top 30 vulnerabilities routinely exploited by malicious cybercriminals in 2020 and into 2021 to help technology teams and organizations across the globe mitigate their risk. You can view this advisory at: https://us-cert.cisa.gov/ncas/alerts/aa21-209a
Four of the most heavily targeted exposures affected remote workers, VPNs, or cloud-based technologies. Many victims in 2020 and 2021 could have avoided becoming a statistic had they implemented a strong continuous vulnerability and patch management program, one that would not only have identified these issues earlier, but would also have provided the valuable time needed to mitigate them before they were exploited. The most exploited vulnerabilities in 2020 are detailed in the table below. If any of these vulnerabilities exist in your environment, your chances of being compromised are much higher than for those who do not have these exposures.

| Vendor | CVE | Type |
|---|---|---|
| Citrix | CVE-2019-19781 | Arbitrary Code Execution |
| Pulse | CVE-2019-11510 | Arbitrary File Reading |
| Fortinet | CVE-2018-13379 | Path Traversal |
| F5 – Big IP | CVE-2020-5902 | Remote Code Execution (RCE) |
| MobileIron | CVE-2020-15505 | Remote Code Execution (RCE) |
| Microsoft | CVE-2017-11882 | Remote Code Execution (RCE) |
| Atlassian | CVE-2019-11580 | Remote Code Execution (RCE) |
| Drupal | CVE-2018-7600 | Remote Code Execution (RCE) |
| Telerik | CVE-2019-18935 | Remote Code Execution (RCE) |
| Microsoft | CVE-2019-0604 | Remote Code Execution (RCE) |
| Microsoft | CVE-2020-0787 | Elevation of Privilege |
| Netlogon | CVE-2020-1472 | Elevation of Privilege |
Having been in Information Technology since the 80s, and having spent most of that time immersed in the Information Security realm, I have noticed a few commonalities among security incidents and breaches. Even though technology continues to evolve, successful criminal activity still tends to exploit the same core deficiencies in security awareness, system hardening, vulnerability and patch management, and password management.
A few questions to think about…
If you need any assistance with understanding the details within the advisory, understanding your current cybersecurity posture, your preparedness for a breach, or any other cyber security topic, we would love to have a discussion with you. Contact us today, and let’s chat about your environment and ways to lower your chances of becoming a victim of cybercrime.
Brad Mathis, CISSP
Senior Consultant, Information Security