Wednesday 6 October 2021

To Heck with Vulnerability - 2020

As each year closes it is worth taking a step back. At the end of 2020, as if a viral pandemic wasn't bad enough, we also had to deal with digital weaknesses that left us open to human attacks against our digital infrastructure.


One thing I'd like to point out about vulnerability is that the vulnerabilities reported in a given year may or may not be the ones that the most frequent top attacks actually use to exploit targets that year.



The grand majority of the top vulnerabilities reported by the US Cybersecurity and Infrastructure Security Agency (CISA) as used by attackers for exploitation in 2020 were not reported in 2020 but earlier. This proves that the longer organizations take to patch, the longer a vulnerability stays useful to attackers, thereby increasing the general global attack surface.


The number of vulnerabilities disclosed per year looks like a bull market. Something tells me there won't be any crash in this trajectory line.


CVE stands for Common Vulnerabilities and Exposures. CVE numbers are assigned by a CVE Numbering Authority (CNA); MITRE is the primary CNA now. The name of each vulnerability follows the convention CVE-[Year Reported]-[Arbitrary Digits].


The vulnerabilities that I cover in my video CVE Rogues Gallery [2020 Edition] - Vulnerabilities and Exposures can be seen here:




Based on government data reported by the US Cybersecurity and Infrastructure Security Agency (CISA) in their exciting and newly revised Alert AA21-209A (as of August 2021), the majority of the top vulnerabilities identified as exploited by attackers in 2020 were not reported in 2020 but earlier.


In 2020, more than 66 percent of the top CVEs used were reported in previous years. Only about 33% of the top CVEs targeted for attack on this list were actually reported in 2020. Patching quickly and remediating ahead of the curve is still extremely important. Attackers can easily discover your weak spots, and those threat actors don't care when the CVEs were published or released; they just hope you are late to remediate.
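As an added illustration (not code from the original post), the script below parses CVE identifiers using the CVE-[Year]-[Digits] convention described earlier and computes what share of a year's top exploited list was assigned in earlier years, the same measure behind the 66% / 33% split above. The identifier list is constructed for the example and is not the AA21-209A list; the function names and the 2020 reference year are my own choices.

```python
import re
from collections import Counter

# The CVE naming convention: "CVE-" + four-digit year + at least four arbitrary digits.
# Lower-case input is accepted; surrounding whitespace is ignored.
CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def is_cve_id(text):
    """True if the string is a well-formed CVE identifier."""
    return CVE_ID.match(text.strip().upper()) is not None


def cve_year(cve_id):
    """Return the year embedded in a CVE identifier; raise ValueError if malformed."""
    match = CVE_ID.match(cve_id.strip().upper())
    if not match:
        raise ValueError(f"not a valid CVE identifier: {cve_id!r}")
    return int(match.group(1))


def exploitation_lag(cve_ids, exploited_year):
    """Summarise how old the CVEs on an 'exploited in <year>' list are.

    Returns the share (percent, one decimal) assigned before the reference year,
    the share assigned in that year, a per-year count, and the age in years of
    the oldest identifier on the list.
    """
    if not cve_ids:
        raise ValueError("empty CVE list")
    years = [cve_year(c) for c in cve_ids]
    prior = sum(1 for y in years if y < exploited_year)
    same = sum(1 for y in years if y == exploited_year)
    total = len(years)
    return {
        "total": total,
        "prior_year_share": round(100.0 * prior / total, 1),
        "same_year_share": round(100.0 * same / total, 1),
        "by_year": dict(sorted(Counter(years).items())),
        "oldest_age": exploited_year - min(years),
    }


# Constructed sample list (hypothetical identifiers chosen for the example; this is
# NOT the CISA AA21-209A list). Eight of twelve entries predate 2020.
SAMPLE_TOP_2020 = [
    "CVE-2017-90001",
    "CVE-2018-90001", "CVE-2018-90002",
    "CVE-2019-90001", "CVE-2019-90002", "CVE-2019-90003", "CVE-2019-90004", "CVE-2019-90005",
    "CVE-2020-90001", "CVE-2020-90002", "CVE-2020-90003", "CVE-2020-90004",
]

if __name__ == "__main__":
    summary = exploitation_lag(SAMPLE_TOP_2020, 2020)
    print(f"{summary['prior_year_share']}% of the list predates 2020; "
          f"oldest entry is {summary['oldest_age']} years old")
    print("per year:", summary["by_year"])
```

Feed it your own list (for example, the identifiers from a vendor advisory or the CISA alert linked below) and the `oldest_age` figure gives a quick sense of how long unpatched flaws remain attractive; a high `prior_year_share` is the signal that remediation backlog, not new research, is what attackers are exploiting.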


Top Routinely Exploited Vulnerabilities 2020: CISA Alert (AA21-209A): https://us-cert.cisa.gov/ncas/alerts/aa21-209a 




But make no mistake, it isn't just Critical and High severity CVEs that you need to worry about: even Low and Medium severity vulnerabilities, when chained together, can lead to full compromise.


General recommendations in line with protecting against these vulnerabilities are:

  • Don’t leave services on if you don’t need them

  • Make patching and upgrading a priority 

  • Don’t give users administrative credentials just because they want them. Make sure there is a business need. Their primary login should be a standard user account, not an administrator account.

  • Train users to understand that they are part of the security stack of your organization.  The security controls that you have implemented in your organization don’t have magic powers and still require users to act cautiously, with mindful deliberation and with security in mind.


The best advice is to have a serious and responsive upgrade and patching program, a dedicated Vulnerability Management practice, Incident Response Management, a solid implementation of defense-in-depth across your security stack, and good cyber hygiene.