Security vulnerabilities: you don’t know what you’re missing
It seems that a week hardly ever goes by without another IT security issue making the headlines somewhere, whether on specialist websites, social media or, on occasion, even national media. I regularly receive enquiries from eagle-eyed clients asking if we are using one tool or another that’s been identified with a vulnerability. Checking your supply chain is a good thing – but how do we know what’s out there in the wild and just how much is there?
The Cybersecurity and Infrastructure Security Agency, a US government agency more commonly known as CISA, maintains an up-to-date reference that’s freely available on the internet and worth a regular look. Although it was originally intended for US federal civilian agencies, CISA highly recommends that businesses review and monitor it too. Everything listed in its “Known Exploited Vulnerabilities Catalog” is there based upon “evidence of known exploitation”. The list currently contains items that were added since November 2021 and, as CISA say in their latest bulletin, “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk”. The number of items in the list when I looked today? 613.
Think about that for a moment: 613 vulnerabilities, all of which are known to have been exploited. They are not theoretical vulnerabilities, and they are not reports from the lab or right-minded people sharing some new information. They are real, they are out there and there are reports of all of them being exploited. As one of the criteria for inclusion states:
“There is reliable evidence that the vulnerability has been actively exploited in the wild.”
There’s no particular theme either. Name a platform and it’s probably there. Business and home networking; development kits; storage systems; drivers; popular applications and almost every operating system you can think of.
The list is searchable, and each entry includes a brief description, a link to the associated and highly detailed NIST CVE report, and a recommended action. In most cases, the action is pretty simple: “Apply updates per vendor instruction”. Thank goodness, then, that a second criterion for inclusion states that:
“There is a clear remediation action for the vulnerability, such as a vendor provided update.”
Keeping software up to date has never been so important.
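CISA also publishes the catalog as a JSON feed, so the check clients ask about can be automated. The following is an added example, not part of the original article: it matches a constructed list of scanner findings against a constructed excerpt in the feed's format and orders the hits by how far past CISA's due date they are. The CVE IDs, hosts, vendors and dates are placeholders, and `kev_hits` and `AS_OF` are hypothetical names.

```python
import json
from datetime import date

# Constructed excerpt using the field names of CISA's KEV JSON feed.
# CVE IDs, vendors, products and dates are placeholders, not real entries.
KEV_SAMPLE = json.loads("""
{"count": 3, "vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleNet", "product": "Edge Router",
  "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
  "requiredAction": "Apply updates per vendor instruction"},
 {"cveID": "CVE-0000-0002", "vendorProject": "ExampleSoft", "product": "Web Server",
  "dateAdded": "2022-01-10", "dueDate": "2022-01-24",
  "requiredAction": "Apply updates per vendor instruction"},
 {"cveID": "CVE-0000-0003", "vendorProject": "ExampleOS", "product": "Kernel Driver",
  "dateAdded": "2022-03-01", "dueDate": "2022-03-15",
  "requiredAction": "Apply updates per vendor instruction"}
]}
""")

# Constructed scanner output: (host, CVE ID). Real tools vary in case and spacing.
FINDINGS = [("web01", "cve-0000-0002 "), ("fw01", "CVE-0000-0001"),
            ("db01", "CVE-0000-9999"), ("web02", "CVE-0000-0003")]

AS_OF = date(2022, 2, 1)  # fixed "today" so the output is reproducible


def kev_hits(catalog, findings, today):
    """Return findings whose CVE is in the catalog, most overdue first."""
    entries = catalog["vulnerabilities"]
    if catalog.get("count") != len(entries):
        raise ValueError("catalog looks truncated: count does not match entries")
    by_cve = {e["cveID"].upper(): e for e in entries}
    hits = []
    for host, cve in findings:
        entry = by_cve.get(cve.strip().upper())
        if entry is None:
            continue  # not in this catalog; handle in the normal patch cycle
        # dueDate is the deadline CISA sets for US federal agencies; it is
        # used here only as a priority signal.
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"host": host, "cve": entry["cveID"],
                     "product": f'{entry["vendorProject"]} {entry["product"]}',
                     "action": entry["requiredAction"],
                     "days_overdue": (today - due).days})
    return sorted(hits, key=lambda h: h["days_overdue"], reverse=True)


if __name__ == "__main__":
    for h in kev_hits(KEV_SAMPLE, FINDINGS, AS_OF):
        print(f'{h["host"]:6} {h["cve"]} {h["product"]:24} '
              f'{h["days_overdue"]:+4d}d  {h["action"]}')
```

A negative `days_overdue` means the due date has not yet passed; findings that are absent from the catalog are simply not reported by this check.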