The Cybersecurity and Infrastructure Security Agency (CISA) published Alert AA20-133A to their “top 10” routinely exploited vulnerabilities this week. While it is informative and a useful centralized source of information, it comes across as just another datapoint to overwhelm asset owners (or maybe it’s not if CISA is aiming for professionals mostly).
Before I continue with my perspective, let's keep in mind these main considerations:
- There have been two growing trends by various actors:
- Weaponized software using aging known vulnerabilities (either for sale, or for selfish purposes)
- Exploits targeting infrastructure and applications that are used for network connectivity or used for remote access (e.g., VPNs)
- These vulnerabilities are not everywhere, but multiple steps/vulnerabilities may be required to successfully exploit a flaw. (e.g., network access to a system, that has legacy OLE applications, which can then be used to infect other systems…)
- The presence of a vulnerability does not mean exploitability nor increased risk
With those considerations in mind, here are my quick positives:
- The alert is a great summary, and a link I would send to a specific audience of friends and contacts for a niche reason
- Focuses on updating applications and Operating Systems but does not really acknowledge compensating controls as an effective option in the OT space for managing vulnerabilities & endpoints, which often possess THE vulnerabilities.
- The recommendation of update library and software components like .NET is fair, but that is also a nitpick– IF you can (this deserves an entire article on its own)
- Notes malware/groups that are actively exploiting a vulnerability (which can be a great criterion when prioritizing vulnerabilities)
- Disable, harden, or isolate endpoints/applications that use Microsoft Object Linking and Embedded for various communications IF possible (e.g., OPC & SMB in many cases).
- Deny, limit and track network connections (e.g., use your firewall properly, segment hosts, and act on any alert from new/anomalous network flows)
- Protect against any attempt that target vulnerabilities in Remote Desktop (RDP), Terminal Services, VPNs, and other remote software/infrastructure (e.g., Citrix, Checkpoint, PulseSecure, Cisco, PaloAlto, Juniper etc…)
And the negatives (nitpicks):
- CISA’s “top” vulnerabilities do not map entirely to CVEs relevant to critical infrastructure and industrial control systems/OT. E.g., Drupal - what does an Opensource CMS have anything to do with process control…?
- The common mitigation of: “update affected Microsoft products with the latest security patches” is a clumsy blanket statement that does not apply in every situation
- Naming a technology such as Office365 due to its likelihood to be used by an asset owner (especially with CovID) is like carpet bombing a forest for an ant nest; the how & extent is essential in order to understand a vulnerabilities actual likelihood of exploitation
- Creates more mud in the vulnerability swamp; more issues to be flagged, and little in the way of how to deal with them across People, Process, and Technology (PPT)
For this article to be helpful to asset owners, CISA should have offered more context on topics that reduce risks vs. merely reporting on exploit metrics:
- Better categorization of risks, vs. calling out the “observed” usage of CVE’s themselves. The vectors (or CPEs) are far more important to enumerate and derive risk to an organization
- Stating that software supply chain/component risk are one of the leading sources of vulnerabilities (whether being reported/disclosed or exploited) was not noted. This is bad because the same library (e.g., .NET) can be used in many products, and by many vendors. Guidance and solutions are needed here if vendors cannot (or will not)
- Note that most vulnerabilities are exploitable by being networked/connected, but that they also reside on hosts that can often be managed. This is the network enabled attack surface, but also the participants externally, internally, and at the edges of… Nation states, whatever APT are always poking at systems attached to the Internet, the real problem is determining if anything is awry vs. the usual noise
- Provide more prescriptive advice on a vulnerability in the form of: if you are a. and have b. and are using it for c. then be concerned and investigate X supplementary material
- Engage in less perpetuation of some common OT cybersecurity myths. Vulnerability management can be effectively done in OT environments in a variety of situations without massive investments in time or efforts
- And the lack of understanding/meaningful remediation strategies that to secure an organization REQUIRES both network & ENDPOINTS security
Don’t get me wrong, regular and timely updates are great for the right individual/audience (e.g., I quickly skim it when I grab my first morning coffee), but alerts such as this one can be made better for the audience communities such as this are supposed to protect; it was just more of the same, and missed the why should I care, and what should I do about it.
Information needs a purpose, and it needs clarity, context for usage and action. Otherwise, it will never provide its true potential.