2020-05-14

It has been reported that US cybersecurity agencies have outlined the top 10 most exploited software vulnerabilities across the past 4 years. The report, authored by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) and the FBI, urges organisations in the public and private sector to apply the necessary updates in order to prevent the most common forms of attack encountered today. This includes attacks carried out by state-sponsored, non-state, and unattributed threat actors. US government officials argue that applying patches could degrade the cyber arsenal of foreign actors targeting US entities, as they’d have to invest resources into developing new exploits rather than relying on old and tested bugs.
EXPERTS' COMMENTS
Eoin Keary, CEO and Cofounder, Edgescan
May 14, 2020
It’s also of importance to note that common vulnerabilities used to exploit systems are years old and not "zero day" issues.
The DHS report appears to align with what we are seeing in the wild, detailed in the Edgescan Vulnerability Stats Report. CVEs are an attack vector which should be mitigated with good patching and/or maintenance procedures. It’s also of importance to note that common vulnerabilities used to exploit systems are years old and not "zero day" issues. Web application vulnerabilities should also be mentioned, as they open organisations up to code injection attacks and client-side browser attacks. Ultimately, attackers don’t care where the vulnerability is, which is why a full-stack vulnerability management approach is advised in such a fast-changing threat landscape.
Tim Mackey, Principal Security Strategist, Synopsys CyRC
May 14, 2020
The majority of the vulnerabilities listed are within Windows
Understanding attack vectors used in large-scale attacks is always valuable to defenders, particularly those whose business would count as a prime target. In the CISA Top 10 Vulnerabilities Report we see confirmation that attackers do indeed exploit vulnerabilities in older software, and that the “long-tail” patch problem we’ve seen within open source is as prevalent within IT organisations using Microsoft software. This speaks to a need across all levels of government and within industry to fully understand precisely what software is running within their organisations, and to develop a patch strategy which not only ensures systems are kept up to date, but also that, if a legacy system must remain operational, additional protections around these legacy systems are applied. While the majority of the vulnerabilities listed are within Windows, this report also highlights one of the challenges when managing open source software – accurate security information. The report highlights CVE-2017-5638 within the open source Apache Struts software as third on its top 10. This vulnerability is the one exploited in the 2017 Equifax data breach, among many more. In the mitigations section, the report provides guidance for CVE-2017-5638 that an upgrade to version 2.3.32 is advisable. That advice was valid at the point the CVE disclosure was issued, but in November 2018 the Apache Struts community issued a notification that support for Struts 2.3 would end within six months. This means that any current users of Struts 2.3 are no longer receiving security updates.
Unlike commercial software vendors who are able to push updates to their customers, consumers of open source software must proactively engage with the communities creating their software in order to become aware of important milestones like end of support. This observation is one of the key findings in the 2020 Open Source Security and Risk Analysis (OSSRA) report issued by Synopsys on May 12th.
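The inventory-versus-advisory check that both comments above argue for, written as an added example (not code from the article, the CISA report, Edgescan or Synopsys): it flags a component when its version is below the advisory's fixed version on its maintenance branch, and separately when that branch has itself left support, which is the gap Tim Mackey describes for Struts 2.3.32. The inventory, the `other-lib` entry and the end-of-life table are constructed sample data; the only facts taken from the page are CVE-2017-5638, the advised fix version 2.3.32, and the end of support for the Struts 2.3 line. Fix versions for other Struts branches are not on the page, so the check reports those as unknown rather than guessing.

```python
"""Inventory check against a vulnerability advisory plus an end-of-life table.

Added example; not code from the article, the CISA report, Edgescan or Synopsys.
Real facts used: CVE-2017-5638, the advised fix 2.3.32, and the end of support
for the Apache Struts 2.3 line. Everything else below is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    cve: str
    # maintenance branch ("2.3") -> first version on that branch carrying the fix
    fixed_by_branch: dict[str, str]


def parse_version(version: str) -> tuple[int, ...]:
    """'2.3.32' -> (2, 3, 32); tuples compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def branch_of(version: str) -> str:
    """'2.3.31' -> '2.3': major.minor identifies the maintenance line."""
    return ".".join(version.split(".")[:2])


# Advisory data as quoted in the article: CVE-2017-5638, fix in 2.3.32 on the
# 2.3 line. The page gives no fix version for other branches, so none is listed.
ADVISORIES: dict[str, list[Advisory]] = {
    "apache-struts": [Advisory("CVE-2017-5638", {"2.3": "2.3.32"})],
}

# Branches that no longer receive security updates. Struts 2.3 is from the
# article; "other-lib" is a constructed placeholder component.
EOL_BRANCHES: dict[str, set[str]] = {
    "apache-struts": {"2.3"},
    "other-lib": {"1.0"},
}


def assess(component: Component,
           advisories: dict[str, list[Advisory]] = ADVISORIES,
           eol_branches: dict[str, set[str]] = EOL_BRANCHES) -> list[str]:
    """Return findings for one inventory entry.

    VULNERABLE: version is below the fixed version on its branch.
    UNKNOWN:    the advisory table has no entry for this branch; consult the
                vendor advisory instead of assuming the component is safe.
    EOL:        the branch itself is out of support, so even a patched
                version will not receive fixes for the next CVE.
    """
    findings: list[str] = []
    branch = branch_of(component.version)
    for advisory in advisories.get(component.name, []):
        fixed = advisory.fixed_by_branch.get(branch)
        if fixed is None:
            findings.append(f"UNKNOWN:{advisory.cve}:no fix data for branch {branch}")
        elif parse_version(component.version) < parse_version(fixed):
            findings.append(f"VULNERABLE:{advisory.cve}:upgrade to {fixed}")
    if branch in eol_branches.get(component.name, set()):
        findings.append(f"EOL:{branch} line no longer receives security updates")
    return findings


def report(inventory: list[Component]) -> dict[str, list[str]]:
    """Map 'name@version' to its findings; clean entries are kept with []."""
    return {f"{c.name}@{c.version}": assess(c) for c in inventory}


if __name__ == "__main__":
    # Constructed inventory: one vulnerable, one patched-but-unsupported,
    # one on a branch the page gives no fix data for, one unrelated component.
    sample = [
        Component("apache-struts", "2.3.31"),
        Component("apache-struts", "2.3.32"),
        Component("apache-struts", "2.5.5"),
        Component("other-lib", "2.0.0"),
    ]
    for entry, findings in report(sample).items():
        print(entry, findings or ["OK"])
```

The point the second entry makes is the one in the comment: a Struts 2.3.32 install passes the CVE check yet still surfaces as a finding, because its branch stopped receiving updates. Treating end-of-life as a separate signal from "below fixed version" is what keeps a patch strategy honest for open source components, where nobody pushes the end-of-support notice to you.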