Advice on countering the most publicly known – and often dated – software vulnerabilities has been published for private and public sector organisations worldwide. The National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC) and the Federal Bureau of Investigation (FBI) have issued a joint advisory highlighting 30 vulnerabilities routinely exploited by cyber actors in 2020, together with those being exploited in 2021.
In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. The advisory lists the affected vendors, products and CVEs, and strongly recommends that organisations prioritise patching the vulnerabilities it lists.
Paul Chichester, the NCSC’s director for operations, stated: “We’re committed to working with allies to raise awareness of global cyber weaknesses and also present easily actionable solutions to mitigate them. The new advisory puts the power in every organisation’s hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices. Working with our international partners, we will continue to raise awareness of the threats posed by those that seek to cause harm.”
As well as alerting organisations to the threat, this new advisory directs public and private sector partners to the support and resources available to mitigate and remediate these vulnerabilities.
Guidance for organisations on how to protect themselves in cyberspace can be found on the NCSC’s website (www.ncsc.gov.uk). The organisation’s ‘10 Steps to Cyber Security’ collection provides a summary of advice for practising security and technical professionals.
On the mitigation of vulnerabilities, network defenders are encouraged to familiarise themselves with guidance on establishing an effective vulnerability management process. The NCSC’s Early Warning Service also provides vulnerability and open port alerts.
Best Practice in cyber security
Eric Goldstein, CISA’s executive assistant director for cyber security, commented: “Organisations that apply Best Practice to cyber security, such as patching, can reduce the risk posed to them by cyber actors attempting to exploit known vulnerabilities in their networks.”
Goldstein added: “Collaboration is a crucial part of CISA’s work and we’re delighted to partner with the ACSC, the NCSC and the FBI to highlight cyber vulnerabilities that public and private organisations alike should prioritise for patching to minimise their risk of being exploited by malicious actors.”
Bryan Vorndran, assistant director of cyber at the FBI, explained: “The FBI remains committed to sharing information with public and private organisations in an effort to prevent malicious cyber actors from exploiting vulnerabilities. We firmly believe that co-ordination and collaboration with our federal and private sector partners will ensure a safer cyber environment to decrease the opportunity for these actors to succeed.”
In conclusion, Abigail Bradshaw CSC (head of the ACSC) said: “This guidance will be valuable for enabling network defenders and organisations to lift collective defences against cyber threats. This advisory complements our advice available through cyber.gov.au and underscores the determination of the ACSC and our partner agencies to collaboratively combat malicious cyber activity.”