A new report from the US National Security Agency outlines the 25 vulnerabilities most commonly targeted by Chinese sponsored hackers.
Exploits for these vulnerabilities are already publicly available, but so are the patches for these flaws.
Ciaran Byrne, head of platform operations at Edgescan, provided the follwing analysis:
The details published today by the NSA of the top 25 vulnerabilities being leveraged by state-sponsored hackers is a stark reflection on patching policies of organizations. There are vulnerabilities dating back over 3 years in the list, which should have been addressed by now.
It’s important to have a procedure in place to update vulnerable software as soon as possible from the date the fix has been released. Sometimes it is not always practical or possible to update software straight away as certain elements rely on a specific version or the update requires scheduling downtime, however, a plan and a timeline should be put in place. Organisations should be asking the questions:
- Why it can’t be patched now?
- Is the software we are using/system using the software so out of date that we need to change it?
- What can we do to protect ourselves while unpatched?
- Allow access to specific ports only from a predefined list of IPs by using a firewall, or block access to the system using the software from the internet completely
- Is the current risk associated low enough to not patch – no sensitive information could be stolen, no other systems are connected, no possibility of leveraging the exposed vulnerability into something more nefarious? This risk assessment should be carried out by trained professionals
- When will we patch?
Commenting on the news, dr. Anton Grashion, an EMEA director at Corelight, added:
“Organisations should have a vulnerability patch management system in place, but when it comes to multiple bugs being leveraged as entry points it becomes harder to prioritise their severity and the urgency to patch. Ideally, all software vulnerabilities would be addressed as soon as the vendor is made aware and releases a patch. This is especially true for high profile targets such as governmental agencies, but also healthcare providers and educational institutions.
However, operational reasons often dictate that the pace of updates is sub-optimal when viewed through a cybersecurity lens. In these instances, wherever upgrading isn’t possible, it is advisable to have a network monitoring system in place, which should be equipped to detect the signs of an attempt to exploit known vulnerabilities, and could also provide detailed visibility into lateral movement through an organization’s network. This is also vital as a forensic tool should a security incident occur.”
