New advisory highlights that cybercriminals are routinely exploiting older software vulnerabilities. Here’s how risk managers can shut down the threats

A joint advisory from agencies in the UK, Australia, Canada, New Zealand, and the USA has revealed the top 12 cyber vulnerabilities that were routinely exploited last year.

The allies are warning organisations about the importance of updating systems after malicious cyber attackers were seen routinely targeting older software vulnerabilities in 2022.


More than half of the top vulnerabilities listed for 2022 also appeared on the previous year’s list.

This highlights how malicious cyber actors target previously disclosed flaws in internet-facing systems – despite security updates being available to fix them.

Attackers generally see the most success exploiting known vulnerabilities within the first two years of public disclosure and likely target their exploits to maximise impact, emphasising the benefit of organisations applying security updates promptly.


In addition to the top 12 list, the advisory also provides technical details about 30 other routinely exploited vulnerabilities, alongside mitigation advice to help organisations and software developers reduce the risk of compromise.

Jonathon Ellison, NCSC Director of Resilience and Future Technology, said: “To bolster resilience, we encourage organisations to apply all security updates promptly and call on software vendors to ensure security is at the core of their product design to help shift the burden of responsibility away from consumers.”

You can view the list of vulnerabilities here.

How to mitigate the risks

The authoring agencies recommend end-user organisations implement the mitigations below to improve cybersecurity on the basis of the threat actors’ activity.

These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).

The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organisations implement.

They are based on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures.

1) Vulnerability and configuration management

  • Update software, operating systems, applications, and firmware on IT network assets in a timely manner. Prioritise patching known exploited vulnerabilities, especially those identified in this briefing, then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
    • If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
    • Replace end-of-life software (i.e., software no longer supported by the vendor).
  • Routinely perform automated asset discovery across the entire estate to identify and catalogue all the systems, services, hardware and software.
  • Implement a robust patch management process and centralised patch management system that establishes prioritisation of patch applications.
    • Organisations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications (such as webmail, file storage, file sharing, and chat and other employee collaboration tools) for their customers. However, MSPs and CSPs can expand their customers’ attack surface and may introduce unanticipated risks, so organisations should proactively collaborate with their MSPs and CSPs to jointly reduce risk.
  • Document secure baseline configurations for all IT/OT components, including cloud infrastructure. Monitor, examine, and document any deviations from the initial secure baseline.
  • Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly.
  • Maintain an updated cybersecurity incident response plan that is tested at least annually and updated within a risk-informed time frame to ensure its effectiveness.
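The patching order the advisory asks for (known exploited first, then critical and high flaws allowing remote code execution or denial of service on internet-facing equipment, then the rest) can be applied mechanically to scanner output. The script below is an added example, not part of the advisory; the `KNOWN_EXPLOITED` set stands in for a feed such as CISA's Known Exploited Vulnerabilities catalogue, and every CVE id and hostname is a constructed placeholder.

```python
"""Patch-queue prioritisation following the advisory's ordering (added example,
not from the advisory). All CVE ids and hosts below are constructed placeholders."""
from dataclasses import dataclass

# Constructed stand-in for a known-exploited-vulnerabilities catalogue feed.
KNOWN_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0004"}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    impact: str            # "rce", "dos", "info", ...
    internet_facing: bool
    disclosed_years_ago: float


def tier(f: Finding) -> int:
    """Lower tier is patched first. Tier 0 mirrors 'known exploited'; tier 1 mirrors
    'critical and high that allow RCE or DoS on internet-facing equipment'."""
    if f.cve in KNOWN_EXPLOITED:
        return 0
    if f.cvss >= 7.0 and f.impact in ("rce", "dos") and f.internet_facing:
        return 1
    if f.cvss >= 7.0:
        return 2
    return 3


def prioritise(findings):
    """Sort by tier, then severity, then age since disclosure: the advisory notes that
    older, already-disclosed flaws are the ones being exploited, so ties go to them."""
    return sorted(findings, key=lambda f: (tier(f), -f.cvss, -f.disclosed_years_ago))


SAMPLE = [  # constructed scanner findings
    Finding("web-01", "CVE-0000-0002", 9.8, "rce", True, 0.5),
    Finding("fileshare", "CVE-0000-0001", 7.5, "rce", False, 2.0),
    Finding("web-02", "CVE-0000-0003", 7.2, "dos", True, 1.5),
    Finding("intranet", "CVE-0000-0005", 5.3, "info", False, 3.0),
    Finding("vpn-gw", "CVE-0000-0004", 8.8, "rce", True, 1.0),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(tier(f), f.host, f.cve, f.cvss)
```

Note that the internal file share with a known-exploited flaw outranks the internet-facing web server with a CVSS 9.8 finding, which is exactly the ordering the advisory argues for.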

2) Identity and access management

  • Enforce phishing-resistant multifactor authentication (MFA) for all users, without exception.
  • Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords.
  • Regularly review, validate, or remove privileged accounts (annually at a minimum).
  • Configure access control under the principle of least privilege.
    • Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (using non-administrative privileges where feasible).

3) Protective controls and architecture

  • Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices.
    • Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.
    • Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimise Golden Ticket attacks and Kerberoasting.
    • Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).
  • Implement Zero Trust Network Architecture (ZTNA) to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks.
  • Continuously monitor the attack surface and investigate abnormal activity that may indicate cyber actor or malware lateral movement.
    • Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure EDR, SIEM, vulnerability scanner, and other similar tools are reporting the same number of assets.
    • Use web application firewalls to monitor and filter web traffic. These tools are commercially available via hardware, software, and cloud-based solutions, and may detect and mitigate exploitation attempts where a cyber actor sends a malicious web request to an unpatched device.
    • Implement an administrative policy and/or automated process configured to monitor unwanted hardware, software, or programs against an allowlist with specified approved versions.
    • Use a network protocol analyser to examine captured data, including packet-level data.
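The advisory's suggestion to use an ITAM solution to check that EDR, SIEM and the vulnerability scanner all report the same number of assets is more useful when done on the asset sets rather than the counts, because two tools can agree on a total while each missing different hosts. The script below is an added example, not part of the advisory; the ITAM and tool inventories are constructed, and real exports would be loaded from each tool's API or CSV.

```python
"""Asset-coverage reconciliation across security tools (added example, not from
the advisory). Hostnames below are constructed."""

# Constructed authoritative inventory from the ITAM system.
ITAM = {"web-01", "web-02", "vpn-gw", "fileshare", "intranet", "build-01"}

# Constructed exports from each monitoring tool.
TOOL_INVENTORIES = {
    "edr": {"WEB-01.corp.example", "web-02", "fileshare", "intranet", "build-01"},
    "siem": {"web-01", "web-02", "vpn-gw", "fileshare", "intranet"},
    "vuln_scanner": {"web-01", "web-02", "vpn-gw", "fileshare", "legacy-db"},
}


def normalise(hosts):
    """Lower-case and strip DNS suffixes so 'WEB-01.corp.example' matches 'web-01';
    without this step the same machine is counted as two different assets."""
    return {h.strip().lower().split(".")[0] for h in hosts}


def coverage_gaps(authoritative, inventories):
    """For each tool return (missing, unknown): assets in the authoritative inventory
    the tool does not see (a monitoring blind spot), and assets the tool sees that the
    ITAM does not know about (shadow IT or stale records, both worth investigating)."""
    auth = normalise(authoritative)
    gaps = {}
    for tool, seen in inventories.items():
        s = normalise(seen)
        gaps[tool] = (sorted(auth - s), sorted(s - auth))
    return gaps


def fully_covered(authoritative, inventories):
    """Assets every tool agrees on. The advisory's 'same number of assets' check only
    truly passes when this list equals the whole authoritative inventory."""
    covered = normalise(authoritative)
    for seen in inventories.values():
        covered &= normalise(seen)
    return sorted(covered)


if __name__ == "__main__":
    for tool, (missing, unknown) in coverage_gaps(ITAM, TOOL_INVENTORIES).items():
        print(f"{tool}: missing={missing} unknown={unknown}")
    print("covered by every tool:", fully_covered(ITAM, TOOL_INVENTORIES))
```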

4) Supply chain security

  • Reduce third-party applications and unique system/application builds; provide exceptions only if required to support business-critical functions.
  • Ensure contracts require vendors and/or third-party service providers to:
    • Provide notification of security incidents and vulnerabilities within a risk-informed time frame.
    • Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities.
  • Ask your software providers to discuss their secure by design program and to provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.