The top National Security Teams are yelling at you to fix your network. The Joint Advisory is not a simple act of collaboration. The first 12 are highlighted for a reason. We do not know the insider reasons, other than that these vulnerabilities are ACTIVELY EXPLOITED and NOT ENOUGH ORGANIZATIONS are MITIGATING them, which is PUTTING ORGANIZATIONS at RISK.
US CISA, UK NCSC, NZ CERT/NCSC, Australia’s ACSC, and Canada’s CCCS all focus on protecting their nation’s critical infrastructure. Read between the lines! These agencies are yelling, “Get these vulnerabilities fixed!!”
These 24 vulnerabilities are in Shadowserver Foundation’s free Cyber Civil Defence Reporting. The first step is to subscribe to the reports and use them to find vulnerable devices in your organization. This report is free – a public benefit – and would be your first “Attack Surface Detection” tool: a public-benefit cybersecurity tool that does not cost you money. Your team must allocate the time needed to fix your network.
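One way to do that first pass, as an added example (not code from Senki, Shadowserver, or the advisory): group a report's rows by device and rank devices that match the advisory's highlighted first 12 ahead of the rest. The column names `ip`, `port` and `tag`, the `;`-separated tag format, and the `CVE-0000-…` IDs are assumptions and placeholders; take the real ones from the reports you receive and from the advisory.

```python
import csv
import io
from collections import defaultdict

# Placeholder IDs (this page does not list the CVEs): fill both sets from the advisory.
TOP_12 = {"CVE-0000-0001", "CVE-0000-0002"}   # the highlighted first 12
OTHER_12 = {"CVE-0000-0101"}                   # the remaining entries

# Constructed sample rows. Column names and tag format are assumed, not copied
# from a real report; adjust them to the CSV you actually receive.
SAMPLE_REPORT = """timestamp,ip,port,hostname,tag
2024-01-10 03:12:44,192.0.2.10,443,vpn.example.org,ssl;cve-0000-0001
2024-01-10 03:15:02,192.0.2.25,8443,,cve-0000-0001
2024-01-10 03:15:09,192.0.2.10,8080,vpn.example.org,cve-0000-0101
2024-01-10 03:20:31,192.0.2.77,80,www.example.org,http
2024-01-10 03:21:00,192.0.2.25,8443,,CVE-0000-0002;cve-0000-0101
"""

def triage(report_text, top=TOP_12, other=OTHER_12):
    """Return [(ip, top-tier CVEs, other CVEs, ports)], most urgent device first."""
    hosts = defaultdict(lambda: {"top": set(), "other": set(), "ports": set()})
    for row in csv.DictReader(io.StringIO(report_text)):
        # Normalise case so "cve-..." and "CVE-..." tags match the same ID.
        tags = {t.strip().upper() for t in (row.get("tag") or "").split(";")}
        hit_top, hit_other = tags & top, tags & other
        if not (hit_top or hit_other):
            continue  # row is not about one of the advisory's CVEs
        entry = hosts[row["ip"]]
        entry["top"] |= hit_top
        entry["other"] |= hit_other
        entry["ports"].add(int(row["port"]))
    # Most top-tier hits first, then most other hits, then IP as a stable tie-break.
    ranked = sorted(hosts.items(),
                    key=lambda kv: (-len(kv[1]["top"]), -len(kv[1]["other"]), kv[0]))
    return [(ip, sorted(e["top"]), sorted(e["other"]), sorted(e["ports"]))
            for ip, e in ranked]

if __name__ == "__main__":
    for ip, top, other, ports in triage(SAMPLE_REPORT):
        print(f"{ip:15} ports={ports} top12={top} other={other}")
```

The output is a per-device work list: one line per exposed host, with the ports to check and the advisory CVEs reported against it.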
Why the Urgency of a Joint Advisory?
Look at what six agencies all approved in their language:
“Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure—the value of such vulnerabilities gradually decreases as software is patched or upgraded.”
Patching works. But patching is best if you can see vulnerable devices on your network (i.e., get the Shadowserver reports). Notice the “first two years” highlight. Your network might be exposed, you might be waiting for a future time to patch, and you might be thinking, “We have not been hit yet.”
Six top national cybersecurity agencies are saying, “DO NOT WAIT!” The malicious cyber actors are persistent. They have a lot of targets. Your turn will come in time.
“Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).”
This is experience talking. These agencies are saying to focus on what you can fix right now. Make life hard for the miscreants.
In the Seven Habits of Highly Effective Cybercriminals, principle #2 is Don’t Work Too Hard. Force the malicious cyber actors to work harder.
Fixing everything presented in the Shadowserver Foundation’s free daily Cyber Civil Defence Reporting will reduce your risk. Try a week of “fixing all the broken things” on your Cyber Civil Defence Report and see how you feel when the “visible risk” is silenced.
“Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs.”
Criminal cyber actors focus on the return on investment. How much time will it take to get payment for their actions?
Prioritize your cyber hygiene habits by fixing the most visible and exposed risks first.
“While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years.”
See the repeated theme … “Low-cost” to develop … “High-Impact” with a high ROI … knowing that organizations are not going to patch for years … meaning the development time of the exploit has a long-term return.
“Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets’ networks.”
“Specific targets’ networks” is the critical point. That means malicious cyber actor operations focus on targets of top concern.
In Summary: Why Are These National Security Teams Alerting Now?
This might seem like “last year’s threats.” To me, these are a shout-out to check my networks, make sure all of these CVEs are remediated, pull down Shadowserver Foundation’s Cyber Civil Defence Report, fix everything listed in those reports, and then hunt in my network for the miscreants who most likely got into the network through one of these 24 vulnerabilities.
National Security Teams do not waste their time publishing alerts on last year’s vulnerabilities unless there is a reason. We’re seeing the tip of the iceberg, TLP: CLEAR. We are not privy to TLP: RED and Classified details about ongoing malicious cyber actor operations. Take a moment and think. What these National Security Teams are saying is that your actions to fix these CVEs will disrupt malicious cyber actor operations.