- Apply timely patches to systems.
- Implement a centralized patch management system.
- Routinely perform automated asset discovery.
- Implement a Zero Trust Network Architecture (ZTNA).
- Supply chain security practices such as asking suppliers to discuss their Secure-by-Design program or integrating security requirements into contracts.
Some of these recommendations won't come as any surprise to longtime cybersecurity practitioners, such as the need to apply timely patches or implement a patch management system. However, just because something sounds simple doesn't mean it's easy.
Patching, while a longstanding best practice, is something organizations have struggled with historically. For example, a report recently shared by the Cyentia Institute suggests that the average organization only has the capability and capacity to remediate one out of 10 vulnerabilities in its environment in a given month, leading to an exponential increase in vulnerability backlogs as time goes on.
Another notable recommendation that is a longstanding security practice is having an accurate asset inventory. This has been a CIS Critical Security Control for years; however, organizations struggle to maintain an accurate asset inventory, and the problem has only been exacerbated in recent years due to factors such as SaaS sprawl, ephemeral/dynamic cloud-native workloads, and the explosion in the use of OSS components.
CISA gives a nod to zero-trust network architecture
We also see the call for the use of a zero-trust network architecture (ZTNA), which has been an industrywide trend over the past several years, despite being a concept that has been around for over a decade. Zero trust has gained tremendous traction in both the public and private sectors, as organizations look to shift away from the legacy perimeter-based security model and instead leverage zero-trust principles, such as those contained in NIST 800-207 Zero Trust guidance.
Lastly, we see the advocacy for software supply chain security practices for end-user organizations. Software supply chain security has continued to be a critical topic in the industry, with some reports projecting 742% growth in software supply chain attacks over the past few years.
Recommendations here include activities such as integrating secure software supply chain requirements into contracts with vendors and suppliers, for example requiring notifications for security incidents and vulnerabilities (vulnerability disclosure programs).
There is also a recommendation to request that vendors and third-party service providers provide a software bill of materials (SBOM) with their products, to give end-user organizations and consumers transparency around vulnerabilities in their environments.
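To make the SBOM point concrete, here is an added example (not from the article or from CISA) of what an end-user organization can do once it has a supplier's SBOM in hand: load a CycloneDX-format JSON document, pull each component's package URL (purl), and compare the shipped version against a list of known-fixed versions. The SBOM contents, the component names and the advisory identifiers below are all constructed sample values, not real packages or real advisories; the purl parsing is deliberately simplified (no namespaces or qualifiers) and version comparison is numeric-dotted only.

```python
"""Check a CycloneDX-style SBOM against a small advisory list.

Added illustration: the SBOM and advisory data are constructed sample
values, not real components or real advisories.
"""
import json
import re

# Constructed sample SBOM in the CycloneDX JSON layout. Only the
# "components" array with name/version/purl is used here.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.3.1",
         "purl": "pkg:pypi/example-http@2.3.1"},
        {"type": "library", "name": "example-xml", "version": "1.0.9",
         "purl": "pkg:pypi/example-xml@1.0.9"},
        {"type": "library", "name": "example-json", "version": "4.1.0",
         "purl": "pkg:npm/example-json@4.1.0"},
    ],
})

# Constructed advisory feed: a component is affected when its version is
# strictly below "fixed" for the same ecosystem and name.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "ecosystem": "pypi",
     "name": "example-http", "fixed": "2.4.0"},
    {"id": "ADVISORY-PLACEHOLDER-2", "ecosystem": "pypi",
     "name": "example-xml", "fixed": "1.0.5"},
    {"id": "ADVISORY-PLACEHOLDER-3", "ecosystem": "npm",
     "name": "example-json", "fixed": "4.1.0"},
]

# Simplified purl grammar: pkg:<type>/<name>@<version>; namespaces and
# qualifiers are not handled in this illustration.
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<name>[^@/]+)@(?P<version>[^?#]+)$")


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple.

    Non-numeric segments count as 0 so comparison never raises.
    """
    parts = []
    for seg in version.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def parse_purl(purl):
    """Return (ecosystem, name, version) or None when the purl is unusable."""
    m = PURL_RE.match(purl or "")
    if not m:
        return None
    return m.group("type"), m.group("name"), m.group("version")


def load_components(sbom_json):
    """Extract (ecosystem, name, version) triples from a CycloneDX SBOM."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    found = []
    for comp in bom.get("components", []):
        parsed = parse_purl(comp.get("purl"))
        if parsed is None:
            # No usable purl: fall back to name/version with unknown ecosystem
            if comp.get("name") and comp.get("version"):
                found.append((None, comp["name"], comp["version"]))
            continue
        found.append(parsed)
    return found


def match_advisories(components, advisories):
    """Return (advisory id, name, shipped version, fixed version) hits."""
    hits = []
    for eco, name, version in components:
        for adv in advisories:
            if adv["name"] != name:
                continue
            if eco is not None and adv["ecosystem"] != eco:
                continue
            if parse_version(version) < parse_version(adv["fixed"]):
                hits.append((adv["id"], name, version, adv["fixed"]))
    return hits


def affected_ids(sbom_json=SAMPLE_SBOM, advisories=SAMPLE_ADVISORIES):
    """Sorted advisory ids that apply to the components in the SBOM."""
    comps = load_components(sbom_json)
    return sorted(h[0] for h in match_advisories(comps, advisories))


if __name__ == "__main__":
    for adv_id, name, ver, fixed in match_advisories(
            load_components(SAMPLE_SBOM), SAMPLE_ADVISORIES):
        print(f"{adv_id}: {name} {ver} is below the fixed version {fixed}")
```

Run as-is, only the first constructed advisory matches: example-http 2.3.1 is below its fix at 2.4.0, while example-xml and example-json are already at or above theirs. The practical value of the SBOM is exactly this lookup: without the component list the consumer has no way to know which of its deployed products carry the affected library.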
The final recommendation is to ask software suppliers to discuss their secure-by-design programs. While it's highly unlikely that anyone except the most mature and well-equipped software suppliers has an intentional secure-by-design initiative, this recommendation is an attempt by CISA to use market factors such as customer demand to push software vendors to begin integrating secure-by-design/default principles into their product development. If customers begin to demand something, it becomes a competitive differentiator for vendors who provide it.
While there is no silver bullet in the world of cybersecurity, looking retrospectively at the behavior of malicious actors can help inform future defenses. The CISA guidance offers valuable insight into these malicious activities, as well as key recommendations for vendors, developers and end-user organizations alike, to bring about a more secure software ecosystem and society.