New Security Vulnerabilities: How Should You Respond?
- May 25, 2022
- Brad LaPorte
Cybercrime has exploded in growth over the past several years to levels that are stunning to contemplate. To put it into perspective, consider these facts:
With so much money at stake, it’s not surprising that there is a seemingly endless supply of news stories and updates about the latest threats, along with updates from cybersecurity agencies. Security researchers documented an average of 55 common vulnerabilities and exposures each day of 2021 – more than 20,000 in total. In addition, the phenomenon of the “celebrity vulnerability” has become a trend of late, generating coverage not just in the trade publications but in general-interest news outlets such as the New York Times, USA Today, CNN, and CBS.
All of this demonstrates that organizations in all sectors need high-performing security teams. Such teams can keep on top of the attack vectors that threat actors are employing and fix their infrastructure’s critical flaws before damage is done.
In theory, the reports of new threats would seem to be valuable in helping security teams keep abreast of the latest attack vectors to guard against. But it’s not so simple.
Let’s look at some of the reports from the time period of March and April of 2022. On April 25th, the Cybersecurity and Infrastructure Security Agency (CISA) added seven new vulnerabilities to its Known Exploited Vulnerabilities Catalog and informed federal agencies that they needed to respond to these threats by a specified date. It also suggested that organizations of all sorts – not just federal agencies – add these vulnerabilities to their own vulnerability catalogs.
That report only gives a hint at the number of warnings about vulnerabilities that CISA gave during that time period. Besides the April 25th report, that month CISA provided a list of known and exploited vulnerabilities on April 4, 6, 11, 13, 14, 15, and 19. The previous month it alerted readers to vulnerabilities through updates provided on March 3 (95 such vulnerabilities on that date alone), as well as March 7, 15, 25, 28 and 31.
The total for the two-month period: 271.
But that is just one category of information that security teams are expected to absorb and react to. One of the others is a list of updates that vendors share that security teams may need to install as part of their vulnerability management system to safeguard their infrastructure.
For example, VMware announced on April 6th that it had found eight vulnerabilities across its products, three of which did not require authentication before exploitation and were assigned high vulnerability scores (CVSSv3 of 9.8). It provided patches to address the vulnerabilities and confirmed that at least one of them had been exploited by April 13th. The vulnerability was such that threat actors could bypass typical defenses such as antivirus (AV) and endpoint detection and response (EDR).
VMware warned that the patching was to be implemented as soon as possible. “This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0011. The ramifications of this vulnerability are serious,” the company wrote.
As important as that patch was to any organization using the affected VMware products, patching is also a never-ending activity. In fact, patching of vulnerabilities has been so commonplace for so long that Microsoft started something it called “Patch Tuesday” in 2003. Now many vendors have their own Patch Tuesdays – a once-a-month patch release for vulnerabilities of some concern. Emergency patches of more critical security vulnerabilities are released whenever they are available.
Perhaps the most perplexing vulnerability to address these days is the one that falls into the “celebrity” category. These are the ones that are deemed so significant that their existence is reported far beyond the trade publications, which means they get noticed by the top levels of an organization. Board members will not only be alarmed by such accounts; they’re also likely to want reassurance the vulnerability is addressed quickly and completely.
That can lead to a house-on-fire reaction by the security team, at least for a while. Celebrity vulnerabilities have the unfortunate tendency to draw too much attention initially – teams not affected by it may need to spend days proving to misinformed executives that they are not suffering the consequences.
Curiously enough, the celebrity vulnerabilities can overwhelm teams so they end up not fully addressing them. After a few months, the executives stop paying attention, so the vulnerability continues to be exploited, potentially causing significant damage. This can be due to simple fatigue, but it can also be due to inadequate resources to address the vulnerability, including tools and personnel.
And this leads us to our final article from this time period, one that appeared on April 26th on BleepingComputer.com with the title “Public Interest in Log4Shell fades but attack surface remains.” The article says that four months after Log4Shell was discovered, “the application of the available fixes is still way behind.” Data from Google’s Open Source Insights showed that of 17,840 open-source packages using Log4J, only 7,140 had upgraded to a fixed version. The problem may be due to several factors, the article says, including “proper vulnerability management processes and poor visibility.”
High-performing security teams are able to stay above the din of vulnerability alerts and focus on what matters. It’s not easy and never will be, but it should be the goal of every CISO and security team. To do this effectively requires a unified threat solution. NopSec helps security teams prioritize and manage their security vulnerabilities based on their unique environments. NopSec’s Unified VRM helps you remediate the risks that are most likely to be weaponized against your organization and cut through the noise around security vulnerabilities.
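As an added illustration (not NopSec’s product or code, and not part of the original article), here is a small Python triage that applies the prioritization this article argues for: findings on your own hosts that appear in an exploited-vulnerabilities catalog go first, ordered by the catalog’s due date; unauthenticated criticals go next; everything else waits for the normal patch cycle; and headline vulnerabilities that are not present on any of your hosts are reported separately so they can be answered with a one-line “not affected.” The catalog entries, scanner findings, host names and CVE identifiers below are all constructed placeholders; only the field names (cveID, vendorProject, product, dueDate) mirror CISA’s published KEV JSON feed.

```python
"""Triage a vulnerability backlog against an exploited-vulnerabilities
catalog and an asset inventory, so the team works on what is actually
exploitable in its own environment rather than on what is in the news.

All data below is constructed for illustration; the CVE identifiers are
placeholders, not real advisories. The catalog field names mirror the
CISA Known Exploited Vulnerabilities JSON feed (cveID, vendorProject,
product, dueDate); everything else is an assumption of this example.
"""
from dataclasses import dataclass, field
from datetime import date


# Constructed excerpt in the shape of the CISA KEV feed (placeholder CVE IDs).
KEV_CATALOG = [
    {"cveID": "CVE-0000-1001", "vendorProject": "ExampleVendor",
     "product": "Workspace", "dueDate": "2022-05-16"},
    {"cveID": "CVE-0000-1002", "vendorProject": "ExampleVendor",
     "product": "Identity Manager", "dueDate": "2022-05-06"},
    {"cveID": "CVE-0000-1003", "vendorProject": "OtherVendor",
     "product": "Gateway", "dueDate": "2022-05-02"},
]

# Constructed scanner findings: what our scanner reported on our own hosts.
FINDINGS = [
    {"cve": "CVE-0000-1001", "host": "app-01", "cvss": 9.8, "auth_required": False},
    {"cve": "CVE-0000-1002", "host": "idm-01", "cvss": 9.1, "auth_required": True},
    {"cve": "CVE-0000-2001", "host": "db-01", "cvss": 9.8, "auth_required": False},
    {"cve": "CVE-0000-2002", "host": "web-03", "cvss": 5.3, "auth_required": True},
]

# Constructed set of "celebrity" CVEs that are in the news this week.
HEADLINE_CVES = {"CVE-0000-1003", "CVE-0000-9999"}


@dataclass(order=True)
class Priority:
    tier: int                       # 0 = known exploited, 1 = unauth critical, 2 = rest
    due: date                       # fix-by date used for ordering within a tier
    cve: str = field(compare=False)
    host: str = field(compare=False)
    reason: str = field(compare=False)


def triage(findings, kev, headline_cves, today=date(2022, 4, 26)):
    """Return (work_queue, noise).

    work_queue: findings on our own hosts, ordered by tier then due date.
    noise: headline CVEs that do not appear on any of our hosts; these need
           a short "not affected" answer to leadership, not days of work.
    """
    kev_by_cve = {entry["cveID"]: entry for entry in kev}
    present = {f["cve"] for f in findings}
    queue = []
    for f in findings:
        if f["cve"] in kev_by_cve:
            # Catalog entries carry an agency due date; use it as the deadline.
            due = date.fromisoformat(kev_by_cve[f["cve"]]["dueDate"])
            queue.append(Priority(0, due, f["cve"], f["host"],
                                  "known exploited; catalog due date"))
        elif f["cvss"] >= 9.0 and not f["auth_required"]:
            # Assumption of this example: unauthenticated criticals are due now.
            queue.append(Priority(1, today, f["cve"], f["host"],
                                  "critical, no authentication required"))
        else:
            queue.append(Priority(2, date.max, f["cve"], f["host"],
                                  "standard patch cycle"))
    queue.sort()
    noise = sorted(headline_cves - present)
    return queue, noise


def overdue(queue, today=date(2022, 4, 26)):
    """Catalog items whose due date has passed: the ones that keep being
    exploited after executive attention has moved on."""
    return [p for p in queue if p.tier == 0 and p.due < today]


if __name__ == "__main__":
    queue, noise = triage(FINDINGS, KEV_CATALOG, HEADLINE_CVES)
    for p in queue:
        print(f"tier {p.tier}  {p.cve}  {p.host}  due {p.due}  ({p.reason})")
    print("headline CVEs not present in our inventory:", noise)
    print("overdue catalog items as of 2022-05-10:",
          [p.cve for p in overdue(queue, date(2022, 5, 10))])
```

The ordering is deliberate: presence in the exploited catalog outranks raw CVSS, so a 9.1 that requires authentication but is known to be exploited lands ahead of a 9.8 that nobody is known to be using, and a widely reported CVE that is absent from the inventory is never allowed to pull the team off that queue. Running `overdue` on a later date surfaces the catalog items that slipped past their deadline, which is exactly the fade-out failure the Log4Shell article describes.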
Don’t be distracted by the vulnerabilities that make a big splash in the news but don’t actually impact your organization. Watch Celebrity Vulnerabilities 101 here.
Answer: New security vulnerabilities are ones that are reported by agencies and news organizations on an almost daily basis. Because of the large number that accumulates over time, it is difficult to determine how to respond.
Answer: A celebrity vulnerability is one that is deemed significant enough to have its own special name (often provided by the threat actors themselves). Typically these vulnerabilities are highly dangerous and widely spread.
Answer: No. A new vulnerability is only clearly dangerous if it is known to be exploited by cybercriminals. Many are not.