Lessons Learned from the Top 12 Most-Exploited Vulnerabilities

Xiid Team, Xiid Blog
Sep 6, 2023

The United States Cybersecurity and Infrastructure Security Agency (CISA), NSA, and FBI, working with the UK, Australian, Canadian, and New Zealand governments, recently published a joint advisory listing the 12 vulnerabilities most routinely exploited in the wild during 2022, and it’s a doozy.

Among these are vulnerabilities in products by leading vendors, including Microsoft Exchange, Atlassian Confluence, and VMware Identity Manager. These vulnerabilities could set the stage for substantial attacks, such as:

  • Arbitrary Code Execution: the ability to run any code the attacker chooses on a compromised machine or network
  • Authentication Bypass: gaining access to a restricted system without valid credentials
  • Full System Control: an attacker being able to do nearly whatever they want on a system

Obviously, companies should want to patch these vulnerabilities as quickly as possible to prevent millions (or billions) of dollars in potential damage to themselves and their customers. That assumption, however, doesn’t square with the CISA report:

“Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure.”

Excuse me, what?

Within the first two years?


Why companies can’t or don’t patch their systems quickly, if at all, deserves an article of its own. At a high level, a key reason for not applying patches is the complexity of doing so and the fear of unintended consequences of the patch on employees, products, and customers.

This hesitation isn’t completely unreasonable — there is a real tradeoff between the risk of a breach and rushing a fix that could harm the business in unforeseen ways. But in 2023, the best option on the table cannot be to allow hackers total control of corporate systems and customer data for several years.

There is a straightforward way to resolve this “security vs. stability” tradeoff:

If systems are so complex that patching them is risky, the lever is not to patch less but to expose less: reducing network complexity reduces the attack surface that a missing patch leaves open.

If a business has fewer risky systems and architectures exposed to attackers, there will be fewer exploitable vulnerabilities, fewer cybersecurity headaches, (usually) lower costs, and, of course, far fewer maybe-dangerous patches that have to be applied under pressure.

Let’s put this theory to the test. Using some examples from this CISA report, let’s see how these top vulnerabilities could have played out if corporate architectures were more streamlined and fundamentally secure by design:

CVE-2018-13379

Problem: A path traversal in the web portal of Fortinet’s FortiOS SSL VPN let unauthenticated intruders read system files from the appliance, including session files containing plaintext credentials, so the bug yielded both sensitive corporate information and material for further exploits.

Risks to Business: Could result in a leak of sensitive data, trade secrets, and customer data; credentials and configuration details gained by attackers could be used for further incursions.

Solution: VPNs in general are overbroad and overused. Once a user is blessed through the VPN “gate”, they usually gain relatively unrestricted access to the entire network. Replacing VPNs with a process-to-process tunneling approach would protect other data and devices on the network and would keep out intruders scanning for open ports to find vulnerabilities and entry points. Note that the flaw lived in the VPN appliance itself, so patching it remains necessary; the architectural point is that an unauthenticated login portal reachable from the entire Internet should not be the first thing an attacker can touch.

CVE-2021-34473, CVE-2021-31207, CVE-2021-34523

Problem: These three Microsoft Exchange vulnerabilities, chained together as “ProxyShell”, give an unauthenticated attacker arbitrary code execution on the server. What makes the chain reachable is that Exchange’s client-facing web services are exposed to inbound Internet traffic on TCP port 443.

Risks to Business: Could result in a complete network and server compromise, leaked data and trade secrets, and the theft of customer data.

Solution: Open inbound network ports are not a requirement for remote access. Solutions exist on the market that facilitate outbound-only communication between two devices/servers: the server dials out to a broker, and legitimate users reach it through that broker only after authenticating. There’s no need to play whack-a-mole with complex firewall rules or black-box AI firewalls. All unsolicited inbound traffic can then be rejected without removing access for legitimate users, so an Internet-based attacker cannot deliver the malicious requests without first compromising an enrolled user or device. The bugs still need patching, but the window in which they can be exploited anonymously from the Internet closes.

CVE-2022-26134

Problem: An OGNL injection in Atlassian Confluence Server and Data Center let an unauthenticated attacker achieve remote code execution with a single (very simple) crafted HTTP request to an Internet-facing instance.

Risks to Business: Could result in complete network and server compromise, the leaking of sensitive data and trade secrets, and the theft of customer data.

Solution: There is no reason that Confluence servers for corporate use, even for remote users, need to accept inbound traffic from anyone on the Internet. As with the Microsoft CVEs above, easy-to-use outbound-only tunneling solutions make these risks unnecessary. If inbound access were disallowed, this vulnerability would no longer be exploitable by an outside actor; it would remain exploitable by an insider or a compromised account, which is why the patch should still be applied.
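The outbound-only topology described for the Exchange and Confluence cases above, as an added toy illustration rather than Xiid’s product or any real tunneling protocol: three parties run on localhost, and only the relay ever calls listen(). The backend (standing in for Exchange or Confluence) dials out to the relay and answers requests over that single connection, so a client that cannot reach the relay, or cannot pass whatever authentication the relay enforces, has no socket on the backend to send a crafted request to. The REGISTER/OK handshake, the line-oriented message format and port 0 (ask the OS for a free port) are all assumptions made up for the demo.

```python
import asyncio

# Added illustration of an outbound-only ("reverse tunnel") topology. Not Xiid's
# code or protocol; the wire format here is invented for the demo.
#   Relay   - the only process with a listening socket that clients can reach.
#   Backend - the application server. It makes ONE outbound connection to the
#             relay and never calls listen(); requests reach it only over that link.
#   Client  - connects to the relay, which forwards the request to the backend.


class Relay:
    def __init__(self):
        self.backend = None            # (reader, writer) of the registered backend
        self.lock = asyncio.Lock()     # one request in flight on the backend link at a time
        self.shutdown = asyncio.Event()

    async def handle(self, reader, writer):
        first = await reader.readline()
        if first == b"REGISTER\n":
            # The backend dialed out to us. Acknowledge, then hold the link open.
            self.backend = (reader, writer)
            writer.write(b"OK\n")
            await writer.drain()
            await self.shutdown.wait()
            writer.close()
            return
        # Anything else is a client request. Note the failure mode: with no
        # backend registered the relay has nothing to forward to, and says so.
        if self.backend is None:
            writer.write(b"ERR no backend registered\n")
        else:
            async with self.lock:
                breader, bwriter = self.backend
                bwriter.write(first)
                await bwriter.drain()
                reply = await breader.readline()
            writer.write(reply or b"ERR backend gone\n")
        await writer.drain()
        writer.close()
        await writer.wait_closed()


async def backend(relay_host, relay_port, ready):
    """Application server with no listening socket: dials the relay, answers over it."""
    reader, writer = await asyncio.open_connection(relay_host, relay_port)
    writer.write(b"REGISTER\n")
    await writer.drain()
    assert await reader.readline() == b"OK\n"   # registered before any client is served
    ready.set()
    while True:
        line = await reader.readline()
        if not line:                           # relay closed the link: shut down
            break
        writer.write(b"HELLO " + line.rstrip(b"\n") + b"\n")
        await writer.drain()
    writer.close()


async def client(relay_host, relay_port, request):
    """Client talks to the relay only; it never learns where the backend is."""
    reader, writer = await asyncio.open_connection(relay_host, relay_port)
    writer.write(request + b"\n")
    await writer.drain()
    reply = await reader.readline()
    writer.close()
    await writer.wait_closed()
    return reply.rstrip(b"\n")


async def _run(requests, with_backend):
    relay = Relay()
    server = await asyncio.start_server(relay.handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    backend_task = None
    if with_backend:
        ready = asyncio.Event()
        backend_task = asyncio.create_task(backend("127.0.0.1", port, ready))
        await ready.wait()
    replies = [await client("127.0.0.1", port, r) for r in requests]
    relay.shutdown.set()
    if backend_task:
        await backend_task
    server.close()
    await server.wait_closed()
    return replies


def run_demo(requests, with_backend=True):
    """Run relay, backend and clients in one event loop; return the clients' replies."""
    return asyncio.run(_run(requests, with_backend))


if __name__ == "__main__":
    print(run_demo([b"alice", b"bob"]))               # [b'HELLO alice', b'HELLO bob']
    print(run_demo([b"alice"], with_backend=False))   # [b'ERR no backend registered']
```

In a real deployment the relay is the place to enforce identity (mTLS, SSO, device posture) before forwarding anything, and the relay itself becomes the component that must be hardened and patched; the architecture moves the exposed surface from every application server to one purpose-built front door rather than eliminating exposure altogether.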

In each of these examples, which are among the most frequently exploited vulnerabilities of last year, system architecture and design choices decided whether the vulnerability was a show-stopper or a contained, patch-at-leisure concern.

CISA itself acknowledges the importance of network design in shrinking the exploitable attack surface and fighting back against attackers while advocating for the implementation of “secure-by-design” principles.

While many companies focus on product-market fit, new product development, and fundraising, attackers continue to hone their skills and cause increasing damage to otherwise successful businesses.

Xiid’s cybersecurity, identity, and resource access offerings are built from the ground up to reduce the enterprise attack surface. Its proprietary Zero Knowledge Networking (ZKN) architecture was battle-tested by U.S. Air Force penetration tests, which demonstrated the “…near invisibility of the product externally.” It’s pretty tough to attack a network that’s nearly invisible.

The root cause of many critical vulnerabilities is clear: the complex design of corporate infrastructure. It’s up to each company to decide whether to gamble with this unneeded complexity or take it out of the equation altogether, automatically mitigating many top vulnerabilities of today and tomorrow.
