[BreachExchange] If a Cyber Security Report Falls in a Forest, Is Anyone Listening?

Destry Winant destry at riskbasedsecurity.com
Tue Jun 23 10:27:14 EDT 2020


This article started off as an extended conversation between me and a
close colleague about a report. But it was not just any report – it
was a report from US-CERT no less and the conversation quickly turned
into one of my classic, assertive and insightful analyses – some may
call it a “rant” – of shameful Cyber Security failures.

What is odd to me is that the purely negative data was not embraced by
vendors or the InfoSec press, and the report had little fanfare
associated with it. I was always under the impression that “bad news”
sold, but perhaps its six pages of raw brutality were more than anyone
wants to hear.

The Report is here. I have a problem with it and if you’re in our
cyber security industry you should too.

Have a good read through it – I’ll wait for you to finish. One way to
look at this report is as a “State of the Blue Team”, and the state is
ugly. Another way to look at the data is that it’s a call to action, and
it’s by far the worst “state of the industry” report I have seen.

It also happens to contain a list of the most likely reasons
organizations continue to get rolled by cybercriminal malware in
increasing numbers. So, what about this report has me so frothing at
the mouth angry? Two things, really, from the “Top 10 Most Exploited
Vulnerabilities 2016–2019”:

CVE-2012-0158 & CVE-2015-1641. It’s amazing to me that at the top –
the top being the operative word here – of the most exploited
vulnerabilities we have one that is eight years old and one that is
five years old. This tells us so much about the “global vulnerability
picture”, and it feels like – at least when it comes to Microsoft
Office – we have made minimal progress. What is wrong with
organizations that can’t seem to patch in an eight or five-year

I think it’s time to have a shouty conversation, because we need to
start understanding where vulnerability management incompetence turns
into vulnerability management negligence and, by proxy, organizational
negligence. I think the line is somewhere between five and eight
years. There is more data here, and it also brings to light two more
uncomfortable truths.


One, all of the “Top Most Exploited” have patches available, and two,
if you patched yearly you would have mitigated all of them. That’s
right: a yearly patch cycle and you have a 0% chance of being pwnd by
anything coming at you exploiting the “Top Most Exploited”, but
apparently that seems to be too much to ask.

Data is how we are supposed to be making decisions. Everyone wants to
measure everything, so why the hell do we ignore data on
vulnerabilities from 2012 and 2015 that are taking down organizations?
Is it cognitive dissonance, burnout, misplaced faith in anti-virus
software, or what?

Simply put, we got a US-CERT report card on vulnerability management,
and the team could be doing a much better job.

We keep hearing “we need better tools and/or data to fight cybercrime”,
but when a report comes out from an authoritative source and tells
us *exactly what we should do*, it seems to get 0.0 percent coverage.

I think it’s fair to say that the issue of vulnerabilities in
organizations exploitable by malware targeting CVEs from 2012 and
2015 may not rest only on the shoulders of the IT security or IT
department – my guess is there is a stack of legacy tech, or a
historical – and tragic – lack of life cycle management, behind it.
That’s OK. Here is a cyber anger management plan – get permission from
your organization before you do this.

1. Download OpenVAS here.
2. Scan your infrastructure.
3. Prioritize your patching, updating and life cycle management
program to get rid of the most vulnerable items.
4. Make sure you have solid backups.
5. Test some of the patches to make sure they do not disrupt functionality.
6. Roll them out.

Here is the secret for those of you looking to get into the profession
and find yourself in an interview. This is your plan to make the
organization secure – and far less embarrassed if it gets pwnd –
hopefully not from a five-year-old (or worse) vulnerability.

Be armed with a plan to enumerate the organization for these “Top Most
Exploited”, to test the patches, and then to deploy them for the
vulnerabilities found – that would be pretty impressive. And
apparently, you would also be ahead of many of the folks already
working in the cyber security profession.
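Steps 2 and 3 of the plan above, and the "enumerate the organization for the Top Most Exploited" plan in the previous paragraph, both come down to the same task: take the scanner's output, pull the CVE ids out of every finding, and rank hosts by whether they carry a Top Most Exploited CVE and how many years overdue the patch is. The script below is an added example written for this page; it is not code from the original article, from US-CERT, or from the OpenVAS/GVM project. It assumes a CSV in the shape of a GVM results export (column names IP, Hostname, CVSS, NVT Name, CVEs, Timestamp are an assumption; check your export's header row), and its watchlist holds only the two CVEs the article names, to be extended from the report itself. The sample rows are constructed.

```python
"""Triage a vulnerability scan export against the "Top Most Exploited" list.

Added example: reads a CSV in the shape of an OpenVAS/GVM result export,
pulls every CVE out of each finding, flags the ones on the watchlist and
ranks them by age so the eight- and five-year-old items land on top.
"""
import csv
import io
import re
from collections import defaultdict

# The two CVEs the article names from the US-CERT "Top 10 Most Exploited
# Vulnerabilities 2016-2019" report. Extend this set from the report itself.
TOP_EXPLOITED = {"CVE-2012-0158", "CVE-2015-1641"}

CVE_RE = re.compile(r"CVE-(\d{4})-\d{4,}")

# Constructed sample rows. The column names follow the GVM CSV export as an
# assumption; adjust parse_findings() if your export's header differs.
SAMPLE_CSV = """\
IP,Hostname,Port,Port Protocol,CVSS,NVT Name,CVEs,Timestamp
10.0.0.12,fileshare01,general,tcp,9.3,Microsoft Office Remote Code Execution,CVE-2012-0158,2020-06-01T10:00:00Z
10.0.0.12,fileshare01,445,tcp,5.0,SMB Signing Disabled,,2020-06-01T10:00:00Z
10.0.0.40,hr-laptop07,general,tcp,9.3,Microsoft Office Memory Corruption,CVE-2015-1641,2020-06-01T10:05:00Z
10.0.0.77,web01,443,tcp,5.0,Weak SSL/TLS Ciphers,"CVE-2013-2566, CVE-2016-2183",2020-06-01T10:06:00Z
"""


def cve_year(cve_id):
    """Year embedded in the CVE id (the year it was reserved, so a floor on its age)."""
    return int(CVE_RE.fullmatch(cve_id).group(1))


def parse_findings(csv_text):
    """Yield one dict per (host, CVE) pair; findings with no CVE are skipped."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        # The CVEs cell may hold several comma-separated ids or be empty.
        for match in CVE_RE.finditer(row.get("CVEs") or ""):
            yield {
                "ip": row["IP"],
                "hostname": row.get("Hostname", ""),
                "nvt": row.get("NVT Name", ""),
                "cvss": float(row.get("CVSS") or 0.0),
                "cve": match.group(0),
            }


def triage(csv_text, scan_year, watchlist=TOP_EXPLOITED, max_age_years=1):
    """Rank findings worst-first: watchlist hits, then oldest, then highest CVSS.

    A finding is "overdue" when its CVE is older than one patch cycle
    (max_age_years), the article's yearly-patching yardstick.
    """
    findings = list(parse_findings(csv_text))
    for f in findings:
        f["age_years"] = scan_year - cve_year(f["cve"])
        f["on_watchlist"] = f["cve"] in watchlist
        f["overdue"] = f["age_years"] > max_age_years
    findings.sort(key=lambda f: (not f["on_watchlist"], -f["age_years"], -f["cvss"]))
    return findings


def hosts_to_patch_first(csv_text, scan_year, watchlist=TOP_EXPLOITED):
    """Map IP -> sorted watchlist CVEs present on it: the step-3 priority list."""
    by_host = defaultdict(set)
    for f in triage(csv_text, scan_year, watchlist):
        if f["on_watchlist"]:
            by_host[f["ip"]].add(f["cve"])
    return {ip: sorted(cves) for ip, cves in sorted(by_host.items())}


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV, scan_year=2020):
        flag = "TOP-EXPLOITED" if f["on_watchlist"] else "-"
        print(f"{flag:14} {f['cve']:15} age={f['age_years']}y cvss={f['cvss']:.1f} "
              f"{f['ip']} ({f['hostname']}) {f['nvt']}")
    print("patch first:", hosts_to_patch_first(SAMPLE_CSV, scan_year=2020))
```

Two caveats for anyone running this against a real export. The age is derived from the year in the CVE id, which is the year the id was reserved, not the date the vendor shipped a fix, so treat it as a lower bound and use the vendor's bulletin date where precision matters. And an unauthenticated network scan will generally not see client-side Office vulnerabilities such as the two on the watchlist; give the scanner credentials for the hosts so its local checks can run, or the enumeration step will come back reassuringly and wrongly empty.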

Take this advice as a career guide to success and make a commitment to
make what US-CERT feels is a really terrible state of affairs a lot
better for your organization.
