Cybersecurity advisory highlights top vulnerabilities of 2023

A new advisory has been issued by leading cybersecurity agencies across the United States, Australia, Canada, New Zealand, and the United Kingdom, identifying vulnerabilities that are frequently exploited in 2023.

The advisory, coauthored by the Cybersecurity and Infrastructure Security Agency (CISA) along with other international cyber agencies, has highlighted Common Vulnerabilities and Exposures (CVEs) targeted by cyber threats and provided techniques to remediate these risks. The document aims to increase awareness and offer actionable guidance to improve security protocols.

Avishai Avivi, Chief Information Security Officer (CISO) at SafeBreach, emphasised the recommendations outlined, noting that the document "provides clear, observation-based recommendations that all readers can apply to their respective environments." Avivi pointed out a gap in the recommendations, adding, "it lacks a pivotal recommendation for end users and organizations to test and validate their security controls."

The advisory reports a shift in malicious targeting from personal accounts to enterprise networks in 2023. Avivi explained, "This shift in focus is evident in the top vulnerabilities that the agencies observed." He added that focusing on enterprise infrastructure can lead to more significant breaches, hence the agency's recommendation for developers and vendors to produce secure-by-default products.

Additionally, the advisory highlighted that actors continue to exploit vulnerabilities that have been publicly known for up to two years. This observation underscores the importance of timely patching by end users and organisations. Avivi noted, "Malicious actors would only use attacks leveraging old vulnerabilities because they know there are still enough targets out there that haven't patched them."

In terms of technical guidance, the advisory recommends developers and vendors employ secure development processes and practices. Avivi remarked, "Utilizing security-centered development processes and practices to address the issue at the root is simpler, faster, and more cost-effective than deploying patches to the end users and hoping they apply them on time."

In addition, implementing bug-bounty programs was recommended to foster collaboration with security researchers. However, Avivi noted limitations in the effectiveness of such programs: "Unfortunately, the economy of scale makes it more profitable for the researchers to sell their findings to the malicious actors than for a much smaller reward from the bug-bounty program."

The advisory has also identified that more advanced detection capabilities have enabled the discovery of major vulnerabilities. The advisory outlines the top 30 routinely exploited vulnerabilities categorised into two groups: network devices and systems, and enterprise infrastructure applications and systems. Distinct exceptions such as Log4J and HTTP/2 modules were also listed. Avivi found this encouraging, seeing it as an indication of improved dependency practices among developers and vendors.

Finally, the advisory elaborates prescriptive steps for both developers, product vendors, and end-users to counteract these security challenges. Despite this, Avivi reiterates the importance of testing and validation, drawing an analogy, "Please think of this as a car manufacturer putting a seatbelt or an airbag in a new car model without testing that they will function in case of an accident."

To prevent such exposure to security risks, the advisory reinforces the necessity for organisations to incorporate rigorous testing of their security infrastructure as part of their routine checks to ensure functionality and adherence to security advisories.