Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities (May 12, 2020)
Available at https://www.us-cert.gov/ncas/alerts/aa20-133a
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued an alert urging IT security professionals to prioritize patching the most commonly known vulnerabilities exploited by sophisticated foreign cyber actors. Noting that exploiting a publicly known vulnerability requires far fewer resources than developing a zero-day exploit for a flaw that has no patch (see our Checkpoint article), the alert indicates that a concerted campaign by U.S. organizations to patch known vulnerabilities would force malicious actors to develop or acquire exploits that are more costly and less widely effective. The alert details the routinely exploited vulnerabilities so that organizations can focus their defenses on observed adversarial activity rather than on hypothetical threats.
The alert identifies the 10 most exploited vulnerabilities from 2016 through 2019 and suggests that failure to patch these flaws encourages malicious actors to continue to exploit them. It then notes that additional vulnerabilities are being routinely exploited in 2020, including flaws in unpatched virtual private network (VPN) appliances. Because of the abrupt shift to remote work occasioned by the COVID-19 pandemic, malicious cyber actors are also targeting organizations whose hasty deployment of cloud collaboration services may have resulted in security configuration oversights that left them vulnerable to attack. Furthermore, poor employee education on social engineering attacks (e.g., phishing) and a lack of system recovery and contingency plans continue to make organizations susceptible to ransomware. The alert provides a lengthy list of mitigations for each of the identified vulnerabilities and suggests resources to help manage risks and vulnerabilities.
EBIA Comment: The information in this alert will be familiar to those responsible for HIPAA security compliance programs. HHS has previously provided HIPAA guidance specific to cloud computing (see our Checkpoint article) and has emphasized workforce training and contingency plans as defenses against ransomware attacks (see our Checkpoint article). HIPAA concepts can be useful beyond their legal boundaries to help establish a cybersecurity strategy. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIX.E (“Developing Your Security Program”) and XXX (“Core Security Requirements”). You may also be interested in our webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 5/14/20).
Contributing Editors: EBIA Staff.