Key findings from the CISA 2022 Top Routinely Exploited Vulnerabilities report

• Apply timely patches to systems.
• Implement a centralized patch management system.
• Routinely perform automated asset discovery.
• Implement a Zero Trust Network Architecture (ZTNA).
• Supply chain security practices such as asking providers to discuss their Secure-by-Design program or integrating security requirements into contracts.

Some of these recommendations won’t come as any surprise to longtime cybersecurity practitioners, such as the need to apply timely patches or implement a patch management system. However, just because something sounds simple, doesn’t mean it’s easy.

Patching, while a longstanding best practice, is something organizations have struggled with historically. For example, a report shared by the Cyentia Institute recently suggests that the average organization only has the capability and capacity to remediate one out of 10 vulnerabilities in their environment in a given month, leading to an exponential increase of vulnerability backlogs as time goes on.

Another notable recommendation that is a longstanding security practice is having an accurate asset inventory. This is one that has been a CIS Critical Security Control for years, however, organizations struggle to maintain an accurate asset inventory and the problem has only been exacerbated in recent years due to factors such as SaaS sprawl, ephemeral/dynamic cloud-native workloads, and the explosion of the use of OSS components.

CISA gives a nod to zero-trust network architecture

We also see the call for the use of a zero-trust network architecture (ZTNA), which has been an industrywide trend over the last several years, despite being a concept that has been around for over a decade. Zero trust has gained tremendous traction in both the public and private sectors, as organizations look to shift away from the legacy perimeter-based security model and instead leverage zero-trust principles, such as those contained in NIST 800-207 Zero Trust guidance.

Finally, we see the advocacy for software supply chain security practices for end-user organizations. Software supply chain security has continued to be a critical topic in the industry, with some reports projecting 742% growth of software supply chain attacks over the last few years.

Recommendations here include activities such as integrating secure software supply chain requirements into contracts with vendors and suppliers, such as requiring notifications for security incidents and vulnerabilities (vulnerability disclosure programs).

There is also a recommendation to request vendors and third-party service providers provide a software bill of materials (SBOM) with their products to empower transparency for end-user organizations and consumers around vulnerabilities in their environments.

The final recommendation is to ask software providers to discuss their secure-by-design programs. While it is incredibly unlikely that anyone except the most mature and well-equipped software providers has an intentionally secure-by-design initiative, this recommendation is an attempt by CISA to utilize market factors such as customer demand to force software vendors to begin integrating secure-by-design/default principles into their product development. If customers begin to demand something, it becomes a competitive differentiator for vendors who provide it.

While there’s no silver bullet in the world of cybersecurity, retrospectively looking at the behavior of malicious actors can help inform future defenses. The CISA guidance is a great insight into those malicious activities, as well as providing key recommendations for both vendors and developers and end-user organizations to lead to a more secure software ecosystem and society.