Dive Brief:
- Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly issued her first binding operational directive (BOD), instructing federal civilian agencies to "drive urgent and prioritized remediation" of vulnerabilities that are known to be actively exploited. The directive binds federal civilian executive branch agencies only; the Department of Defense, CIA and Office of the Director of National Intelligence, as military and national security organizations, are excluded.
- The requirement is government-wide and covers vulnerabilities on both internet-facing and non-internet-facing assets, the agency said. As part of the directive, CISA established a catalog of known exploited vulnerabilities. For scale, the BOD's fact sheet notes that 18,358 CVEs were published in 2020 alone.
- The current catalog includes about 200 vulnerabilities disclosed between 2017 and 2020, plus another 90 from 2021 year-to-date. Of the 18,358 CVEs published in 2020, more than half (about 28 per day) were rated "critical" or "high severity," the fact sheet said; the catalog deliberately lists only the small fraction of those that attackers are actually using.
Dive Insight:
The BOD binds only federal civilian agencies, "however, all organizations should adopt this directive and prioritize mitigating vulnerabilities listed on our public catalog," Easterly said in a tweet. The listed vulnerabilities are found in private networks as well as federal ones.
CISA will continue to add vulnerabilities to the catalog as long as they meet the agency's thresholds. To be listed, a vulnerability must:
- Have an assigned Common Vulnerabilities and Exposures (CVE) identifier
- Have evidence that bad actors are actively exploiting it
- Have a clear remediation action available, such as a vendor-issued update
The catalog shifts attention away from vulnerabilities that merely "carry a specific CVSS score," the agency said. The BOD changes CISA's existing vulnerability management strategy by targeting the bugs known to be under active exploitation rather than those that simply score high.
The catalog stands as a reference guide for public and private organizations to "establish a more aggressive turnaround time to protect their networks against urgent, active threats," CISA said. Companies can sign up for notifications to know when new CVEs have been added.
September research from Trustwave's SpiderLabs found that more than half of the servers it examined remained exposed to high-profile vulnerabilities despite available patches. Internet-facing services including Microsoft Exchange Server, Apache Tomcat, QNAP NAS and VMware vCenter showed minimal improvement weeks after the vendors published remediations.
That CVEs dating back to 2017 still appear in the catalog indicates that organizations have a hard time locating every affected instance. In some cases, security teams also lack the authority to update business-critical tools when the update could cause a disruption or take those tools offline for a period.
Bad actors favor widely known CVEs in part because exploiting common bugs helps obscure attribution. In 2021 the most commonly exploited CVEs were found in Microsoft Exchange, Pulse Secure, Accellion, VMware and Fortinet products.
CISA is giving federal agencies until Nov. 17 to apply vendor updates for the Accellion CVEs, which appear in the catalog four times. Microsoft Exchange-related vulnerabilities are listed nine times, with due dates ranging from Nov. 17 to May 3, 2022.
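The catalog is only useful to an organization that can map its entries to the systems it actually runs and act before each due date. As an added example (not code from the article, from CISA or from any vendor named here), the Python script below loads a catalog in the shape of CISA's JSON feed, matches it against a local asset inventory and orders the matches by how much time is left. The catalog entries, their placeholder CVE identifiers and the inventory are all constructed for this example; the feed URL in the comment and the field names are assumptions drawn from the public feed, not something the article states.

```python
# Added example, not the article's or CISA's own code: triage a catalog in the
# shape of CISA's known exploited vulnerabilities JSON feed against a local
# asset inventory, ordered by remediation due date.
import json
from datetime import date

# Assumed feed location (not stated in the article):
#   https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# The field names (cveID, vendorProject, product, dueDate, ...) follow that feed.
# The entries below are CONSTRUCTED; CVE-2000-0000x are placeholders, not real IDs.
SAMPLE_CATALOG_JSON = json.dumps({
    "title": "Constructed KEV-style sample",
    "vulnerabilities": [
        {"cveID": "CVE-2000-00001", "vendorProject": "Microsoft", "product": "Exchange Server",
         "vulnerabilityName": "placeholder", "dateAdded": "2021-11-03",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2000-00002", "vendorProject": "Pulse Secure", "product": "Pulse Connect Secure",
         "vulnerabilityName": "placeholder", "dateAdded": "2021-11-03",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2021-11-05"},
        {"cveID": "CVE-2000-00003", "vendorProject": "Fortinet", "product": "FortiOS",
         "vulnerabilityName": "placeholder", "dateAdded": "2021-11-03",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2000-00004", "vendorProject": "QNAP", "product": "QTS",
         "vulnerabilityName": "placeholder", "dateAdded": "2021-11-03",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2021-11-17"},
    ],
})

# Hypothetical inventory: (vendor, product) -> hosts running it. A real one would
# come from a CMDB or scanner export and needs name normalization against the feed.
SAMPLE_INVENTORY = {
    ("microsoft", "exchange server"): ["mail01.corp.example", "mail02.corp.example"],
    ("pulse secure", "pulse connect secure"): ["vpn.corp.example"],
    ("fortinet", "fortios"): ["fw-edge.corp.example"],
}


def load_catalog(text):
    """Parse the feed JSON and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def triage(entries, inventory, today, warn_days=14):
    """Match catalog entries to inventoried products and classify them by due date.

    Entries for products not in the inventory are dropped. The result is sorted
    by days remaining, so overdue items come first, then those due within
    warn_days, then everything else.
    """
    findings = []
    for entry in entries:
        key = (entry["vendorProject"].strip().lower(), entry["product"].strip().lower())
        hosts = inventory.get(key)
        if not hosts:
            continue  # nothing in our estate runs this product
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        if days_left < 0:
            status = "OVERDUE"
        elif days_left <= warn_days:
            status = "DUE_SOON"
        else:
            status = "SCHEDULED"
        findings.append({
            "cve": entry["cveID"],
            "product": "%s %s" % (entry["vendorProject"], entry["product"]),
            "due": entry["dueDate"],
            "days_left": days_left,
            "status": status,
            "hosts": list(hosts),
            "action": entry["requiredAction"],
        })
    findings.sort(key=lambda f: f["days_left"])
    return findings


def summarize(findings):
    """Count findings per status for a one-line dashboard figure."""
    counts = {"OVERDUE": 0, "DUE_SOON": 0, "SCHEDULED": 0}
    for f in findings:
        counts[f["status"]] += 1
    return counts


def run_sample(today_iso="2021-11-10"):
    """Run the triage over the constructed sample as of a fixed date."""
    return triage(load_catalog(SAMPLE_CATALOG_JSON), SAMPLE_INVENTORY,
                  date.fromisoformat(today_iso))


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print("%-9s %-14s due %s (%+d days) %s on %s" % (
            f["status"], f["cve"], f["due"], f["days_left"],
            f["product"], ", ".join(f["hosts"])))
    print(summarize(results))
```

Against the sample, the Pulse Secure entry comes out overdue, the Exchange entry is due within two weeks, the Fortinet entry is merely scheduled, and the QNAP entry is dropped because nothing in the inventory runs it. In practice the catalog should be re-fetched on a schedule and diffed against the previous copy, since the directive's due dates are set per entry when it is added rather than by severity score.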