A recent joint cybersecurity advisory from U.S and allied cybersecurity authorities identified the top exploited vulnerabilities and exposures (CVEs) of last year. Out of the 15 vulnerabilities that made the list, which we’ve placed below, it is interesting to see 11 of the 15 are from 2021. There are 4 other vulnerabilities identified in 2020 and earlier that are routinely exploited – an obvious sign that organizations aren’t patching systems in a timely manner and remain exposed to those threats.

Within the advisory, it was noted that the speed and scale of malicious actors taking advantage of new vulnerabilities has increased. So it is of critical importance that organizations are taking action to address new vulnerabilities as soon as they are disclosed.

There may be reasons why organizations aren’t taking immediate action, but the risk acceptance leaves those organizations open to exploit.

Source: 2021 Top Routinely Exploited Vulnerabilities, https://www.cisa.gov/uscert/ncas/alerts/aa22-117a

In light of the new advisory, here are a few reminders of how you can reduce your organization’s cyber risk:

1. Make sure you are patching for known vulnerabilities. As NSA Cybersecurity Director Rob Joyce said, “bad actors don’t need to develop sophisticated tools when they can just exploit publicly known vulnerabilities.”
2. You can’t identify new threats and vulnerabilities that could impact your organization with one-time assessments. You should be doing continuous attack surface assessments that help accurately discover and classify your IT assets.
3. To be effective, you must be able to reduce the noise. You don’t have time to weed through a list of threats and vulnerabilities that are not prioritized based on the likelihood of occurrence and impact to your specific organization.

If your organization needs help identifying any of the vulnerabilities on the list, please reach out to us for a free cyber risk assessment.