
CISA sees vulnerability remediation progress
An effort led by the Cybersecurity and Infrastructure Security Agency (CISA) to reduce the number of vulnerabilities in IT environments spanning more than 3,500 organizations has cut the number of known exploited vulnerabilities (KEVs) in those organizations by nearly 20% on average.
CISA provides organizations with a scanning service that continuously assesses the health of internet-accessible assets by checking for known vulnerabilities, weak configurations, configuration errors, and suboptimal security practices. The service also recommends enhancing security by implementing modern web and email standards.
In total, there are now 5,900 organizations taking advantage of the service. The 3,500 organizations in which CISA measured the reduction had enrolled in the program before April 1, 2022.
CISA noted that, on average, newly enrolled organizations decreased their vulnerability exposure by 20% within the first three months of vulnerability scanning.
While that reduction represents progress, CISA is making it clear that much more work must be done. The agency plans to add services that make the program simpler to access and that improve its ability to track the cybersecurity progress organizations are making.
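As an added example (not code from the article or from CISA's scanning service), the following Python triages constructed scan results against a catalog excerpt shaped like the public KEV JSON feed and computes the KEV-exposure reduction between two scans, the metric the paragraph above reports; the host names, CVE ids and dates are placeholders.

```python
import json

# Constructed excerpt in the shape of the public KEV catalog JSON feed (field names only);
# the CVE ids, products and dates are placeholders, not real catalog entries.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "product": "Gateway", "dateAdded": "2022-03-01", "dueDate": "2022-03-22"},
    {"cveID": "CVE-0000-0002", "product": "Mailer", "dateAdded": "2022-05-10", "dueDate": "2022-05-31"},
]})

# Constructed scan snapshots: internet-facing host -> CVE ids the scanner reported.
SCAN_BEFORE = {
    "host-a": ["CVE-0000-0001", "CVE-0000-0101"],
    "host-b": ["CVE-0000-0002", "CVE-0000-0001"],
    "host-c": ["CVE-0000-0002", "CVE-0000-0102"],
    "host-d": ["CVE-0000-0001"],
}
SCAN_AFTER = {  # host-a patched its KEV; everything else is unchanged
    "host-a": ["CVE-0000-0101"],
    "host-b": ["CVE-0000-0002", "CVE-0000-0001"],
    "host-c": ["CVE-0000-0002", "CVE-0000-0102"],
    "host-d": ["CVE-0000-0001"],
}

def load_kev(text):
    """Index the catalog by CVE id for O(1) membership checks."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}

def kev_findings(scan, kev):
    """Every (host, cve, dueDate) whose CVE is in the KEV catalog; non-KEV findings are ignored."""
    return [(host, cve, kev[cve]["dueDate"])
            for host, cves in scan.items() for cve in cves if cve in kev]

def prioritised(scan, kev, today):
    """KEV findings ordered by earliest due date, each flagged True if already past due.
    today is an ISO-8601 date string; ISO dates compare correctly as plain strings."""
    rows = sorted(kev_findings(scan, kev), key=lambda r: (r[2], r[0]))
    return [(host, cve, due < today) for host, cve, due in rows]

def kev_exposure_reduction(before, after, kev):
    """Percentage drop in KEV instances between two scans; 0.0 when there was nothing to reduce."""
    n_before, n_after = len(kev_findings(before, kev)), len(kev_findings(after, kev))
    return 0.0 if n_before == 0 else 100.0 * (n_before - n_after) / n_before

if __name__ == "__main__":
    catalog = load_kev(KEV_JSON)
    for host, cve, overdue in prioritised(SCAN_AFTER, catalog, "2022-05-15"):
        print(f"{host}  {cve}  {'OVERDUE' if overdue else 'within remediation window'}")
    print(f"KEV exposure reduced by {kev_exposure_reduction(SCAN_BEFORE, SCAN_AFTER, catalog):.1f}%")
```

Counting KEV instances per host rather than distinct CVEs matches how exposure is usually reported: one unpatched KEV on three hosts is three exposures, not one.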
While there are hundreds of thousands of vulnerabilities, cybercriminals tend to focus on a handful in widely used platforms. Last summer CISA, along with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate's Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), Computer Emergency Response Team New Zealand (CERT NZ) and the National Cyber Security Centre in the United Kingdom (NCSC-UK), shared a list of the top 10 most commonly exploited vulnerabilities that organizations should remediate.
In the long term, however, there is concern that cybercriminals will use artificial intelligence (AI) to exploit a much wider range of vulnerabilities. Cybercriminals actively monitor vulnerability disclosures but mostly focus their efforts on the narrow set that is simple to exploit. AI, however, is likely to make it easier for them to exploit a far wider range by, for example, automatically generating code. Despite the guardrails that have been put in place, hackers have found ways to "jailbreak" the large language models (LLMs) that provide generative AI capabilities. Most infamously, WormGPT gives cybercriminals access to an LLM specifically trained to help them develop malicious code.
If real progress is to be made, it’s clear that organizations will first need to remediate existing vulnerabilities more aggressively while at the same time reducing the number of new ones that might be introduced as new applications are deployed. In theory, at least, providers of applications are embracing best DevSecOps practices to reduce the number of vulnerabilities finding their way into applications, but it might be years before those efforts have a material impact on the current state of cybersecurity.
Of course, cybersecurity teams generally lack the authority needed to update applications. IT professionals worry that applying a patch to remediate a vulnerability will inadvertently break the application. That is undoubtedly a risk. However, compared to the risk many vulnerabilities represent to the business, allowing cybersecurity teams to apply remediation patches automatically has become the lesser of two evils.
