It can be a little frustrating to see guidance from CISA that should have already been in place in the private sector, as it feels like a no-brainer. But hey, in this case, “better late than never” rings true over “too little, too late.” Read ahead for our thoughts on CISA’s latest Binding Operational Directive on Known Exploited Vulnerabilities, fixing legacy applications, and ransomware gang forum drama.
Why in the world did it take this long for such obvious guidance? It should be self-evident that organizations must prioritize fighting active threats (putting out burning fires) over closing potential threats (clearing flammable material that is not yet burning). This directive makes that guidance explicit: high-criticality vulnerabilities that are not being actively exploited should not take precedence over vulnerabilities that are. Coming up with one-size-fits-all guidance on the criticality of vulnerabilities is difficult, and while this directive is binding only on a limited number of organizations (mainly critical infrastructure providers), it is highly recommended as a standard for every organization’s patch and vulnerability management program.
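As an added illustration (not code from the Coalition post), the ordering the directive asks for, expressed as a small Python script that ranks constructed scanner findings against a constructed excerpt in the shape of CISA’s KEV catalog feed; the field names cveID and dueDate are assumed to match the published feed, and the CVE ids are placeholders.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV catalog feed (assumed field
# names "cveID" and "dueDate"); the real feed is far larger. CVE ids are placeholders.
KEV_CATALOG_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-1111", "dueDate": "2021-11-17"},
  {"cveID": "CVE-0000-2222", "dueDate": "2022-05-03"}
]}
"""

# Constructed scanner findings: (cve_id, cvss_base_score).
FINDINGS = [
    ("CVE-0000-3333", 9.8),   # critical, but not known to be exploited
    ("CVE-0000-2222", 6.5),   # medium, known exploited, later due date
    ("CVE-0000-4444", 7.5),   # high, not known to be exploited
    ("CVE-0000-1111", 5.3),   # medium, known exploited, earliest due date
]


def load_kev(catalog_json):
    """Map each catalog CVE to its remediation due date."""
    data = json.loads(catalog_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in data["vulnerabilities"]}


def prioritize(findings, kev):
    """Order findings the way the directive asks: known-exploited first
    (soonest due date first, CVSS as tie-breaker), then the rest by CVSS."""
    def key(finding):
        cve, cvss = finding
        if cve in kev:
            return (0, kev[cve].toordinal(), -cvss)
        return (1, 0, -cvss)
    return sorted(findings, key=key)


def overdue(findings, kev, today_iso):
    """Known-exploited findings whose remediation due date has already passed."""
    today = date.fromisoformat(today_iso)
    return [cve for cve, _ in findings if cve in kev and kev[cve] < today]


if __name__ == "__main__":
    catalog = load_kev(KEV_CATALOG_JSON)
    for cve, cvss in prioritize(FINDINGS, catalog):
        print(cve, cvss, "KEV due " + catalog[cve].isoformat() if cve in catalog else "not in KEV")
```

Note that the critical-but-unexploited finding sorts below both medium-severity known-exploited ones, which is exactly the inversion of a pure CVSS-first queue.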
Legacy, monolithic applications suffer from several issues — one of which is the inability of developers to spot and fix security flaws. The time and complexity involved make it almost infeasible to perform adequate security testing, but attackers don’t have the same constraints. Modern applications are built in a modular fashion (e.g., separate calendar, contact, and mail applications that intercommunicate via APIs), which brings the benefit of reduced code complexity. That makes it easier to perform security testing and, hopefully, to find and fix vulnerabilities before the bad guys do.
The drama created by REvil’s decision was entirely predictable. Ransomware has increasingly matured into a complex business with customers, vendors, and an interconnected supply chain. REvil’s actions created a disruption just like a legitimate business might encounter if they could not get support for a vital product from one of their suppliers; given the amounts of money at play, a high-quality, well-supported, and reliable product is essential.
If you enjoyed this post, be sure to check our blog weekly; the Risk Roundup runs Friday mornings in addition to more enlightening content we post related to the ever-evolving landscape of digital risk. Follow us on Twitter (@SolveCyberRisk), LinkedIn (Coalition Inc), and YouTube. If you have any suggestions for content that we should be adding to our reading list, let us know!