The National Cyber Security Centre (NCSC) has issued a joint advisory with international partners to raise awareness of the vulnerabilities most routinely exploited during 2021. The warning follows a year in which both the volume and the aggressiveness of cyber attacks rose sharply.
The advisory lists the 15 vulnerabilities, identified by CVE number, that malicious cyber actors across the globe exploited most routinely. The NCSC produced and published it with partner agencies in the US, Australia, Canada and New Zealand, and it is intended for both public and private sector organisations.
Lindy Cameron, NCSC CEO, said: “The NCSC and our allies are committed to raising awareness of vulnerabilities and presenting actionable solutions to mitigate them. This advisory places the power in the hands of network defenders to fix the most common cyber weaknesses in the public and private sector ecosystem.”
She added: “Working with our international partners, we will continue to raise awareness of the threats posed by those who seek to harm us.”
Malicious actors routinely target newly disclosed vulnerabilities, aiming to exploit them before an organisation has had time to apply the patch. They also concentrate on internet-facing systems such as email and virtual private network (VPN) servers. Vulnerabilities that have been public for more than a year continue to be exploited, because many systems are never patched.
The rise in serious cyber attacks has led the NCSC to urge every organisation that runs IT systems and holds sensitive data to put a vulnerability management process in place. Even a business that holds nothing more than staff details must protect that data as well as it reasonably can.
The guidance includes running a vulnerability assessment monthly, using automated scanning tools. Scan from outside, via the internet, and also from inside the network where that is relevant, since the two views expose different weaknesses. Triage the findings by severity, but weigh each against the specific risk it poses to the business: whether the flaw is known to be exploited in the wild, whether the affected service is reachable from the internet, and what the affected system protects.
Every issue that can be fixed by a patch, a configuration change or a migration should be dealt with straight away. Anything that cannot be fixed immediately should be formally acknowledged and investigated, with a clear timescale for remediation or a documented, valid reason for the delay. Any service directly accessible from the internet should be fixed as a matter of urgency.
Rob Joyce, National Security Agency (NSA) Cybersecurity Director said: “This report should be a reminder to organisations that bad actors don’t need to develop sophisticated tools when they can just exploit publicly known vulnerabilities.”
He added: “Getting a handle on patch management will go a long way in forcing adversaries to spend a lot more resources to even try and get in to targeted networks.”
Finally, IT managers should produce a monthly report of every vulnerability identified and what was done about it. The report demonstrates how well the IT estate is being managed and gives a factual basis for deciding where resources and funds are best deployed in future.
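To make the triage steps described above and this monthly reporting step concrete, here is an added worked example in Python. It is not code from the NCSC, the advisory or the original article. It assumes the scanner output has already been exported with a CVSS score, an internet-facing flag and the kind of fix available for each finding; the remediation timescales, the two-day target for internet-facing or known-exploited items, and the sample findings with placeholder CVE IDs are all assumptions made for illustration.

```python
"""Triage vulnerability-scan findings and summarise a month's remediation.

Added worked example; thresholds, timescales and sample data are
illustrative assumptions, not figures from the advisory or the article.
"""
import calendar
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation targets in days, by CVSS v3 severity band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Assumed: anything reachable from the internet, or known to be exploited
# in the wild (the advisory's top-15 list or CISA's Known Exploited
# Vulnerabilities catalogue would feed this flag in practice), is fixed
# within two days regardless of its CVSS score.
URGENT_DAYS = 2
FIXABLE_ACTIONS = {"patch", "reconfigure", "migrate"}


@dataclass
class Finding:
    cve: str
    host: str
    cvss: float
    internet_facing: bool
    action: str                # "patch", "reconfigure", "migrate" or "none"
    found: date
    fixed: Optional[date] = None
    known_exploited: bool = False
    deferral_reason: str = ""  # required before an unfixable item is accepted


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def triage(f: Finding) -> dict:
    """Decide what happens to one finding and by when.

    Anything with a patch, configuration change or migration available is
    fixed. Anything else must carry a documented reason for the delay
    (accepted) or be investigated, and every item still gets a due date.
    """
    days = SLA_DAYS[severity(f.cvss)]
    if f.internet_facing or f.known_exploited:
        days = min(days, URGENT_DAYS)
    if f.action in FIXABLE_ACTIONS:
        disposition = "fix"
    elif f.deferral_reason:
        disposition = "accepted"
    else:
        disposition = "investigate"
    return {
        "cve": f.cve, "host": f.host, "cvss": f.cvss,
        "severity": severity(f.cvss),
        "internet_facing": f.internet_facing,
        "known_exploited": f.known_exploited,
        "disposition": disposition,
        "due": f.found + timedelta(days=days),
        "fixed": f.fixed,
    }


def monthly_report(findings, year: int, month: int) -> dict:
    """Summarise open, overdue and closed items for one calendar month."""
    month_start = date(year, month, 1)
    month_end = date(year, month, calendar.monthrange(year, month)[1])
    rows = [triage(f) for f in findings]
    open_rows = [r for r in rows if r["fixed"] is None]
    closed = [r for r in rows if r["fixed"] and month_start <= r["fixed"] <= month_end]
    overdue = [r for r in open_rows if r["due"] < month_end]
    # Worst first: known-exploited, then internet-facing, then raw score.
    open_rows.sort(key=lambda r: (r["known_exploited"], r["internet_facing"], r["cvss"]),
                   reverse=True)
    return {
        "open": len(open_rows),
        "overdue": [r["cve"] for r in overdue],
        "closed_this_month": len(closed),
        "open_by_disposition": dict(Counter(r["disposition"] for r in open_rows)),
        "priority_order": [r["cve"] for r in open_rows],
    }


# Constructed sample scan output; the CVE IDs are placeholders, not real findings.
SAMPLE_FINDINGS = [
    Finding("CVE-2021-99001", "vpn-gw", 9.8, True, "patch", date(2022, 4, 3), known_exploited=True),
    Finding("CVE-2021-99002", "mail-01", 7.5, True, "patch", date(2022, 4, 10), fixed=date(2022, 4, 11)),
    Finding("CVE-2021-99003", "hr-db", 8.1, False, "none", date(2022, 4, 12),
            deferral_reason="vendor fix expected Q3; host restricted to management VLAN"),
    Finding("CVE-2021-99004", "print-srv", 5.3, False, "reconfigure", date(2022, 4, 15)),
    Finding("CVE-2021-99005", "legacy-app", 6.5, False, "none", date(2022, 4, 20)),
]

if __name__ == "__main__":
    for key, value in monthly_report(SAMPLE_FINDINGS, 2022, 4).items():
        print(f"{key}: {value}")
```

Note that the internet-facing VPN gateway finding is the only overdue item in the sample month even though it was found earliest, because its two-day target has already passed; the internal database finding with no vendor fix is carried as "accepted" only because it has a written reason, and the legacy application with neither a fix nor a reason stays in "investigate" until someone supplies one.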
If you are looking for small business IT support in London, talk to us today.