2022’s Tsunami of Unauthenticated Software Vulnerabilities
The Rapid Rise of Threats Today
The enterprise attack surface is under siege. Over the past 12 months, common enterprise software platforms, including Microsoft Exchange, SAP, and any application built on the widely used Log4j Java logging library, have been exposed to critical-severity vulnerabilities that can be exploited to remotely control systems and exfiltrate data without credentials or any successful authentication. In the first few weeks of 2022 alone, an unprecedented number of vulnerabilities were reported, many with recommendations for immediate remediation. Each announcement sends enterprise security and platform teams scrambling to assess the extent of their exposure and then patch, patch, patch. Because the vulnerabilities being announced are increasingly exploitable by unauthenticated attackers, they bypass IAM-level controls entirely: strong passwords, MFA, and credential rotation do nothing against a flaw that needs no credentials, which leaves a huge attack surface exposed.
SAP, Siemens, and Schneider Electric are the most recent companies to join the ranks of Microsoft, Apple, Apache, and Jenkins in disclosing press-worthy vulnerabilities, with CISA adding over 15 new CVEs to its Known Exploited Vulnerabilities catalog in the past week alone. The major concern is that many of the current CVEs, which threat actors are exploiting within days of release, let an attacker quickly elevate privileges and reach business processes, users, and data, from which serious malicious activity follows. Because these vulnerabilities bypass authentication, credential-centric controls do not mitigate them, and enterprise teams are being overwhelmed by the need to assess exposure across large, complex, poorly understood IT estates and apply software patches under emergency conditions. Incident response fatigue is setting in.
For example, the most recent SAP vulnerability, CVE-2022-22536 in the SAP Internet Communication Manager (ICM), lets an unauthenticated attacker who can reach the ICM over HTTP use crafted requests to read and tamper with other users' requests and responses, exposing critical information and data without any credentials. Immediate remediation, as in many cases in the current rash of vulnerabilities, is requested, placing massive strain on already overstretched IT and security teams, especially since this comes hot on the heels of the Log4Shell incident (CVE-2021-44228), which caused so much disruption from December through January.
In addition, when comparing the most recent CVE releases against recently documented hacks and attacks, we are seeing a resurgence of older vulnerabilities being exploited on new targets, such as IoT systems. IoT systems are traditionally not as hardened, from a resilience perspective, as their IT counterparts, yet they sit on the same networks and offer a poorly protected vector back into the enterprise.
This rash of new-year CVEs has heightened awareness of both operational and cyber risk for all organizations, not just those in the large enterprise and public sectors that have traditionally borne the brunt of cyber defense. This past week, CISA called for all organizations to adopt a heightened cyber posture and focus on protecting critical assets.
Resiliency – A Call to Action
Accelerating programs like Zero Trust and dynamic cyber hygiene, in other words actionable observability, is now crucial to achieving the level of resilience CISA recommends. Application Relationship Management (ARM) provides the visibility that is the foundation for the mitigating controls detailed in the recommendations. These controls give organizations a proactive level of protection and a set of tools that allow them to recover more effectively. The new CISA recommendations cover four areas of action:
- Reduce the likelihood of a damaging cyber intrusion
- Take steps to quickly detect a potential intrusion
- Ensure that the organization is prepared to respond if an intrusion occurs
- Maximize the organization’s resilience to a destructive cyber incident
Across all four areas of action, Application Relationship Management is needed to enable and strengthen a Zero Trust strategy and incident response plan. ARM also supports the recommended hygiene actions, such as ensuring that all ports and protocols not essential for business purposes have been disabled, and validating that all remote access to the organization's network, and all privileged or administrative access, requires multi-factor authentication. Dynamic visibility and a clear understanding of the relationships between users, applications, and data in the environment are key to carrying out these recommendations. For high-severity vulnerabilities that an unauthenticated attacker can exploit, there are two critical requirements:
- Reduce the attack surface exposed by Critical Business Services. A Zero Trust Network Access (ZTNA) solution restricts which sources can communicate with a system, which mitigates the risk of exploitation both laterally and from external sources. ZTNA erects a barrier around important assets so that a critical vulnerability cannot be reached by an unauthorized source, regardless of whether the flaw requires credentials or whether credentials have already been stolen. It reduces exposure rather than eliminating it: any source still permitted to reach the vulnerable service can still exploit it, so the allowed set must be kept minimal and the patch still has to be applied.
- Scope your Critical Business Services and their dependencies. To apply Zero Trust principles to Critical Service protection, you need to understand the scope of the system and its dependencies: which hosts talk to which, on which ports and protocols. This is a challenge in complex, highly interconnected environments and therefore needs to be automated. The good news is that this level of accurate information also lets you detect when new communications are attempted that fall outside the known dependency map, which can indicate attempted exploitation or lateral movement. The same information is critical for returning to a 'known good' state after an incident.
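The two requirements above share one data structure: a known-good map of which source talks to which destination, port, and protocol. The following is an added example written for this article, not code from the original post or from any ARM or ZTNA product, that builds such a map from a baseline of flow records, derives the minimal inbound allow rules a ZTNA policy would enforce for the service's hosts, and then flags flows that fall outside the map. The flow records, host names, and the one-line "timestamp src dst port proto" record format are all constructed assumptions for the example.

```python
"""
Added example: dependency map, minimal allowlist, and out-of-map flow detection
for one critical business service. Not vendor code; record format is assumed.
"""
from collections import defaultdict

# Constructed baseline: flows observed during a known-good period for a
# hypothetical payroll service (host names and ports are assumptions).
BASELINE_FLOWS = """\
2022-02-01T09:00:01Z web-01 app-01 8443 tcp
2022-02-01T09:00:02Z app-01 db-01 1433 tcp
2022-02-01T09:00:05Z app-01 sap-01 3200 tcp
2022-02-01T09:05:00Z web-01 app-01 8443 tcp
2022-02-01T09:06:00Z bastion-01 db-01 22 tcp
"""

# Constructed flows captured after a critical CVE announcement. The last three
# are the shape an unauthenticated exploit followed by lateral movement takes:
# an unknown source hits the exposed service, then that host reaches sideways.
NEW_FLOWS = """\
2022-02-10T11:00:01Z web-01 app-01 8443 tcp
2022-02-10T11:00:04Z app-01 db-01 1433 tcp
2022-02-10T11:02:17Z sap-01 db-01 1433 tcp
2022-02-10T11:02:30Z sap-01 app-01 445 tcp
2022-02-10T11:03:00Z 203.0.113.7 sap-01 3200 tcp
"""


def parse_flows(text):
    """Parse 'timestamp src dst port proto' lines; skip blank or malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        ts, src, dst, port, proto = parts
        flows.append((ts, src, dst, int(port), proto.lower()))
    return flows


def build_dependency_map(flows):
    """Known-good map: (src, dst, port, proto) -> number of observations."""
    deps = defaultdict(int)
    for _, src, dst, port, proto in flows:
        deps[(src, dst, port, proto)] += 1
    return dict(deps)


def allowlist_for(deps, service_hosts):
    """Minimal inbound rules for the service's hosts: (dst, port, proto) -> allowed sources.
    Anything inbound to those hosts that is not listed here is not essential for
    the service and is a candidate for being blocked by the ZTNA policy."""
    rules = defaultdict(set)
    for src, dst, port, proto in deps:
        if dst in service_hosts:
            rules[(dst, port, proto)].add(src)
    return dict(rules)


def find_unexpected(deps, flows):
    """Return flows absent from the dependency map with a coarse triage reason."""
    known_hosts = {host for key in deps for host in key[:2]}
    findings = []
    for ts, src, dst, port, proto in flows:
        if (src, dst, port, proto) in deps:
            continue
        if src not in known_hosts:
            reason = "unknown-source"      # possible unauthenticated exploitation
        else:
            reason = "new-internal-path"   # possible lateral movement
        findings.append({"ts": ts, "src": src, "dst": dst, "port": port,
                         "proto": proto, "reason": reason})
    return findings


if __name__ == "__main__":
    deps = build_dependency_map(parse_flows(BASELINE_FLOWS))
    for rule, sources in sorted(allowlist_for(deps, {"app-01", "db-01", "sap-01"}).items()):
        print("allow", rule, "from", sorted(sources))
    for f in find_unexpected(deps, parse_flows(NEW_FLOWS)):
        print("ALERT", f["reason"], f["ts"], f"{f['src']} -> {f['dst']}:{f['port']}/{f['proto']}")
```

Run against the constructed data, the allowlist contains four inbound rules and the detector raises three alerts: two new internal paths from sap-01 and one unknown external source reaching the SAP port. In practice the baseline would come from a flow collector over a period long enough to capture scheduled jobs, and findings would be triaged rather than blocked automatically, since a legitimate new dependency looks the same as the first step of lateral movement until someone checks.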
The new CISA Shields Up recommendations, prompted by the tsunami of CVEs and the current heightened threat landscape, are a clear call for all organizations, public and private, to take immediate steps toward the cyber maturity and resiliency they describe, and a strong Application Relationship Management program is how an organization gets the visibility those steps require. Without an understanding of the relationships within their environments, organizations leave attackers free to exploit CVEs that already overtaxed teams cannot keep up with. The actionable observability and visibility that Application Relationship Management provides lets organizations quickly understand and act on the impact of a CVE in their own environment while, in tandem, implementing the CISA recommendations to achieve a stronger long-term resiliency stance.