The National Security Administration (NSA) recently published a list of 25 vulnerabilities that Chinese security services rely on to penetrate corporate networks in the United States.
The vulnerabilities published in late October are not new. The list contained no surprises –absolutely zero – to anyone paying close attention. But that doesn’t mean it isn’t possible to draw some important lessons. By taking a broader look at these vulnerabilities, we get some good insight into the general tactics of state-backed hackers, the conditions of corporate security programs, and what companies can do to sharpen up their patching operations.
The vulnerabilities on the NSA’s list have the following common elements that point to the tactics of these state-backed attackers:
- Remote code execution. Nearly all of the vulnerabilities allowed remote code execution. This isn’t destructive, it’s information gathering or access to internal systems that the attackers are looking for.
- Established exploits. For nearly all of the vulnerabilities on the list, exploits are publicly-available. In most cases, exploits for these vulnerabilities were developed and released more than six months ago. The list even includes an Oracle Weblogic vulnerability from 2015.
- Available on the internet. The vulnerabilities target applications or services that are publicly-available on the internet from anywhere in the world.
- Patches are available for all of them. Of the 25 vulnerabilities, all of them have patches available and many of them have had patches for years.
The reliance on these existing vulnerabilities paints a picture of a Chinese security operation that uses the same well-worn tactics that “low-skill” cybercriminals rely on for widespread operations.
At first glance, there’s a simple reason that well-known vulnerabilities and publicly-available exploits are successful. Companies face more vulnerabilities than they can realistically patch. On average, large corporations have the capacity and resources to patch just 10 percent of the vulnerabilities on their systems.
But that statistic doesn’t tell the whole story. Just 4 percent of vulnerabilities pose an actual risk to an organization. Security teams need to know which vulnerabilities to patch first.
Many companies tend to use the Common Vulnerabilities Scoring System (CVSS). Unfortunately, this system doesn’t predict the likelihood that a vulnerability gets exploited. It simply approximates the ease of exploit and the damage an exploit would do if it were exploited. Some vulnerabilities with high CVSS scores are never exploited. On the other hand, some low-scoring vulnerabilities are exploited because they help hackers achieve their goals.
For perspective, the vulnerabilities on the NSA’s list had an average CVSS score of 7.5. About 25 percent of CVSS scores are in that range or higher. Even if a company endeavored to close all of its vulnerabilities above that level, it likely could not make it happen.
With that in mind, the NSA alert offers a clear picture for how security teams should look at and patch vulnerabilities. By looking at the likelihood of exploitation, both in terms of the attack surface and whether there’s an actual exploit already developed, as well as the potential risk of a successful attack, security teams can better evaluate the risk. For the most part, these vulnerabilities share a number of characteristics in common which all point to them being dangerous security holes that organizations should patch as quickly as they can – if they haven’t done so already.
It’s a positive move for the NSA to issue an alert like this. New vulnerabilities are discovered each day, and security teams are in the unenviable position of trying to manage them all. Despite that, there are ways for enterprises to get ahead. The NSA alert shows us how.
Jerry Gamblin, manager of security and compliance, Kenna Security