Quantcast
Channel: Tenable Blog
Viewing all articles
Browse latest Browse all 1935

Cybersecurity Snapshot: Five Eyes Rank 2023’s Most Frequently Exploited CVEs, While CSA Publishes Framework for AI System Audits

$
0
0

Check out the CVEs attackers targeted the most last year, along with mitigation tips. Plus, a new guide says AI system audits must go beyond check-box compliance. Meanwhile, a report foresees stronger AI use by defenders and hackers in 2025. And get the latest on cloud security, SMBs' MFA use and the CIS Benchmarks.

Dive into six things that are top of mind for the week ending Nov. 15.

1 - Report ranks 2023’s most frequently exploited vulnerabilities

Wondering what were attackers’ preferred vulnerabilities last year? Cyber agencies from the Five Eyes countries have ranked these go-to bugs in a joint advisory titled “2023 Top Routinely Exploited Vulnerabilities.

Published this week, the advisory details the 47 Common Vulnerabilities and Exposures (CVEs) that attackers most often exploited in 2023, along with their associated Common Weakness Enumerations (CWEs).

The advisory also offers prevention and mitigation recommendations both to end-user organizations, and to software vendors and developers.

A key takeaway: the majority of the CVEs listed were initially exploited as zero-days, unlike in 2022, when fewer than half were. In addition, the report found that attackers typically strike gold with vulnerabilities that are less than two years old.

Matrix of numbers and letters spelling out cyber attack, data breach and other cybersecurity issues


Here are some of the recommendations from the authoring cyber agencies in Australia, Canada, New Zealand, the U.K. and the U.S. for end-user organizations:

  • Update software, including operating systems, applications and firmware, and prioritize patching CVEs included in CISA’s Known Exploited Vulnerabilities (KEV) catalog, especially those listed in the report. 
  • Maintain a continuously updated inventory of all your assets – both hardware and software, and on-prem and in the cloud. 
  • Deploy an automated, centralized patch-management system and adopt a patch-management process.
  • Document the secure baseline configurations for all IT/OT systems.
  • Require phishing-resistant multi-factor authentication for all users and on all VPN connections.
  • Adopt the principle of least privilege when configuring access control.
  • Secure internet-facing devices.
  • Monitor your attack surface continuously.
  • Contractually require your software vendors to provide you with software bills of materials (SBOMs) for their products, and inquire whether they employ secure-by-design principles.

The five CVEs atop the list are:

To get all the details, read the full advisory “2023 Top Routinely Exploited Vulnerabilities.

For more information about vulnerability management, check out these Tenable resources:

2 - CSA: AI systems require holistic audits

When it comes to auditing artificial intelligence (AI) systems, auditors need to go beyond basic regulatory compliance requirements, and instead aim to assess their trustworthiness in a holistic, comprehensive manner.

That’s the main message in the Cloud Security Alliance’s new report “Artificial Intelligence (AI) Risk Management: Thinking Beyond Regulatory Boundaries,” which was published this week and offers a risk-based framework for auditing AI systems throughout their lifecycle.

While it’s critical for AI audits to be accurate, “trust in AI can only be achieved through a far-reaching approach to auditing that goes beyond what’s required,” researcher Ryan Gifford, a leader in the CSA’s AI Governance & Compliance Working Group, said in a statement.

Cover page of CSA report "AI Risk Management"


The paper addresses a wide range of AI audit elements, including AI governance; the role of data and sensors; applicable laws, regulations and standards; data and privacy; algorithms, training methods and models; and security systems – to name just a few.

The 101-page document also includes hundreds of suggested questions to include in an AI audit, covering 25 topics. 

For example, the paper suggests 19 questions to ask about AI security systems, organized into seven sub-categories, including authentication and access control; data sanitization; encryption and key management; and security monitoring.

These are just a few of the questions in the AI security systems section:

  • How are security vulnerabilities actively identified and mitigated in software and hardware components? Through regular updates and patching?
  • How is security data from multiple sources integrated and analyzed to provide a centralized platform for threat detection, incident response, and comprehensive security monitoring?
  • How is the legitimacy of people and system accounts requesting access confirmed?
  • Which authentication methods are used to ensure that only authorized entities gain access?

For more information about AI system audits:

3 - Google: Attackers will deepen AI use in 2025

Expect the AI cyberwars to get nastier and more sophisticated next year.

In 2025, hackers will double down on their use of AI to boost their cyberattacks, while security teams will further leverage AI security tools to improve their cyberdefenses.

That’s one of the main takeaways from Google Cloud’s “Cybersecurity Forecast 2025” report, released this week.

“While AI is rapidly bringing new tools for threat detection and response, it also provides malicious actors with powerful capabilities for social engineering, disinformation, and other attacks,” reads the report.
 

Cube with the letters AI to represent Artificial Intelligence


Here are some ways in which Google Cloud expects cyberattackers to more aggressively employ generative AI tools, LLMs, deepfakes and other AI technologies in 2025:

  • To further scale and enhance social engineering attacks, including phishing and vishing
  • To supercharge cybercrime and cyberespionage 
  • To research vulnerabilities they can exploit
  • To streamline and accelerate development of malicious code
  • To rapidly create content for disinformation campaigns

“As AI capabilities become more widely available throughout 2025, enterprises will increasingly struggle to defend themselves against these more frequent and effective compromises,” the report reads.

By the same token, cybersecurity teams will move into what the report calls “a second phase” of AI use. During the first phase, defenders used AI tools for repetitive tasks, such as summarizing reports and querying data sets. In 2025, cybersecurity teams will extend their AI use towards “semi-autonomous” security operations.

“This includes being able to parse through alerts - even with false positives - to create a list of the highest priority items, enabling security teams to further triage and remediate the risks that matter most,” the report reads.

However, the output of these AI security operations will still need to be verified by a security professional.

The report also looks at how trends like geopolitical cyberthreats, ransomware and infostealer malware are likely to develop in 2025.

For more information about cloud security trends:

4 - Tenable poll looks at cloud security practices

During our recent webinar “Empower Your 2025 Cloud Security Planning with Tenable's Data Insights,” we informally polled attendees about cloud security issues, such as workloads afflicted by the “toxic trilogy” of cloud risks. Check out the results!

Pie chart showing a majority of people polled don't know how many workloads are publicly exposed, critically vulnerable, and highly privileged

(51 webinar attendees polled by Tenable, November 2024)

Pie chart showing a majority of people polled enforced least privilege on cloud workload identities

(39 webinar attendees polled by Tenable, November 2024)

Check out this on-demand webinar for a discussion of the valuable insights in the new “Tenable Cloud Risk Report 2024,” including concrete recommendations for improving your organization’s cloud security.

5 - Report: MFA widely underused, misunderstood by SMBs

A majority of small and medium-sized businesses (SMBs) surveyed about multi-factor authentication (MFA) haven’t adopted this identity and access management (IAM) technology and ignore its security benefits.

That’s a key finding from a report based on a global survey of almost 2,300 SMBs conducted by the Cyber Readiness Institute (CRI) and published this week.

“MFA is no longer a luxury or optional security measure - it is a fundamental necessity in today’s digital landscape. The time for SMBs to act is now,” the report reads.

Specifically, 65% of SMBs polled said they haven’t implemented MFA, and most of them (61%) have no plans to adopt MFA in the foreseeable future.

Barriers to adoption include: 

  • the cost to acquire and deploy MFA tools
  • lack of technical expertise to choose the right product
  • lack of awareness about MFA's benefits

A bright spot for MFA adoption is the U.S., where SMBs buck the global trend, with 89% of respondents saying they’ve adopted the technology, and 55% saying they’re “very aware” of MFA and its benefits.

The following best describes the level of awareness you have of MFA and the related security benefits at your company

bar graph showing global adoption of multi-factor authentication (MFA) as low compared to the USA

So what can be done to promote MFA adoption among SMBs? Here are some recommendations from the report:

  • Government agencies, industry groups, non-profit organizations and cybersecurity vendors should collaborate on campaigns to educate SMBs about the benefits of MFA.
  • Software vendors should include MFA capabilities as part of broader software packages at no additional cost. 
  • Governments should offer incentives to SMBs, such as tax breaks and subsidies, while larger businesses should reward their SMB partners that adopt MFA.
  • Vendors, government agencies and industry groups should offer SMBs technical assistance after they adopt MFA to ensure their continued success with the technology.

To get more details, read: 

6 - CIS Benchmarks for Apple, Azure, Oracle get updated

The Center for Internet Security (CIS) just announced the latest updates to its CIS Benchmarks, including the ones for Azure Kubernetes Service (AKS), Oracle Cloud Infrastructure for Kubernetes (OKE) and several versions of Apple's macOS.

Specifically, these CIS Benchmarks were updated in October:

In addition, these three new CIS Benchmarks were released:

 

CIS Benchmarks logo from the Center for Internet Security

 

The CIS Benchmarks’ secure-configuration guidelines are designed to help security teams harden software against attacks. There are currently more than 100 Benchmarks for 25-plus vendor product families. There are CIS Benchmarks for cloud platforms; databases; desktop and server software; mobile devices; operating systems; and more.

To get more details, read the CIS blog “CIS Benchmarks November 2024 Update.” For more information about the CIS Benchmarks list, check out its home page, as well as:


Viewing all articles
Browse latest Browse all 1935

Trending Articles