CISA creates vulnerability catalog to improve federal agencies’ cybersecurity

The U.S. Cybersecurity and Infrastructure Security Agency today issued a binding operational directive that tackles vulnerabilities in federal agencies’ information technology systems.

The directive has two main elements. First, CISA has created a catalog of more than 300 vulnerabilities that attackers are known to be actively exploiting. Second, it instructs civilian federal agencies to remediate any of their systems affected by a catalogued vulnerability within fixed deadlines. For the initial catalog, flaws whose CVE identifiers were assigned in 2021 must be fixed by November 17, 2021, while those with earlier CVE identifiers must be resolved by May 3, 2022 at the latest.

“The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks,” said CISA Director Jen Easterly in a statement.

CISA officials explained some of the context behind the new catalog in a fact sheet. Researchers rate the severity of the vulnerabilities they discover using a standard known as the Common Vulnerability Scoring System, or CVSS. Scores run from 0 to 10, and vulnerabilities scoring 9.0 or higher are designated “critical.” CISA said that more than 18,000 vulnerabilities were disclosed in 2020 alone, more than 10,000 of them rated high or critical.

But the vulnerabilities with the highest severity scores aren’t always the ones that pose the biggest risk of a breach. “Attackers do not rely only on ‘critical’ vulnerabilities to achieve their goals,” CISA pointed out. There are documented cases of attackers chaining several lower-severity vulnerabilities together to carry out an intrusion.

The vulnerability catalog CISA has launched as part of its newly issued directive aims to help federal agencies more effectively address cybersecurity issues in their systems. Instead of containing only vulnerabilities rated critical, the catalog also includes flaws that have a lower severity score but are known to be actively exploited by hackers.
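The prioritization rule the directive describes, as an added example in Python (not CISA's code or any scanner's): a scan's findings are cross-referenced against a feed in the shape of the KEV catalog's JSON, catalog hits jump the queue regardless of their CVSS score, and each hit gets the deadline the catalog carries or, for initial-catalog entries, the CVE-year rule from the directive. The feed URL in the docstring is the real one; the catalog entries, CVE IDs, hosts and scores below are constructed placeholders.

```python
"""Triage a vulnerability scan the way BOD 22-01 prioritizes: catalog first, CVSS second.

Added example, not CISA's or any scanner's code. SAMPLE_KEV_FEED is a constructed
sample in the shape of the real KEV feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
every CVE ID, product and host name here is a placeholder.
"""
import json
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Initial-catalog deadlines set by BOD 22-01.
DUE_FOR_2021_CVES = date(2021, 11, 17)   # CVE IDs assigned in 2021: two weeks
DUE_FOR_OLDER_CVES = date(2022, 5, 3)    # CVE IDs assigned before 2021: six months

CVE_ID_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def bod_due_date(cve_id: str, catalog_due: Optional[str] = None) -> date:
    """Deadline for a catalog entry: the feed's own dueDate if present,
    otherwise the initial-catalog rule keyed on the year in the CVE ID."""
    if catalog_due:
        return date.fromisoformat(catalog_due)
    match = CVE_ID_RE.match(cve_id)
    if not match:
        raise ValueError(f"not a CVE ID: {cve_id}")
    return DUE_FOR_2021_CVES if int(match.group(1)) >= 2021 else DUE_FOR_OLDER_CVES


def load_kev(feed_json: str) -> Dict[str, dict]:
    """Index the KEV feed's JSON text by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


@dataclass
class Finding:
    cve_id: str
    cvss: float
    host: str


def prioritize(findings: List[Finding], kev: Dict[str, dict], today: date) -> List[dict]:
    """Catalog-listed findings first (earliest due date first), then the rest by CVSS, descending.
    A Medium-scored flaw in the catalog therefore outranks a Critical-scored one that is not."""
    rows = []
    for f in findings:
        entry = kev.get(f.cve_id)
        due = bod_due_date(f.cve_id, entry.get("dueDate")) if entry else None
        rows.append({
            "cve": f.cve_id, "host": f.host, "cvss": f.cvss,
            "severity": cvss_severity(f.cvss), "kev": entry is not None,
            "due": due, "overdue": due is not None and today > due,
            "action": entry["requiredAction"] if entry else "patch on normal cadence",
        })
    rows.sort(key=lambda r: (not r["kev"], r["due"] or date.max, -r["cvss"]))
    return rows


# Constructed sample feed; the field names match the real feed, the values do not.
SAMPLE_KEV_FEED = json.dumps({
    "title": "KEV catalog (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2021-1001", "vendorProject": "ExampleCo", "product": "Example Gateway",
         "vulnerabilityName": "Example Gateway authentication bypass", "dateAdded": "2021-11-03",
         "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-11-17"},
        {"cveID": "CVE-2019-2002", "vendorProject": "ExampleCo", "product": "Example VPN",
         "vulnerabilityName": "Example VPN path traversal", "dateAdded": "2021-11-03",
         "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-03"},
    ],
})

# Constructed scan output: a catalogued Medium, an uncatalogued Critical, a catalogued High, a Low.
SAMPLE_FINDINGS = [
    Finding("CVE-2021-1001", 6.5, "web-01"),
    Finding("CVE-2020-9999", 9.8, "db-01"),
    Finding("CVE-2019-2002", 7.2, "vpn-01"),
    Finding("CVE-2018-4004", 3.1, "web-02"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_FEED), date(2021, 12, 1)):
        print(f'{"KEV" if r["kev"] else "   "} {r["cve"]:<14} {r["host"]:<7} {r["cvss"]:>4} '
              f'{r["severity"]:<8} due={r["due"]} overdue={r["overdue"]}')
```

Run as of December 1, 2021, the catalogued Medium on web-01 lands at the top and is already overdue, the catalogued High on vpn-01 follows with its May 2022 deadline, and the uncatalogued 9.8 on db-01 only comes third. In practice you would fetch the live feed rather than the embedded sample and take the dueDate from it, since entries added after the initial catalog carry their own deadlines.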

“These vulnerabilities pose significant risk to agencies and the federal enterprise. It is essential to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents,” CISA stated in the directive. 

“While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog,” said Easterly.

Currently, the catalog includes more than 300 vulnerabilities affecting products from IBM Corp., Oracle Corp., Google LLC, Apple Inc. and many other companies. Some of the flaws were originally discovered as early as 2010, while others are from this year. The directive instructing civilian federal agencies to fix the vulnerabilities applies to “all software and hardware found on federal information systems”, CISA said, whether they run on-premises or are hosted by third parties on an agency’s behalf.
