List of vulnerabilities that MSSPs must fix for US government agencies: growing?

The Department of Homeland Security’s cybersecurity agency recently added 95 actively exploited bugs to the catalog of known exploited vulnerabilities it compiled last year and ordered federal agencies to apply patches that cover the bugs.

The order is particularly timely given ongoing concerns over Russia’s invasion of Ukraine and heightened cybersecurity risks associated with the conflict.

This is the latest order and the largest number of vulnerabilities added to the registry since the Cybersecurity and Infrastructure Security Agency (CISA) issued a rare binding operational directive (BOD 22-01) directing federal agencies to immediately patch hundreds of known hardware and software vulnerabilities that have already been exploited by threat actors to attack government networks and systems. More than 475 vulnerabilities are now listed in the catalog.

Since 2015, DHS and CISA have only issued 10 BODs for urgent issues, two of which were later revoked and replaced.

(Note: To view the most recently added vulnerabilities in the catalog, click the arrow in the “Date added to catalog” column, which sorts the entries by date in descending order.)

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise,” CISA said of the new listings. Although BOD 22-01 only applies to federal agencies, CISA said it “strongly urges” all organizations to prioritize the “timely remediation” of vulnerabilities in the catalog. CISA said it will continue to add vulnerabilities to the catalog that meet the specified criteria.

The order has multiple implications for managed security service providers (MSSPs):

  • MSSPs that proactively patched government systems before the order arrived could potentially solidify their reputations within and among US government agencies.
  • Government-focused MSSPs lagging behind in the remediation effort may find themselves scrambling to close agency vulnerabilities.
  • MSSPs looking to enter the US government market or expand their vertical market footprint can offer vulnerability assessment and patch management services to win business.

The latest entries in the CISA catalog of known exploited vulnerabilities mainly concern products from Microsoft (Windows, Office), Cisco and other big names. Of the newly added bugs, 38 are related to Cisco vulnerabilities, 27 to Microsoft, 16 to Adobe and seven to Oracle. Three of the vulnerabilities – CVE-2022-20699, CVE-2022-20700 and CVE-2022-20708 – are rated 10 out of 10 on the CVSS rating scale.

The deadline for federal agencies to apply fixes for most bugs is March 24, but for 27 of the most dangerous, the deadline is March 17.
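The catalog note above (sort by “Date added to catalog”), the per-vendor counts and the two remediation deadlines describe exactly the triage an MSSP does against the catalog. The following is an added example, not code from the article or from CISA: it takes catalog entries in the shape of CISA’s published KEV JSON feed (assumed field names: cveID, vendorProject, product, dateAdded, dueDate, requiredAction), lists the newest additions first, counts entries per vendor, and buckets each CVE as overdue, due soon or later relative to a given date. The records are constructed sample data, and the vendor/product values on them are illustrative only.

```python
"""KEV triage helper (added example; assumes CISA KEV JSON feed field names)."""
from collections import Counter
from datetime import date

# Constructed sample records in KEV-feed shape. The three CVE-2022-2070x IDs
# appear in the article; vendor/product fields here are illustrative, and the
# CVE-0000-* IDs are placeholders, not real catalog entries.
SAMPLE_KEV = [
    {"cveID": "CVE-2022-20699", "vendorProject": "Cisco", "product": "ILLUSTRATIVE-PRODUCT",
     "dateAdded": "2022-03-03", "dueDate": "2022-03-17",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2022-20700", "vendorProject": "Cisco", "product": "ILLUSTRATIVE-PRODUCT",
     "dateAdded": "2022-03-03", "dueDate": "2022-03-17",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2022-20708", "vendorProject": "Cisco", "product": "ILLUSTRATIVE-PRODUCT",
     "dateAdded": "2022-03-03", "dueDate": "2022-03-17",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0001", "vendorProject": "Microsoft", "product": "ILLUSTRATIVE-PRODUCT",
     "dateAdded": "2022-03-03", "dueDate": "2022-03-24",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0002", "vendorProject": "Adobe", "product": "ILLUSTRATIVE-PRODUCT",
     "dateAdded": "2022-02-25", "dueDate": "2022-03-24",
     "requiredAction": "Apply updates per vendor instructions."},
]


def newest_first(entries):
    """Return entries sorted by dateAdded, newest first (the catalog's
    'Date added to catalog' descending sort). ISO dates sort lexically, and
    sorted() is stable, so same-day entries keep their feed order."""
    return sorted(entries, key=lambda e: e["dateAdded"], reverse=True)


def added_since(entries, since: str):
    """Entries whose dateAdded is on or after the ISO date `since`."""
    cutoff = date.fromisoformat(since)
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) >= cutoff]


def count_by_vendor(entries) -> dict:
    """How many catalog entries belong to each vendorProject."""
    return dict(Counter(e["vendorProject"] for e in entries))


def days_remaining(entry, today: str) -> int:
    """Days until the entry's dueDate; negative means the deadline has passed."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today)).days


def triage(entries, today: str, horizon_days: int = 7) -> dict:
    """Bucket CVE IDs by remediation urgency as of `today`.

    overdue:  dueDate already passed
    due_soon: due within `horizon_days` (inclusive)
    later:    everything else
    Each bucket is ordered newest-added first.
    """
    buckets = {"overdue": [], "due_soon": [], "later": []}
    for e in newest_first(entries):
        remaining = days_remaining(e, today)
        if remaining < 0:
            buckets["overdue"].append(e["cveID"])
        elif remaining <= horizon_days:
            buckets["due_soon"].append(e["cveID"])
        else:
            buckets["later"].append(e["cveID"])
    return buckets


if __name__ == "__main__":
    as_of = "2022-03-20"
    print("Newest additions:", [e["cveID"] for e in newest_first(SAMPLE_KEV)])
    print("Per vendor:", count_by_vendor(SAMPLE_KEV))
    print(f"Triage as of {as_of}:", triage(SAMPLE_KEV, as_of))
```

In practice the feed is fetched from CISA and passed in place of SAMPLE_KEV; the only assumption the functions make is that each record carries ISO-formatted dateAdded and dueDate strings, which is what the feed publishes.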

Meanwhile, the National Security Agency (NSA) has released a new set of network infrastructure security guidelines and best practices for network administrators. “Guidance for securing networks continues to evolve as new vulnerabilities are exploited by adversaries, new security features are implemented, and new methods of securing devices are identified,” the report said. “The role of an administrator is critical in securing the network against adversarial techniques and requires dedicated people to secure devices, applications, and information on the network.”

The report provides advice on network infrastructure and design; security maintenance; authentication; passwords; remote logging and monitoring; remote administration; routing; interface ports; and notification banners. The report is intended to help administrators prevent an adversary from exploiting their network.

Ashley C. Reynolds