The NSA ❤️ Risk-Based Vulnerability Management
Growing up I loved the Spy vs. Spy comic in MAD Magazine where one spy always tried to get an advantage over the other. One tactic neither spy used, though, was publishing a list of the attacks the other spy was likely to try, which is why I was both bemused and amused when the NSA published an in-depth list of vulnerabilities that Chinese state hackers (PDF) are using.
Right away, JCran, Kenna’s Head of Research, and I spent a few hours digging through the vulnerabilities listed in the PDF looking for what super l33t haxor zero days the Chinese MSS were using. It quickly became apparent that we were not going to get that information from this release. Instead, the NSA’s list of vulnerabilities goes to the heart of what Kenna talks about when we talk about implementing a risk-based vulnerability management (RBVM) program.
With rare exceptions, every vulnerability on this list has the following four characteristics:
A public exploit is available. Most skilled hackers can fire up their favorite dark web browser and find working exploit code for the vulnerability freely on the internet.
The exploit allows remote code execution. These hackers aren’t interested in destructive or denial of service attacks. They are looking to gain control or run their own code on these devices—to take over the equipment.
The attack is internet based. This simply means that the target is freely available on the internet and can be attacked by anyone at any time from around the world.
There is a patch available. This is probably the most important point: the vulnerabilities that are being exploited have already had a public patch available from the software vendor.
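As an added illustration (not code from the original post or from Kenna's product), the script below triages a constructed scanner inventory by the four traits just listed instead of by CVSS alone; the record fields, vulnerability ids and host names are assumptions for the example, and an unknown exploit status is deliberately counted as "exploit available" so that missing threat intel never demotes a finding.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vuln:
    """One finding from a scanner export (field names are assumptions)."""
    vuln_id: str                    # placeholder id, not a real CVE
    asset: str
    cvss: float
    internet_facing: bool
    rce: bool
    patch_available: bool
    public_exploit: Optional[bool]  # None = exploit status unknown


# Constructed sample inventory; ids, hosts and scores are made up.
INVENTORY = [
    Vuln("VULN-0001", "vpn-gw-01",   7.5, True,  True,  True,  True),
    Vuln("VULN-0002", "db-int-03",   9.8, False, True,  True,  False),
    Vuln("VULN-0003", "web-edge-02", 8.1, True,  True,  False, True),
    Vuln("VULN-0004", "mail-01",     6.5, True,  False, True,  True),
    Vuln("VULN-0005", "hr-app-07",   5.3, True,  True,  True,  None),
]


def exploit_assumed(v: Vuln) -> bool:
    """Unknown exploit status is treated as 'available' (conservative)."""
    return True if v.public_exploit is None else v.public_exploit


def criteria_met(v: Vuln) -> int:
    """Count how many of the four traits from the NSA list a finding has."""
    return sum([exploit_assumed(v), v.rce, v.internet_facing, v.patch_available])


def bucket(v: Vuln) -> str:
    """Exploitable RCE on an internet-facing asset is urgent whether or not a
    fix exists; without a patch it needs a compensating control instead."""
    if exploit_assumed(v) and v.rce and v.internet_facing:
        return "patch_now" if v.patch_available else "mitigate"
    return "schedule"


def triage(inventory: List[Vuln]) -> Dict[str, List[str]]:
    """Group findings into action buckets, ordered by traits met, then CVSS."""
    ranked = sorted(inventory, key=lambda v: (criteria_met(v), v.cvss), reverse=True)
    out: Dict[str, List[str]] = {"patch_now": [], "mitigate": [], "schedule": []}
    for v in ranked:
        out[bucket(v)].append(v.vuln_id)
    return out
```

Note that the CVSS 9.8 finding on the internal database lands in the lowest bucket, while a 5.3 on an exposed host with RCE goes to the top; that reordering is the whole point of risk-based prioritization.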
While this was just a quick 10,000-foot view of these vulnerabilities, a great place to learn more about RBVM is the Prioritization to Prediction research report series that we publish with Cyentia Institute, or the open source EPSS framework that we contribute to.
And if you’re curious about your own Spy vs. Spy list of the Top 25 most likely vulnerabilities to be exploited on your own network, request a custom demo of Kenna’s modern vulnerability management solutions. You’ll get your own report in less than an hour. (Of course, whether you publish them publicly is up to you, though we don’t recommend it.)