There are currently 925 known exploited vulnerabilities in the Cybersecurity and Infrastructure Security Agency's (CISA) KEV catalog, making it an excellent resource for identifying potential threats. With 156 vendors included, it's important to stay vigilant and prioritize remediation of vulnerabilities that have been identified as exploited to keep systems secure. Microsoft is the leading vendor with over 258 vulnerabilities, underscoring the importance of staying on top of Patch Tuesday updates. However, it's also important to recognize that just because a vulnerability has been exploited doesn't mean it's currently being targeted. To determine which vulnerabilities should be prioritized for remediation, it's critical to gain additional context beyond the #KEV. This includes vulnerability enrichment through sources such as #EPSS and Mandiant (now part of Google Cloud), plus asset context, so you can make a risk-based decision on which vulnerabilities to fix first. At Nucleus Security, we understand the importance of assessing vulnerability risk at scale. That's why our platform automates the aggregation and correlation of asset and vulnerability data, making it easier for organizations to make informed decisions about their cybersecurity posture. #infosecurity #cybersecurity #security #microsoft #datasecurity
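The risk-based prioritization the post describes, KEV membership as a strong but not necessarily current signal, EPSS for likelihood, and asset context for exposure and impact, as an added Python example. This is not Nucleus code and not the post author's own; the KEV likelihood floor, the internal-exposure factor, the CVE identifiers, the EPSS values and the findings are all constructed assumptions for illustration.

```python
"""Risk-based prioritization of vulnerability findings from three inputs:
CISA KEV membership, EPSS probability and asset context.
Added example; the weights and sample data are assumptions, not Nucleus logic."""
import json
from dataclasses import dataclass

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json
# (a top-level "vulnerabilities" list whose entries carry "cveID"). The CVE
# identifiers here are placeholders for this example, not real catalog entries.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-0001", "vendorProject": "Microsoft", "product": "Windows"},
    {"cveID": "CVE-2023-0002", "vendorProject": "Apache", "product": "HTTP Server"},
]})

# Constructed EPSS scores. FIRST's EPSS API returns a 0..1 probability of
# exploitation in the next 30 days per CVE; these values are made up.
EPSS = {
    "CVE-2023-0001": 0.92,
    "CVE-2023-0002": 0.31,
    "CVE-2023-0003": 0.97,
    "CVE-2023-0004": 0.01,
}

# Assumption: a KEV listing floors the likelihood at this value. It outranks a
# model estimate, but stays below 1.0 because a KEV entry only says the CVE was
# exploited at some point, not that it is being targeted today.
KEV_LIKELIHOOD_FLOOR = 0.6
INTERNAL_EXPOSURE_FACTOR = 0.4  # assumption: internal-only assets are harder to reach


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float              # base score 0..10 from the scanner
    internet_exposed: bool   # asset context from inventory/CMDB
    criticality: int         # asset context: 1 (lab box) .. 5 (crown jewel)


def load_kev(raw_json: str) -> set[str]:
    """Extract the set of CVE IDs from a KEV feed document."""
    return {entry["cveID"] for entry in json.loads(raw_json)["vulnerabilities"]}


def risk_score(f: Finding, kev: set[str], epss: dict[str, float]) -> float:
    """Likelihood x exposure x impact, scaled to 0..100."""
    likelihood = epss.get(f.cve, 0.0)
    if f.cve in kev:
        likelihood = max(likelihood, KEV_LIKELIHOOD_FLOOR)
    exposure = 1.0 if f.internet_exposed else INTERNAL_EXPOSURE_FACTOR
    impact = (f.cvss / 10.0) * (f.criticality / 5.0)
    return round(100.0 * likelihood * exposure * impact, 1)


def explain(f: Finding, kev: set[str], epss: dict[str, float]) -> list[str]:
    """Human-readable reasons so an analyst can audit the ranking."""
    reasons = []
    if f.cve in kev:
        reasons.append("in CISA KEV")
    p = epss.get(f.cve)
    reasons.append(f"EPSS {p:.2f}" if p is not None else "no EPSS score")
    if f.cve in kev and (p is None or p < 0.1):
        reasons.append("KEV but low current likelihood")
    reasons.append("internet-exposed" if f.internet_exposed else "internal only")
    reasons.append(f"criticality {f.criticality}/5, CVSS {f.cvss}")
    return reasons


def prioritize(findings, kev, epss):
    """Return (score, finding, reasons) tuples sorted highest risk first."""
    ranked = [(risk_score(f, kev, epss), f, explain(f, kev, epss)) for f in findings]
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


# Constructed findings: a scanner export already joined with asset inventory.
FINDINGS = [
    Finding("CVE-2023-0001", "dc01", 9.8, False, 5),    # KEV, internal domain controller
    Finding("CVE-2023-0002", "web01", 8.8, True, 4),    # KEV, modest EPSS, exposed
    Finding("CVE-2023-0003", "web02", 9.8, True, 3),    # not in KEV, very high EPSS
    Finding("CVE-2023-0004", "lab-vm", 9.8, False, 1),  # critical CVSS, throwaway asset
]

if __name__ == "__main__":
    for score, f, why in prioritize(FINDINGS, load_kev(KEV_JSON), EPSS):
        print(f"{score:5.1f}  {f.cve}  {f.asset:7}  {'; '.join(why)}")
```

Run as-is it ranks the exposed, high-EPSS web server above the KEV-listed domain controller, and drops the CVSS 9.8 lab VM to the bottom, which is the point of combining the three signals rather than sorting by CVSS or KEV membership alone. To use live data, replace `KEV_JSON` with the contents of https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and populate `EPSS` from https://api.first.org/data/v1/epss; the weights are the part to tune to your own environment.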
For those who asked about the top MSFT vulnerabilities, here is the Top 10 list. https://www.linkedin.com/posts/patrickmgarrity_kev-windows-exploitation-activity-7061181814232551424-2ki0?utm_source=share&utm_medium=member_desktop
Check out a preview of an interactive version I'm building with vendors and products included: https://www.linkedin.com/posts/patrickmgarrity_cisa-kev-macos-activity-7061462094746972160-VnhD?utm_source=share&utm_medium=member_ios
What I miss is the number of products vs. the number of exploits per product. In my opinion a company having fewer products but many exploits should be rated with a higher risk than a company with many more products and an equal number of exploits. For example, Google vs. Apple: comparing the number of products Google/Alphabet owns, incl. their cloud portfolio, Apple with fewer products has a much higher risk indicator. Not only quantity counts here. Another example is Microsoft, which has a few hundred products and "only" 258 exploits. That means that if, e.g., Windows has 10 exploits, there are other services and products which have no exploits. Only my 2 cents.
There is a bit of undeniable irony to the fact that the most prevalent vendor on the KEV also has ~15 billion in cybersecurity revenue. On one hand it is obvious that the most pervasive vendors/software in the world will gain the most attention from malicious actors, but I do wonder where we draw the line with that. It is a very unique situation to be one of the largest cybersecurity vendors in the world and also one of the most vulnerable and exploited. As one article I saw said, Microsoft can't be both the fireman and the arsonist.
What about vulns per line of code? In all fairness, MS has more products than the others: Office, Windows, SQL Server, Azure Cloud, Xbox, .NET. Cisco makes routers and switches, and that's all they've done since '84. Adobe makes PDF readers and good design software, but for those two suites they have that many vulns? I'd like to know more about the count rules too: moderate vulns, difficult-to-exploit vulns, etc.? Oh, and survivor bias: are they evaluating less-popular Apache products like CloudStack with the same level of scrutiny? And I don't see AWS on there, which is a bit sus due to the sheer size and feature scope they have.
What's to identify the "unknown, never-before-seen" vulnerabilities?
As our CEO (Steve Guilford - AsterionDB) likes to point out, the REAL Achilles' heel preventing the achievement of real data security is, in fact, the Microsoft file system, where unstructured data is network accessible, even by a network administrator, as events of last month demonstrated. Solution: move unstructured data to the higher-level security of a DB, where structured data has been protected for decades and where access is far more structurally restricted. Comments?
This is simply painful as firms like Microsoft with a number of vulnerabilities in the wild are also enabling mass scale intrusion vectors with AI. Examining vulnerabilities and identifying exploitation processes is becoming automated in a way that these patch and remediation lists are going to be turned into victimization lists in almost real-time.
Our KEV enrichment dashboard is available here for free if you're interested in the data: https://nucleussec.com/cisa-kev/