International: NCSC and international agencies publish advisory on top vulnerabilities exploited by cyberattackers in 2023
On November 12, 2024, the UK National Cyber Security Centre (NCSC) announced that, alongside agencies in Australia, Canada, New Zealand, and the US, it had published a joint cybersecurity advisory on the top 15 vulnerabilities that were routinely exploited by cyberattackers in 2023.
What is covered in the advisory?
The advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023 and their associated Common Weakness Enumerations (CWEs). Further, the advisory provides recommendations for vendors, designers, developers, and end-user organizations on how to reduce the risk of compromise by malicious cyber actors. According to the advisory, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against high-priority targets.
For vendors, designers, and developers, the advisory recommends that they:
- implement Secure by Design and Default principles and tactics to reduce the prevalence of vulnerabilities in their software;
- follow the SP 800-218 Secure Software Development Framework (SSDF) and implement Secure by Design practices into each stage of the software development lifecycle (SDLC);
- establish a coordinated vulnerability disclosure program that includes processes to determine the root causes of discovered vulnerabilities;
- prioritize Secure by Design configurations, such as eliminating default passwords and not requiring additional configuration changes to enhance product security; and
- ensure that published CVEs include the proper CWE field, identifying the root cause of the vulnerability.
The advisory recommends that end-user organizations should:
- apply patches promptly and, for CVEs identified in the advisory that have not yet been patched, check systems for signs of compromise before patching;
- implement a centralized patch management system;
- use security tools such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers; and
- ask their software providers to discuss their Secure by Design program, provide links to information about how they are working to remove classes of vulnerabilities, and set secure default settings.