OpenSSL3 Critical vulnerability: How to fix CVE-2022-3602 and CVE-2022-3786 | Read here  >>

The CyberRisk Summit is back: Join us on Dec 6. as we recap the cyber risk landscape in 2022 | Get free ticket >> 

Product update: Group and deduplicate vulnerabilities with “Vulnerability Clusters” for efficient cyber risk management | Read here  >>

CISA known exploited vulnerabilities - what do they mean for your organization?

Recently, CISA added 95 new vulnerabilities to its Known Exploited Vulnerabilities Catalog. That is far more than it usually adds in one batch, and organizations need the right processes in place to absorb an addition of that size. Here's what it means.

Rhett | March 10, 2022

Recently, CISA added 95 new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. The catalog, maintained under Binding Operational Directive 22-01, is a living list of CVEs with evidence of active exploitation that represent significant risk to the federal enterprise. Federal civilian agencies are required to remediate each entry by the due date CISA assigns to it, and the list is updated regularly.

While new vulnerabilities are added constantly, it is unusual for CISA to add more than a handful at a time, so nearly 100 in one batch is noteworthy. For context, the next-largest batch contained just 15 CVEs. Most of the vulnerabilities in this new list are recent, but the oldest in the batch (CVE-2002-0367) dates to 2002, and many of the others are more than five years old.

CISA publishes its own criteria for adding a vulnerability to the catalog: it must have an assigned CVE ID, there must be reliable evidence of active exploitation, and there must be a clear remediation action such as a vendor patch or mitigation. Under those criteria it usually adds only a few entries at a time. But given the conflict in Ukraine, these additions could be part of an effort to prevent potential cyber attacks targeting the federal agencies bound by CISA's directives, and the U.S. organizations CISA urges to follow the same list.

If you have prioritization processes in place, making sense of this list is more straightforward, and you can take swift action to mitigate the risk. Organizations that prioritize based on business-specific risk, and have well-established processes and automations to do so, can address these new vulnerabilities just as efficiently as any others, regardless of how many CVEs they are suddenly faced with. The work is the same whether the batch holds 15 entries or 95: cross-reference the catalog against your own asset inventory, discard the entries that do not apply to you, and rank what remains by the criticality of the affected assets and by CISA's due dates.

Knowing which of the new vulnerabilities in CISA's catalog could harm your business, and which pose little or no threat, makes the scary-sounding number of 95 much more palatable. These new additions only reinforce that prioritization based on business risk is integral to improving and maintaining security posture.
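The cross-referencing step described above, as an added example that is not Vulcan Cyber's code or part of the original post. It parses a feed in the shape of CISA's public KEV JSON (the field names cveID, vendorProject, product, dateAdded, dueDate and requiredAction are those of the real feed; the feed URL is given for reference but nothing is fetched), matches it against a scanner-style inventory, and ranks the matches with overdue entries first, then by asset criticality, then by due date. The KEV entries and the inventory are constructed sample data: CVE-2002-0367 is the identifier mentioned on this page, the other two CVE IDs are placeholders, and all dates, hostnames and descriptions are invented.

```python
"""Cross-reference a CISA KEV feed against an internal asset inventory.

Added example, not Vulcan Cyber's code. The feed below is CONSTRUCTED
sample data in the shape of the real KEV JSON feed; only the field names
are taken from the public schema.
"""
import json
from datetime import date

# Real feed location, for reference only; this example runs offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample feed. CVE-2000-0001 / CVE-2000-0002 are placeholders.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "catalogVersion": "sample",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2002-0367", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "sample entry", "dateAdded": "2022-03-03",
     "shortDescription": "constructed", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-03-24"},
    {"cveID": "CVE-2000-0001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "sample entry", "dateAdded": "2022-03-03",
     "shortDescription": "constructed", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-03-24"},
    {"cveID": "CVE-2000-0002", "vendorProject": "ExampleVendor", "product": "ExampleWeb",
     "vulnerabilityName": "sample entry", "dateAdded": "2021-11-03",
     "shortDescription": "constructed", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-03-07"}
  ]
}
"""

# Constructed inventory rows, as a vulnerability scanner export might look.
SAMPLE_INVENTORY = [
    {"asset": "dc01.corp.example", "criticality": "high", "cve": "CVE-2002-0367"},
    {"asset": "build-agent-7", "criticality": "low", "cve": "CVE-2002-0367"},
    {"asset": "web-01", "criticality": "high", "cve": "CVE-2000-0002"},
    {"asset": "web-01", "criticality": "high", "cve": "CVE-2015-9999"},  # not in KEV
]

CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


def load_kev(feed_text):
    """Parse a KEV feed and index its entries by CVE ID."""
    feed = json.loads(feed_text)
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def kev_added_since(kev, since_iso):
    """CVE IDs whose dateAdded is on or after the given ISO date (one 'batch')."""
    since = date.fromisoformat(since_iso)
    return sorted(c for c, v in kev.items() if date.fromisoformat(v["dateAdded"]) >= since)


def prioritize(kev, inventory, today_iso):
    """Inventory findings that appear in KEV, most urgent first.

    Order: past CISA's due date first, then higher asset criticality,
    then earlier due date, then asset name for a stable result.
    """
    today = date.fromisoformat(today_iso)
    hits = []
    for finding in inventory:
        entry = kev.get(finding["cve"])
        if entry is None:
            continue  # not known-exploited; leave it to the normal backlog
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "asset": finding["asset"],
            "cve": finding["cve"],
            "criticality": finding["criticality"],
            "due": due.isoformat(),
            "overdue": due < today,
            "required_action": entry["requiredAction"],
        })
    hits.sort(key=lambda h: (not h["overdue"], CRITICALITY_RANK[h["criticality"]],
                             h["due"], h["asset"]))
    return hits


def coverage(inventory, batch_cves):
    """How much of a KEV batch is actually present in our environment."""
    present = {f["cve"] for f in inventory}
    applicable = sorted(c for c in batch_cves if c in present)
    return {"in_batch": len(batch_cves), "applicable": len(applicable), "cves": applicable}


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    batch = kev_added_since(kev, "2022-03-03")
    print(coverage(SAMPLE_INVENTORY, batch))
    for hit in prioritize(kev, SAMPLE_INVENTORY, "2022-03-10"):
        print(hit)
```

With the sample data, only one of the two entries in the "new batch" is present in the inventory, and the first item in the prioritized list is an older catalog entry whose CISA due date has already passed, which is exactly the kind of finding a batch-size headline hides.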

Better prioritization takes work, and most organizations struggle with exactly this. But with tools like the Vulcan Cyber risk management platform, companies can use the data they already have to see clearly which of their assets are most exposed, and the recommendations, actions and collaboration needed to mitigate that risk. Book a demo today to get started.