The Cybersecurity and Infrastructure Security Agency (CISA) recently published a report highlighting a range of critical security vulnerabilities requiring attention from organizations of all types. The report was published with input from the National Security Agency (NSA) and similar agencies worldwide. It should be considered essential reading.

Many of the vulnerabilities in the report are not new. Instead, the report underscores a new level of awareness regarding how severe they are. Another important point to note is that these are not theoretical; they’re routinely abused by bad actors.

This article will explore what this report means for organizations and why the vulnerabilities mentioned are so relevant. Plus, see how you can effectively prioritize them.

The CISA Report: What’s at Stake?

In a recent release, CISA Director Jen Easterly highlighted the report’s findings.

“These vulnerabilities pose an unacceptable risk to federal network security,” she said. “We also strongly urge every organization — large and small — to follow the federal government’s lead and take similar steps to safeguard their networks.”

According to CISA, the vulnerabilities themselves take the form of a server-side template injection. It can cause remote code execution, escalate privileges to ‘root’ and allow threat actors to obtain admin access without the need to authenticate.

As a result, businesses need to be aware of these issues. It’s critical to take the right steps to protect against them. Make sure your teams are aware of and prepared for these threats.

Best Practices for Addressing the Challenges

To understand the best way to handle the vulnerabilities in the report, it’s important to acknowledge the most common weaknesses businesses face today.

According to the NSA, these are:

  • Failing to enforce multi-factor authentication
  • Applying privileges or permissions poorly
  • Errors within access control lists
  • Failing to keep software up to date.

So, what can you do to mitigate these weaknesses and build more effective defenses against security vulnerabilities? NSA recommends starting with mitigations that control access, harden credentials and establish centralized log management.

This strategy requires close teamwork between multiple elements of your business.

Rallying Your Team Around Weak Points

As a general rule of thumb, make sure your teams are aware of weak points and the steps they must take to mitigate them.

Most of the time, it helps to hold regular meetings and training to ensure everyone is up to date. These can minimize or remove confusion. Encourage questions from all stakeholders, and distribute resources to help everyone stay educated and aware.

Building a Non-Alarmist Business Case for More Support

Building effective defense isn’t just a job for security teams. It’s an all-hands effort that never exists in a vacuum and impacts everyone to some degree. One of the key duties of security leaders is gaining support from decision-makers and stakeholders. Without them, you can’t obtain the resources and backing to do the best job possible.

As a result, you’ll need to build a compelling business case for more support.

Here’s how:

  • Clearly link security projects to business outcomes. Demonstrate how greater investment in security benefits the business from a financial perspective. Highlight how failing to put digital defense can be costly.

  • Don’t use overly technical language. Speak in plain English wherever possible, and be prepared to clarify or explain certain points if needed.

  • Use hard data as much as possible. Again, link back to relevant business metrics. Show how increased security support can impact things like return on investment in concrete terms.

  • Avoid being overly alarmist or negative. Instead of presenting security solely as a way to avoid disaster, frame it positively as a means to increase the value of the business and enable more productive work.

Use the Right Security Tools

The good news is that there are a wealth of tools to help combat the threats in the CISA report.

Companies can use tools to assess vulnerabilities and help choose which ones to patch first. This allows you to take a more structured and evidence-based approach, helping you focus your efforts and resources where they’re most needed for maximum effect.

Here are some of the tools you can use to stay on top of threats, prioritize well and defend against them before they happen:

  • Endpoint Detection and Response — gathers info across a wide range of endpoints to maintain insight into threats

  • SIEM — collects and analyzes events and works with other data sources to help detect threats and manage incidents

  • Network Detection and Response (NDR) — monitors entire networks and uses data analytics and machine learning to detect and deal with threats

  • SOAR — a suite of different tools, all aimed at learning more about threats and responding without the need for human control.

A Mix of Solutions

Using the right mix of tools and knowing how to use them with maximum efficiency is essential if you want to stay on top of vulnerabilities and keep your organization secure. The right tools allow you to prioritize threats so you can concentrate on the most serious sources of danger without spreading your resources too thin.

As a result, it’s essential to have a good command of all your different tools that empower you to easily identify threats and prioritize and respond quickly and accurately.

More from Government

How the US Government is Fighting Back Against Ransomware

As ransomware-related payments surged toward $600 million in the first half of 2021, the U.S. government knew it needed to do more to fight back against cyber criminals. For many years, the Treasury's Office of Foreign Assets Control (OFAC) had a Specially Designated Nationals and Blocked Persons List (SDN List for people or organizations acting against the national security, foreign policy and sanctions policy objectives of the United States). But since 2021, the U.S. Department of Justice (DOJ) has upped…

What CISOs Want to See From NIST’s Impending Zero Trust Guidelines

Cybersecurity at U.S. federal agencies has been running behind the times for years. It took an executive order by President Joe Biden to kickstart a fix across the agencies. The government initiative also serves as a wake-up call to enterprises lagging in getting zero trust up and running. Several organizations, including the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) responded to the president’s order with detailed…

The Cost of a Data Breach for Government Agencies

What happens when attackers breach local government, police departments or public health services? What would happen if attackers compromised the U.S. Treasury’s network? These types of incidents happen every month and lead to service interruptions at the very least. More serious problems could occur, such as leakage of classified data or damage to critical infrastructure. What about the cost of a data breach for government agencies? According to the most recent IBM Cost of a Data Breach report, each public…

How Cybersecurity Policy Has Changed Since the SolarWinds Attack

Major cyberattacks since 2019 jolted the U.S. government and software industry into action. The succeeding years have seen executive orders, new funding, two summits and a newfound resolve. Because of those attacks, the federal government aims to fix the open-source software security threat altogether. But what has really come of these efforts in the last few years? The Wake-Up Call President Joe Biden issued two executive orders last year on cybersecurity,  one called Improving the Nation’s Cybersecurity and the other…