The National Cyber Security Centre (NCSC), in collaboration with agencies from the US, Australia, Canada, and New Zealand, released a joint advisory on the cyber vulnerabilities most exploited in 2022.
The report revealed that malicious cyber actors were more inclined to exploit older software vulnerabilities than recently disclosed ones.
Interestingly, over half of the vulnerabilities listed for 2022 were also part of the 2021 list, underscoring that attackers repeatedly targeted known flaws in internet-facing systems, even when security patches were available.
The advisory detailed that attackers often found the most success in exploiting vulnerabilities within two years of their public disclosure. They prioritised exploits that would achieve the maximum impact, which underscores the need for organisations to apply security updates without delay. The advisory also shared technical details on an additional 30 commonly exploited vulnerabilities and offered mitigation advice to reduce the associated risks.
UK’s NCSC Director of Resilience and Future Technology, Jonathon Ellison, stated, “Vulnerabilities are sadly part and parcel of our online world and we see threat actors continue to take advantage of these weaknesses to compromise systems. This joint advisory with our allies raises awareness of the most routinely exploited vulnerabilities in 2022 to help organisations identify where they might be at risk and take action.”
To reinforce cyber defences, Ellison encourages organisations to apply all available security updates promptly. Software vendors are likewise urged to place security at the forefront of their product designs, so that the burden does not fall on customers. All UK organisations can sign up for the NCSC’s Early Warning service to receive timely alerts about potential vulnerabilities in their networks.
Guidance for effective vulnerability management is available on the NCSC website, and software professionals are advised to adopt secure-by-design practices throughout the development process.
The comprehensive advisory was jointly issued by multiple global agencies, including the US’s CISA, NSA, FBI, Australia’s ACSC, Canada’s CCCS, New Zealand’s CERT NZ and NCSC-NZ. The full advisory is accessible on CISA’s website.