CISA performance goals program trims exploited CVEs

Dive Brief:

  • The Cybersecurity and Infrastructure Security Agency said Tuesday that it is making progress toward reducing security risk since the October 2022 release of its cybersecurity performance goals program.
  • Since the release of the CPG program, organizations enrolled in the agency’s vulnerability scanning service have reduced their average number of known exploited vulnerabilities by about 20%. 
  • Organizations also saw more incremental changes in reducing the number of exploitable services facing the public internet, with a 1% decline, CISA said. The agency found slight reductions in the use of remote desktop protocol and remote procedure call, which are commonly used vectors for initial access, ransomware distribution and data theft.

Dive Insight:

CISA launched the CPG program as a voluntary roadmap to help small- and medium-sized organizations improve their security postures through achievable improvements. 

The security improvements were measured across 3,500 organizations enrolled in CISA’s vulnerability scanning service prior to April 1, 2022. By June of this year, CISA said the number of enrolled organizations surged almost 70%, with more than 5,900 organizations enrolled.

The Known Exploited Vulnerabilities Catalog is a list of security vulnerabilities that are actively being used for attacks in the wild. CISA measured the average number of KEVs present per entity’s environment.

In April 2022, not long after the launch of CISA’s Shields Up campaign, there were about 0.58 KEVs per entity, with the number moving irregularly until October 2022, when it reached 0.49 KEVs per entity.

Since last November, there has been a steady reduction in known vulnerabilities, with 0.30 per entity by June, according to CISA data. 

“The early indicators of CISA reports are encouraging,” said Brian Fox, co-founder and CTO of Sonatype. However, he cautioned there was some selection bias due to the organizations being enrolled in the scanning service.

“From my perspective, the larger problem has always been that the majority of the market is not paying enough attention to this problem,” Fox said.

He noted that 30% of Log4j downloads are still of the vulnerable versions two years after the initial disclosures.