CISA’s Vulnerability Catalog is a step in the right direction (I hope)

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued Binding Operational Directive 22-01. While the directive itself is aimed at patch management at federal agencies, the vulnerability catalog it references is published for everyone to use. What makes this catalog unique is that it is limited to vulnerabilities that are known AND exploited, as opposed to the far larger set of all known vulnerabilities. In other words, if you are going to patch anything, patch these first, because these vulnerabilities are under active attack.

While this is an idea that I applaud (fight the fires you can see in front of you as opposed to the potential fires to come), I have to wonder if this will make a significant dent in the problem of vulnerability management. Why? Because companies are not patching their systems effectively as it is. And the reason for that often starts with a lack of asset awareness. You can’t protect what you don’t know you have.

Large companies that already use scanning tools know that they have tens, if not hundreds, of thousands of unpatched vulnerabilities in their environments. Even when they use CVSS severity alone to limit their efforts to critical issues, in my experience it is still not unusual for those vulnerabilities to remain unpatched for months, if not years.

Perhaps, if and when scanning vendors update their tools to use the CISA catalog, so that just the worst of the worst is highlighted in the scan results, that will light a fire under IT management to not only patch their systems but to do so in a timely manner. It also sounds like a good metric for the board or CEO to ask of their IT and security teams: how many vulnerabilities from the CISA catalog do we have in our environment, and what is the average time to patch them? (Hint, hint!)
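The metric above is easy to compute even before scanning vendors build it in, because the catalog is a plain JSON feed that can be joined against a scanner export on the CVE ID. The following is an added example, not code from the post or from CISA: it embeds a constructed excerpt shaped like the catalog feed (the real feed is published on cisa.gov), joins it with a constructed list of scanner findings, and reports the open KEV count, how many are past the catalog's due date, and the mean days from first detection to remediation. The CVE identifiers, asset names, and dates are placeholders, and the findings schema (asset, cve, first_seen, remediated) is assumed rather than taken from any particular scanner.

```python
"""Join scanner findings against the CISA Known Exploited Vulnerabilities catalog.

Added example, not part of the original post. The catalog excerpt below mirrors
the field names of the public feed (cveID, dateAdded, dueDate); the CVE IDs,
assets and dates are constructed placeholders, not real data.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed. IDs are placeholders.
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dateAdded": "2021-11-03",
         "dueDate": "2021-11-17"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "OtherProduct", "dateAdded": "2021-11-03",
         "dueDate": "2022-05-03"},
    ],
})

# Constructed scanner export: one row per (asset, CVE). The schema is assumed.
# "remediated" is None while the finding is still open.
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-0001",
     "first_seen": "2021-11-05", "remediated": "2021-11-15"},
    {"asset": "web-02", "cve": "CVE-0000-0001",
     "first_seen": "2021-11-05", "remediated": None},
    {"asset": "db-01", "cve": "CVE-0000-0002",
     "first_seen": "2021-11-20", "remediated": "2021-12-20"},
    {"asset": "db-01", "cve": "CVE-0000-0099",      # not in the catalog
     "first_seen": "2021-10-01", "remediated": None},
]


def load_kev(json_text):
    """Parse the catalog feed and return {cveID: dueDate}."""
    doc = json.loads(json_text)
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in doc["vulnerabilities"]}


def kev_findings(findings, kev):
    """Keep only the findings whose CVE appears in the catalog."""
    return [f for f in findings if f["cve"] in kev]


def kev_metrics(findings, kev, today_iso):
    """Board-level numbers for the catalog-matched findings only:
    total, still open, open and past the catalog due date, and the mean
    number of days from first_seen to remediation for the closed ones."""
    today = date.fromisoformat(today_iso)
    hits = kev_findings(findings, kev)
    open_hits = [f for f in hits if f["remediated"] is None]
    overdue = [f for f in open_hits if today > kev[f["cve"]]]
    closed = [f for f in hits if f["remediated"] is not None]
    durations = [
        (date.fromisoformat(f["remediated"]) - date.fromisoformat(f["first_seen"])).days
        for f in closed
    ]
    mean_days = sum(durations) / len(durations) if durations else None
    return {
        "kev_total": len(hits),
        "kev_open": len(open_hits),
        "kev_overdue": len(overdue),
        "mean_days_to_patch": mean_days,
    }


if __name__ == "__main__":
    catalog = load_kev(KEV_JSON)
    print(kev_metrics(FINDINGS, catalog, "2021-12-31"))
```

Two design points worth noting: the join is on the CVE ID only, so a scanner that reports a finding without a CVE (a missing patch by KB number, say) will never match and should be normalized first; and the mean is computed only over remediated findings, so it should always be read alongside the open and overdue counts, since a team that never closes anything has no mean at all.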

Keeping my fingers crossed….
