Do you really need to fix that critical flaw?
Many CVEs represent no risk in a cloud container environment, researchers claim


Organizations needn't rush to patch 'critical' security flaws listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, according to a report from Ox Security.
After examining more than 200 separate environments, the firm concluded that a 'patch everything' approach may be wasting valuable security resources, because in a cloud container environment many of these flaws present no real-world exploitation risk at all.
Established in 2021, CISA's KEV catalog has become an important resource for defenders - but shouldn't be treated as a hard-and-fast to-do list, said Ox Security.
"While KEV is an excellent tool for focusing attention, it encompasses attacks across diverse platforms - from personal phones and webcams to cloud containers - without differentiating their contextual relevance," the researchers said.
"Treating all KEV vulnerabilities with equal urgency, as is sometimes demanded by compliance regulations, and regardless of environmental context, creates unnecessary workload for already overwhelmed security teams and diverts resources from genuinely critical issues."
Of 10 recent CVEs the firm examined, six were originally reported on Android and require Android-specific environments to reproduce, physical access for USB connections, or terminal access.
While two do apply to most operating systems built on the Linux kernel, successfully exploiting them would mean chaining them with additional vulnerabilities.
Another CVE was initially reported in Apple's Safari browser, where cookie-management logic was flawed - an issue that doesn't apply to cloud containerized environments.
Similarly, three were initially reported in libraries used by the Google Chrome browser - irrelevant for cloud containers, as most don't use these libraries for content processing and rendering.
The firm advises organizations to take a pragmatic approach, evaluating the context before rushing to patch a vulnerability.
Before treating a KEV alert as critical, security teams should look at the original context in which the CVE was reported and check it against their own environment, it recommended.
They should search for proofs-of-concept and examples of the vulnerability having been exploited - if there aren't any, the chances are low that an attacker would develop the exploit themselves.
Additionally, researchers said they should assess whether the vulnerability could allow access to sensitive information, in which case it should be prioritized.
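A small triage filter that applies the three checks described above (original platform and access model, product actually deployed, exploit evidence and data exposure) to a Linux container estate, as an added example that is not code from the Ox Security report or this article; the KEV record keys are assumed from the public feed and every entry, context value and environment profile is constructed:

```python
"""Contextual KEV triage for a Linux cloud-container estate (added example,
not from the report or article). Assumed: KEV keys cveID, product and
knownRansomwareCampaignUse as in the public feed; all data is constructed."""
from dataclasses import dataclass

# Constructed estate profile: platform plus the software actually deployed.
ENV = {"platforms": {"linux"}, "software": {"linux kernel", "openssl"}}

@dataclass
class Context:
    """Facts gathered per CVE before accepting the KEV 'critical' label."""
    platforms: set                 # where the flaw was originally reported
    needs_local_access: bool       # USB, physical or terminal access required
    public_poc: bool               # PoC or exploitation evidence found
    exposes_sensitive_data: bool   # could leak secrets or customer data

def triage(entry: dict, ctx: Context, env: dict = ENV) -> tuple:
    """Return (priority, reason); priority is 'critical', 'review' or 'defer'."""
    # Step 1: original platform and access model against our environment.
    if not ctx.platforms & env["platforms"]:
        return "defer", f"reported only on {sorted(ctx.platforms)}"
    if ctx.needs_local_access:
        return "defer", "needs physical or terminal access"
    # Step 2: is the affected product deployed at all?
    product = entry["product"].lower()
    if not any(s in product or product in s for s in env["software"]):
        return "defer", f"{entry['product']} not deployed"
    # Step 3: data exposure or exploitation evidence decides urgency.
    if ctx.exposes_sensitive_data:
        return "critical", "could expose sensitive data"
    if ctx.public_poc or entry.get("knownRansomwareCampaignUse") == "Known":
        return "critical", "exploitation evidence and product deployed"
    return "review", "no public PoC; re-check periodically"

# Constructed KEV-style entries with placeholder CVE IDs.
SAMPLE = [
    ({"cveID": "CVE-0000-0001", "product": "Android Kernel"},
     Context({"android"}, True, True, False)),
    ({"cveID": "CVE-0000-0002", "product": "Kernel"},
     Context({"linux", "android"}, False, False, False)),
    ({"cveID": "CVE-0000-0003", "product": "Safari"},
     Context({"macos", "ios"}, False, True, True)),
    ({"cveID": "CVE-0000-0004", "product": "OpenSSL",
      "knownRansomwareCampaignUse": "Known"},
     Context({"linux", "windows"}, False, True, False)),
]

def triage_all(samples=SAMPLE) -> dict:
    """Map each CVE ID to its (priority, reason)."""
    return {e["cveID"]: triage(e, c) for e, c in samples}
```

The "defer" outcome is a decision to track rather than ignore: the context inputs are facts that change, so a deferred entry should be re-evaluated when a PoC appears or the estate changes.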
"This additional contextual information would enable security teams to implement a more precise and efficient workflow when handling critical vulnerabilities in their environments, reducing alert fatigue and focusing resources where they matter most," said the firm.
The report also calls for a bit more help from CISA and vulnerability monitoring organizations, which should, it said, include contextual information to help security teams quickly assess the relevance of each vulnerability to their specific environments.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.