NIST has made some progress in reducing its backlog of security vulnerability reports in the National Vulnerability Database (NVD). Still, it missed its September 30 deadline to restore processing speeds to pre-February levels. As of September 21, over 17,000 CVEs remain unprocessed, impacting organizations’ visibility into new vulnerabilities. The backlog poses risks in the cybersecurity landscape, as organizations may not be aware of vulnerabilities that are actively being exploited. While NIST has hired external consultants to assist, the situation remains critical, affecting security processes and open-source projects reliant on NVD data.
In 2023, the Cybersecurity and Infrastructure Security Agency’s Vulnerability Disclosure Policy program saw over 7,000 security flaws submitted, a 132% increase from 2022. Valid disclosures and remediated flaws also rose significantly. Despite the associated management costs, the program has resulted in average remediation savings of nearly $4.45 million and improved vulnerability submission validation efficiency for participating agencies.
Cloud threats are the top concern for executives, with 42% identifying them as their biggest security worry, according to PwC’s cybersecurity report. The report highlights the leading threats as hack and leak operations, third-party breaches, attacks on connected products, and ransomware. Organizations feel least prepared to address these threats, particularly cloud attacks. The report also emphasizes the dual role of AI in cybersecurity, increasing vulnerability while aiding in threat detection.
Microsoft informed customers of a software bug that led to inconsistent log data collection for key security products, including Microsoft Sentinel and Entra, between September 2 and September 19, 2024. Although there is no evidence of cyberattacks related to this incident, the failure to record logs could hinder the detection of unauthorized access. Microsoft emphasizes security as a top priority, with plans to evaluate employee performance based on security measures.
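The practical follow-up to a notice like this is to verify your own coverage: for each log table that feeds detections, find stretches in the incident window where nothing was ingested at all, and treat those as blind spots rather than as "quiet" periods. The following is an added example, not Microsoft's code and not part of the original item; it assumes you have exported (table name, ingestion timestamp) pairs from your SIEM and runs entirely on a constructed sample, so the timestamps below are illustrative, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of ingestion timestamps (ISO 8601, UTC) per log table.
# Not real data: built so that SigninLogs has a nine-hour hole and
# SecurityEvent simply stops arriving.
SAMPLE_EVENTS = [
    ("SigninLogs", "2024-09-01T23:00:00"),
    ("SigninLogs", "2024-09-01T23:30:00"),
    ("SigninLogs", "2024-09-02T00:00:00"),
    ("SigninLogs", "2024-09-02T09:00:00"),   # nothing between 00:00 and 09:00
    ("SigninLogs", "2024-09-02T09:30:00"),
    ("SecurityEvent", "2024-09-01T23:00:00"),
    ("SecurityEvent", "2024-09-01T23:30:00"),
    ("SecurityEvent", "2024-09-02T00:00:00"),
    ("SecurityEvent", "2024-09-02T00:30:00"),  # last event ever seen
]


def find_ingestion_gaps(events, max_gap=timedelta(hours=1), observed_until=None):
    """Return a list of (table, gap_start, gap_end, duration) tuples.

    A gap is any stretch longer than max_gap between consecutive ingestion
    timestamps for the same table.  If observed_until is given, a table whose
    last event is more than max_gap before that instant is reported as a
    trailing gap too, which is how a table that stopped entirely shows up.
    """
    by_table = defaultdict(list)
    for table, ts in events:
        by_table[table].append(datetime.fromisoformat(ts))

    gaps = []
    for table, stamps in sorted(by_table.items()):
        stamps.sort()
        # Gaps between consecutive events.
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_gap:
                gaps.append((table, prev, cur, cur - prev))
        # Trailing silence up to the end of the observation window.
        if observed_until is not None and observed_until - stamps[-1] > max_gap:
            gaps.append((table, stamps[-1], observed_until, observed_until - stamps[-1]))
    return gaps


def gap_report(gaps):
    """Render gaps as one human-readable line each (returned, not printed)."""
    return [
        f"{table}: no ingestion from {start.isoformat()} to {end.isoformat()} "
        f"({duration})"
        for table, start, end, duration in gaps
    ]


if __name__ == "__main__":
    window_end = datetime.fromisoformat("2024-09-02T10:00:00")
    for line in gap_report(find_ingestion_gaps(SAMPLE_EVENTS, observed_until=window_end)):
        print(line)
```

The one-hour threshold is an assumption; set it per table from that table's normal cadence, because a table that usually ingests every few seconds deserves a far tighter bound than a daily batch feed. Any gap that falls inside a vendor-acknowledged window should be recorded in the incident log as a period of reduced visibility, and the detections that depend on that table should be re-run against whatever the vendor backfills.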
Why do we care?
Risk management is the key to effective cybersecurity. Pressure your vendors to participate in disclosure programs and to sign CISA's Secure by Design pledge. Favor funding NIST so it can keep delivering vulnerability intelligence. And focus your own efforts on executing the basics well, starting with incident response planning.