Late last week, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued an alert that they’re adding 15 new vulnerabilities to their Known Exploited Vulnerabilities Catalog. On one hand, you can see this as 15 new ways that malicious actors are actively exploiting corporate networks to access data or disrupt operations. On the other hand, and as most security teams see it, it’s just a typical Thursday. Networks are under siege, and every day introduces another path to your data (or 15 of them).
For most organizations, the onslaught of vulnerabilities can be overwhelming. Enterprises can go line by line through the CISA list and compare it against their inventory of known IT assets, and the likelihood is that there will still be opportunities for malicious actors to access their network. Even the most comprehensive list of vulnerabilities can’t safeguard companies from exploits within the IT assets they’ve abandoned or forgotten about. The unfortunate reality is that creating a comprehensive, up-to-date asset inventory – something that is needed to serve as the foundation of an effective cybersecurity strategy – is a real challenge for most companies.
The simple fact is that most enterprises have IT asset inventories that do not reflect their entire attack surface, which in modern enterprises extends beyond the network to include cloud, personal devices, remote workers as well as all things on premise. Until organizations can start working from a comprehensive and accurate IT asset inventory, attackers will always be able to find a way in.