Joint Cyber Security Advisory: Top 15 routinely exploited vulnerabilities of 2021
New Zealand’s National Cyber Security Centre (NCSC) has issued a cyber security advisory in conjunction with its international partners: the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).
The joint cyber security advisory details common vulnerabilities and exposures (CVEs) frequently exploited by malicious cyber actors, including the 15 most commonly exploited of 2021.
Malicious cyber actors continue to aggressively target disclosed critical software vulnerabilities against broad target sets in both the public and private sectors. While the top 15 vulnerabilities have previously been made public, this advisory is meant to help organisations prioritise their mitigation strategies.
The cybersecurity authorities recommend the following prioritised mitigation measures:
- Vulnerability and configuration management, including updating software, operating systems, applications, and firmware, with a prioritisation on patching known exploited vulnerabilities; implementing a centralised patch management system; and replacing end-of-life software.
- Identity and access management, including enforcing multi-factor authentication (MFA) for all users; if MFA is unavailable, requiring employees engaging in remote work to use strong passwords; and regularly reviewing, validating, or removing privileged accounts.
- Protective controls and architecture, including properly configuring and securing internet-facing network devices, disabling unused or unnecessary network ports and protocols, encrypting network traffic, and disabling unused network services and devices.