4 Lessons Security Leaders Can Learn

/in


Ivanti has had a rough start to the year. In January and February, the IT software company disclosed a series of VPN vulnerabilities impacting the Ivanti Connect Secure and Ivanti Policy Secure gateways. In February, the Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors were actively exploiting these vulnerabilities.  

As exploitation continued, CISA became one of the impacted organizations. The federal agency took down two of its systems affected by exploitation of the Ivanti vulnerabilities, The Record reported.  

“About a month ago CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses. The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” a CISA spokesperson shared in an emailed statement.  

What lessons can CIOs, CISOs, and other enterprise security leaders learn from these vulnerabilities, Ivanti’s response, and the exploitation of the bugs?  

Understand the VPN Vulnerabilities 

“From Jan. 10 to Feb. 8, there were five vulnerabilities disclosed; the nature of these vulnerabilities allows an unauthenticated actor to execute arbitrary commands with elevated privileges,” Nick Hyatt, director of threat intelligence at managed detection and response (MDR) company Blackpoint Cyber, tells InformationWeek in an email interview.  

Related:How to Evaluate a CISO Job Offer

The five vulnerabilities that impacted the Ivanti Connect Secure and Ivanti Policy Secure gateways are CVE-2023-46805 (CVSS 8.2), CVE-2024-21887 (CVSS 9.1), CVE-2024-21888 (CVSS 8.8), CVE-2024-21893 (CVSS 8.2), and CVE-2024-22024 (CVSS 8.3).  

This crop of VPN flaws in Ivanti’s products has led to criticism of the company’s cyber incident response. The company will likely need to work to regain customer trust following the exploitation of these bugs. In the meantime, enterprise leaders may be considering their choice of VPN solution.  

“There are other solutions out there that do this exact same thing that haven’t appeared on CISA KEV [Known Exploited Vulnerabilities Catalog] as much,” says…

Source…