Security Vulnerabilities in 2024: A Wishlist for Improvement

Another year, another security vulnerability. 

For many of us who have been working as practitioners in the world of cyber risk and security over the course of the past 25 years, it is interesting to reflect on the various eras, trends and themes that have come and gone. 

For example, who remembers Y2K? The new millennium was viewed as a critical risk to technology, systems and business disruption for global organizations, and now it’s an afterthought. At the time, while working on the Y2K compliance project for a global entertainment and media company in 1999, I tested hundreds of printers to make sure they would still work after midnight on 12/31/99. 

Addressing the realities of cyber security in the present day, one common risk theme has been consistent, menacing and pervasive, and in many ways, it’s gotten worse: The prevalence of technical security vulnerabilities in software and devices released and distributed into the supply chain by manufacturers and vendors. 

Whether its enterprise software platforms, firmware for operational technology devices or applications, the frequency and volume with which critical security vulnerabilities are introduced has presented a challenge for enterprises across industry sectors for a very long time.

Unfortunately, all indications are that for 2024, this theme will continue. 

Security Vulnerabilities Leave Organizations Open to Organization-wide Cyber Attacks
A recent example relates to a commercial network-connected tool produced by Bosch Rexroth, which is used in manufacturing and industrial environments. Independent security researcher Nozomi Networks discovered and reported 23 vulnerabilities to Bosch Rexroth and the manufacturer has since taken action in releasing a security advisory to customers and promised a firmware update to address these issues soon. This example includes specific vulnerabilities related to remote code execution and exploitation of hard-coded credentials, among others. These aggregated soft spots render devices inherently vulnerable to cyber attacks and incidents. The devices could be targeted as part of a broader organizational cyber attack, causing significant disrupt in business processes.

In the interim while waiting for the security patches, it is the responsibility of organizations to manage the risk of exploitation of these vulnerabilities in their own environments. Compensating controls such as restricted access to networks, isolation, segmentation and monitoring can help reduce the risk. 

Security Vulnerabilities Wishlist for Improvement
Three key items at the top of the wish list for software vendors and hardware manufacturers for 2024. 

• Step-up proactive vulnerability management testing, analysis and controls. There is no excuse for missing gross security vulnerabilities and allowing them to be released into the supply chain.   
• Enhance broader product development and Software Development Life Cycle (SDLC) tollgates and processes. Similar to vulnerability management, this effort should greatly reduce the volume and severity of security vulnerabilities.
• Embrace relationships with external cyber security researchers. Leverage these talented resources to help identify critical vulnerabilities that may exist in previously released products.

The path to improvement is well defined. These initiatives require effort and focus; however, security and risk practitioners have the knowledge and resources to accomplish them and end security vulnerabilities in the supply chain.

How Can Alliant Help?
Alliant Cyber is ready to engage with your organization today, to assist you in identifying and realizing your cyber risk management objectives. Our multi-disciplinary team accomplishes this through our accelerated model of engagement, prioritization and targeted results. Reach out today to begin your journey toward optimized insurability outcomes, enabled by Alliant Cyber.