CISA sees a 201% increase in enrolment for its Cyber Hygiene (CyHy) service
In a report released Friday, CISA said it saw a 201% increase in its Cyber Hygiene (CyHy) service enrollment from critical infrastructure organizations between Aug. 1, 2022, and Aug. 31, 2024.
Of the 7,791 critical infrastructure organizations that enrolled in the agency’s vulnerability scanning service during that period, the following industries led the surge:
- Communications – 300%
- Emergency services – 268%
- Critical manufacturing – 243%
- Water and wastewater systems – 242%
CISA cited a steady decrease in the number of monitored exploitable services from 12 services per CyHy enrollee in August 2022 to roughly 8 apiece. The number of KEV tickets also declined, with critical-severity KEVs falling 50% and high-severity KEVs dropping by 25%.
Remediation times for SSL vulnerabilities fell as well, with tickets resolved in less than 50 days, down from about 200 days as of August 2022.
CISA’s report also highlighted the high exposure rate of operational technology protocols to the public internet:
- 63% – Government services and facilities
- 10% – IT
- 10% – Energy
- 5% – Healthcare
Lawrence Pingree, VP at Dispersive.io, had this to say:
“I think it’s admirable that CISA offers a free scanning service. It’s no surprise that enterprises leverage the free service to check for vulnerabilities, given you get a report regularly from the government for free (no cost). Seeking to find any vulnerabilities in your external attack surface is certainly one of the first priorities that enterprises should have. Keep in mind, it doesn’t necessarily represent the only way that attackers can breach an environment, and there’s no guarantee that a zero day isn’t used instead. Attackers just rotate to whatever they need to in order to accomplish their goals. So, if the external surface is too much of a challenge, they rotate to third parties, or malware+phishing, or even social engineering. The importance of my past research work in preemptive cyber defense (PCD) and automated moving target defense (AMTD) at Gartner was to point to the need to move to preemptive models instead of the whack-a-mole we play with vulnerabilities and patching.”
I am pretty impressed by this as it shows that organizations may actually be taking cybersecurity seriously. That is a good thing as we’ve seen what happens when cyber criminals are allowed to run wild.
Emily Phelps, Director at Cyware, follows with this:
“CISA’s Cyber Hygiene service growth reflects the critical sectors’ increasing focus on cybersecurity, but the report also highlights persisting risks, like high exposure of operational technology protocols. Improved remediation times are encouraging, but organizations must go beyond addressing vulnerabilities to build resilience against evolving threats. Protecting critical infrastructure demands real-time threat detection, intel and defensive strategy sharing, coordinated responses, and robust strategies to secure essential services.”
This entry was posted on January 13, 2025 at 11:56 am and is filed under Commentary with tags CISA.