
What time is it when criminals are exploiting the same flaw as in your organization’s unpatched equipment?
A vulnerability had a rare maximum severity score, but went unpatched
What can we learn from this telecom breach?
Chinese-state-backed hackers spent months inside America’s largest telecom networks, reading private messages from government officials and accessing law enforcement wiretap requests. The Salt Typhoon attacks compromised AT&T, Verizon, Charter and others by exploiting unpatched Cisco router vulnerabilities – vulnerabilities that were discovered and had patches released by the manufacturer up to seven years ago. What's more, one of those vulnerabilities had a rare National Institute of Standards and Technology (NIST) severity score of ten – the very highest priority according to NIST’s calculus of what should be addressed. [1]
As for bottom-line relevance, there is a documented connection between the attack methods used at the highest levels and the cybercrime operations that go after businesses of all sizes; the heavy-hitters clear the paths that others imitate. But these breaches also reveal patterns that can teach us how to improve our defenses.
That’s a lot
2024 saw a spike in new security vulnerabilities: over 22,000 potential problems were published. Assessing one takes about 15 minutes, meaning you’d need about two and a half years of full-time work to assess one year’s discoveries. If that sounds impractical, it is.
Why patches don’t get deployed
There is a lot of pressure on IT teams not to break anything – downtime is costly. So people avoid patching because they fear breaking systems that are working. How would you choose between “this vulnerability might be exploited” and “this patch might take operations off-line”? The choice that feels safer in the moment tends to win.
But the problem is that working systems with known vulnerabilities are the targets. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a ninety-page list of the most severe vulnerabilities. If NIST ranks the vulnerability as “critical” (as in this case), there should be a plan to get it fixed.
Not perfect security, but security strategy
Security is a big question. There’s no being perfectly safe in this world. When assessing an organization’s risk, the answers come from what’s most likely to happen and an organization’s security budget. Among the potential risks are electrical issues that would take out your servers, employee error, leaving passwords on a non-secured piece of paper and, of course, unpatched computers.
An outsourced IT provider like Bryley can help you identify and prioritize the biggest threats to your organization. Outsourced IT can be a useful tool in getting a new perspective on your IT situation. It doesn’t hurt to have a fresh set of trained eyes.
An MSP (Managed Service Provider, like Bryley) can also help:
- solve the what-to-patch dilemma by making patch management a dedicated focus, rather than one of many competing day-to-day priorities
- work in testing environments
- bring expertise in assessing patch stability before deployment
These reduce the “will this break everything?” concern while seeing that critical vulnerabilities get minimized.
To speak to Bryley’s Roy Pacitto about a business-continuity (aka low downtime) approach to addressing vulnerabilities for your organization, please complete the form below or schedule a 15-minute, no-obligation call. Or you can email Roy at RPacitto@Bryley.com or reach him by phone at 978.562.6077 x217.
[1] Steve Gibson’s Security Now podcast
©2025 Bryley Systems Inc, 200 Union St, Clinton, MA • 978•562•6077 • itexperts@bryley.com