
October 6, 2023

Top misconfigurations of 2022 revealed by the NSA and CISA


The U.S. National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have released the following list of the ten most common misconfigurations observed by the agencies’ red and blue teams during 2022.

  • Default configurations of software and applications
  • Improper separation of user/administrator privilege
  • Insufficient internal network monitoring
  • Lack of network segmentation
  • Poor patch management
  • Bypass of system access controls
  • Weak or misconfigured multifactor authentication (MFA) methods
  • Insufficient access control lists (ACLs) on network shares and services
  • Poor credential hygiene
  • Unrestricted code execution

The agencies noted that these misconfigurations pose a significant cybersecurity risk as they are actively exploited by threat actors yet are mostly preventable.

Eric Goldstein, CISA’s Executive Assistant Director for Cybersecurity, called on software developers to implement secure-by-design principles and stop using default passwords so that applications are inherently secure right out of the box. Goldstein also advised network defenders to make MFA mandatory rather than optional, despite its effect on convenience.

Additionally, the agencies strongly recommend that organizations deactivate unused systems, maintain a high patching cadence, and closely monitor administrative accounts, amongst other controls.

Source: Bleeping Computer

Analysis

The report produced by the NSA and CISA is an excellent reminder that threat actors don’t always need a sophisticated exploit or custom malware to access a targeted system when a simple misconfiguration serves the same purpose.

The fact that this list exists shows that there are many relatively straightforward ways for organizations to improve their cybersecurity, making it more challenging for threat actors to compromise their infrastructure.

For instance, if every organization consistently patched vulnerable systems and decommissioned end-of-life ones, attackers would have a much harder time achieving their goals. They would have to fall back on costlier and slower methods, such as developing zero-day exploits or mounting software supply chain operations, capabilities that less sophisticated actors are unlikely to have.

Mitigation

To avoid misconfigurations, Field Effect echoes CISA’s advice in recommending organizations adopt the following controls:

  • Eliminate default credentials and harden configurations
  • Deactivate unused services and implement stringent access controls
  • Ensure regular updates and automate the patching process, prioritizing vulnerabilities that are known to have been exploited
  • Reduce, restrict, audit, and closely monitor administrative accounts and privileges
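As an added illustration (not code from Field Effect, CISA or the NSA), the audit below turns four of those controls into checks that can be run over a host inventory: default credential pairs, administrative accounts without MFA and more administrative accounts than policy allows, services still enabled but unused, and missing patches for exploited vulnerabilities. The inventory, the default-credential list, the patch identifiers of the form `KB-EXAMPLE-n`, and the thresholds `UNUSED_AFTER_DAYS` and `MAX_ADMIN_ACCOUNTS` are all constructed for the example; a real deployment would feed it from an asset database and an exploited-vulnerability catalogue.

```python
"""Inventory audit for common misconfigurations (added example; all data constructed)."""
from dataclasses import dataclass

# Constructed list of vendor-style default credential pairs (assumption, not a real feed).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "toor"), ("guest", "guest")}

# Constructed stand-in for a known-exploited-vulnerabilities feed; IDs are placeholders.
KNOWN_EXPLOITED = {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}

UNUSED_AFTER_DAYS = 90   # policy assumption: a service idle this long is "unused"
MAX_ADMIN_ACCOUNTS = 1   # policy assumption: one local admin account per host


@dataclass
class Account:
    username: str
    password: str
    is_admin: bool = False
    mfa_enabled: bool = False


@dataclass
class Service:
    name: str
    enabled: bool
    last_used_days: int  # days since the service was last observed in use


@dataclass
class Host:
    name: str
    accounts: list
    services: list
    missing_patches: list


@dataclass(frozen=True)
class Finding:
    host: str
    category: str
    detail: str


def audit_host(host: Host) -> list:
    """Return one Finding per misconfiguration detected on a single host."""
    findings = []
    admins = [a for a in host.accounts if a.is_admin]
    for acct in host.accounts:
        # Default credentials: exact match against the constructed pair list.
        if (acct.username, acct.password) in DEFAULT_CREDENTIALS:
            findings.append(Finding(host.name, "default-credentials", acct.username))
        # Weak MFA: privileged accounts must have MFA enforced, not optional.
        if acct.is_admin and not acct.mfa_enabled:
            findings.append(Finding(host.name, "admin-without-mfa", acct.username))
    # Privilege sprawl: more admin accounts than policy permits.
    if len(admins) > MAX_ADMIN_ACCOUNTS:
        findings.append(Finding(host.name, "excess-admin-accounts",
                                ", ".join(a.username for a in admins)))
    # Unused services: enabled but idle beyond the policy window.
    for svc in host.services:
        if svc.enabled and svc.last_used_days >= UNUSED_AFTER_DAYS:
            findings.append(Finding(host.name, "unused-service", svc.name))
    # Patch management: flag only missing patches tied to exploited vulnerabilities.
    for patch in host.missing_patches:
        if patch in KNOWN_EXPLOITED:
            findings.append(Finding(host.name, "missing-exploited-patch", patch))
    return findings


def audit(inventory) -> list:
    """Audit every host in the inventory and return the combined findings."""
    out = []
    for host in inventory:
        out.extend(audit_host(host))
    return out


def summarize(findings) -> dict:
    """Count findings per category, useful for tracking a reduction over time."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample inventory: two hosts, one badly configured and one mostly clean.
SAMPLE_INVENTORY = [
    Host("fileserver-01",
         accounts=[Account("admin", "admin", is_admin=True, mfa_enabled=False),
                   Account("svc-backup", "correct-horse-battery-staple")],
         services=[Service("smb", True, 1), Service("telnet", True, 400)],
         missing_patches=["KB-EXAMPLE-1"]),
    Host("jumphost-02",
         accounts=[Account("ops", "p@ssw0rd-long-unique", is_admin=True, mfa_enabled=True),
                   Account("ops2", "another-unique-pass", is_admin=True, mfa_enabled=True)],
         services=[Service("ssh", True, 0), Service("ftp", False, 900)],
         missing_patches=["KB-EXAMPLE-3"]),
]

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.host:14} {f.category:25} {f.detail}")
    print(summarize(results))
```

On the sample inventory the file server produces four findings (default credentials, an admin without MFA, an idle telnet service, and a missing patch for an exploited vulnerability), while the jump host produces only an excess-admin-accounts finding: its disabled FTP service and its missing non-exploited patch are deliberately not flagged, which keeps the output focused on what the agencies say attackers actually use.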
