October 6th – The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have announced the 10 most common cybersecurity misconfigurations in enterprise networks, as discovered by their red and blue teams.
NSA and CISA: Misconfigurations
The agencies’ red and blue teams collected the information during assessments and incident response activities, and those findings shaped the report and its analysis.
“These teams have assessed the security posture of many networks across the Department of Defense (DoD), Federal Civilian Executive Branch (FCEB), state, local, tribal and territorial (SLTT) governments and the private sector,” said the NSA.
The testing has revealed just how common misconfigurations really are, and the extent to which they place businesses and individuals at risk.
10 most prevalent
As discovered by the NSA and CISA teams, the top 10 most prevalent network misconfigurations involve:
1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
6. Bypassing of system access controls
7. Weak or misconfigured multi-factor authentication (MFA) methodologies
8. Insufficient access control lists (ACLs) on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution
As the advisory notes, these misconfigurations illustrate systemic weaknesses in the networks of a wide range of enterprises.
Upgrading manufacturing standards
The ease with which misconfigurations occur underscores the critical need for software manufacturers to adopt secure-by-design principles, which can substantially reduce risk.
Executive Assistant Director for Cybersecurity at CISA, Eric Goldstein, encouraged software manufacturers to pursue a set of proactive practices that will help address misconfigurations and alleviate some of the difficulties that network defenders face.
Proactive practices include integrating security controls into the product architecture from the initial stages of development and continuing throughout the software development lifecycle.
Further, manufacturers should stop shipping products with default passwords, and should ensure that the compromise of a single security control cannot jeopardize an entire system’s integrity.
Eliminating entire categories of vulnerabilities (for example by using memory-safe programming languages) is also a must.
Network defender mitigations
With reference to the common misconfigurations listed above, the NSA and CISA advise network defenders to:
- Eliminate default credentials and harden configurations
- Deactivate unused services and implement stringent access controls
- Ensure regular updates
- Activate automated patching processes, prioritizing patching of vulnerabilities known to have been exploited
- Reduce, restrict, audit and monitor administrative accounts and privileges
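As an added illustration (not part of the article or of the NSA/CISA advisory), the following Python script shows one way to turn the mitigation checklist above into a repeatable host audit: it screens accounts for vendor default passwords, flags services outside an allow-list, counts privileged accounts, checks patch age and MFA enforcement, and reports each gap. The host inventory, default-password list, service allow-list and policy thresholds are constructed assumptions for this example; in practice they would come from an asset-inventory or configuration-management system.

```python
"""Added example: audit a host inventory against the defender mitigations
(default credentials, unused services, admin sprawl, patching, MFA).
All data below is constructed for illustration, not taken from the advisory."""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# Constructed list of vendor default passwords to screen for (placeholders).
DEFAULT_PASSWORDS = ["admin", "password", "changeme"]
APPROVED_SERVICES = {"sshd", "auditd"}   # assumed allow-list for this host role
MAX_ADMINS = 2                           # assumed policy limit on privileged accounts
MAX_PATCH_AGE_DAYS = 30                  # assumed patch-cadence threshold
PBKDF2_ROUNDS = 10_000                   # kept low so the example runs quickly


def pw_hash(password: str, salt: bytes) -> bytes:
    """Salted password hash as an inventory tool might store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    is_admin: bool


@dataclass
class Host:
    name: str
    accounts: List[Account]
    services: List[str]      # services currently enabled on the host
    days_since_patch: int
    mfa_enforced: bool


def uses_default_password(acct: Account) -> bool:
    # Salted hashes cannot be matched against a precomputed list, so hash each
    # known default with this account's salt and compare to the stored value.
    return any(pw_hash(p, acct.salt) == acct.pw_hash for p in DEFAULT_PASSWORDS)


def audit_host(host: Host) -> List[Tuple[str, str]]:
    """Return (finding-type, detail) pairs; an empty list means the host passes."""
    findings: List[Tuple[str, str]] = []
    for a in host.accounts:                       # 1. default credentials
        if uses_default_password(a):
            findings.append(("default-credential", a.name))
    for s in host.services:                       # 2. unused / unapproved services
        if s not in APPROVED_SERVICES:
            findings.append(("unapproved-service", s))
    admins = [a.name for a in host.accounts if a.is_admin]
    if len(admins) > MAX_ADMINS:                  # 5. admin sprawl
        findings.append(("excess-admin-accounts", ",".join(admins)))
    if host.days_since_patch > MAX_PATCH_AGE_DAYS:  # 3/4. patching
        findings.append(("stale-patching", f"{host.days_since_patch} days"))
    if not host.mfa_enforced:                     # MFA item from the top-10 list
        findings.append(("mfa-not-enforced", host.name))
    return findings


def make_account(name: str, password: str, is_admin: bool, salt: bytes) -> Account:
    return Account(name, salt, pw_hash(password, salt), is_admin)


# Constructed sample host that violates every check.
SAMPLE_HOST = Host(
    name="app-01",
    accounts=[
        make_account("root", "changeme", True, b"salt-root"),
        make_account("svc_backup", "ex@mple-not-default-1", True, b"salt-svc"),
        make_account("ops", "ex@mple-not-default-2", True, b"salt-ops"),
        make_account("alice", "ex@mple-not-default-3", False, b"salt-alice"),
    ],
    services=["sshd", "telnetd", "auditd"],
    days_since_patch=45,
    mfa_enforced=False,
)

# Constructed sample host that passes every check.
CLEAN_HOST = Host(
    name="app-02",
    accounts=[make_account("ops", "ex@mple-not-default-4", True, b"salt-ops2")],
    services=["sshd", "auditd"],
    days_since_patch=7,
    mfa_enforced=True,
)

if __name__ == "__main__":
    for h in (SAMPLE_HOST, CLEAN_HOST):
        for kind, detail in audit_host(h) or [("ok", "no findings")]:
            print(f"{h.name}: {kind}: {detail}")
```

Each finding maps back to one mitigation, so the output can be fed to a ticketing system or compared run-to-run to confirm that remediation actually landed. The default-password check deliberately works from the stored salted hash rather than plaintext, which is the form an inventory tool would normally have.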
The two agencies also recommend that organizations exercise, test and validate their security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework.