NSA, CISA Red and Blue Teams Share Top 10 Cybersecurity Misconfigurations

Oct 6, 2023 · 4 mins read

Yesterday, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) outlining the top ten most prevalent cybersecurity misconfigurations in enterprise networks.

The advisory noted a “trend of systemic weaknesses in many large organizations, including those with mature cyber postures”. It called attention to the urgent need for secure-by-design principles among manufacturers and service providers.

10. Unrestricted Code Execution

Unrestricted code execution compromises system security by allowing unauthorized code to run unabated. The advisory urges organizations to initiate regular system updates, employ intrusion detection systems, and implement stringent input validation as primary mitigation strategies. It is also recommended to enable system settings that hinder applications downloaded from untrusted sources from running, use application control tools for default program execution restriction (allowlisting), block or prevent execution of vulnerable drivers, constrain scripting languages, use read-only containers with minimal images, and routinely analyze both border and host-level protections, including spam-filtering capabilities.

9. Poor Credential Hygiene

Weak password practices, the hallmark of poor credential hygiene, make unauthorized access easy. To address this, organizations should adhere to NIST guidelines when creating password policies, without enforcing counterproductive restrictions; use password managers; avoid reusing local administrator account passwords; protect private keys with “strong” passphrases; ensure password lengths of 25 characters or more; regularly review systems for cleartext account credentials; consider group Managed Service Accounts (gMSAs); and store passwords salted and hashed with a secure hashing algorithm that has a high computational cost.

8. Insufficient ACLs on Network Shares and Services

Insufficient Access Control Lists (ACLs) on network shares and services permit unauthorized access to sensitive data due to overly permissive policies or absent “deny” policies. This is often seen in SMBs where file servers are misconfigured, making sensitive data accessible to unauthorized individuals. The advisory suggests implementing secure configurations for all storage devices and network shares, applying the principle of least privilege, setting restrictive permissions on sensitive files and folders, and enabling specific Windows Group Policy settings to mitigate these risks.

7. Weak or Misconfigured MFA

Weak or misconfigured Multifactor Authentication (MFA) methods inadequately protect against unauthorized access, with some forms being susceptible to various attack techniques. To enhance security, organizations are advised to support MFA for all users, make it a default feature, and mandate phishing-resistant MFA for users with privileged accounts, while also employing stronger MFA methods and ensuring proper configuration and updates.

6. Bypass of System Access Controls

Attackers can exploit system resources and data when system access controls are bypassed, as seen in the 2010 Stuxnet attack. To counteract this, organizations should employ comprehensive access controls, robust intrusion detection systems, and conduct regular security audits, ensuring audit records provide sufficient detail to detect control bypass.

5. Poor Patch Management

Failure to promptly patch known vulnerabilities, as seen in the 2017 Equifax breach, leaves systems susceptible to attacks. Organizations should adopt a systematic approach to patch management, embedding security controls into product architecture from the start of development, following secure coding practices, conducting thorough code reviews, testing for vulnerabilities, ensuring published CVEs provide adequate information, and clearly communicating the risks of using unsupported operating systems and firmware.

4. Lack of Network Segmentation

Without network segmentation, internal networks are vulnerable to lateral movement by attackers, as was evident in Target’s 2013 data breach. It’s crucial to implement network segmentation to protect sensitive data and services, and to ensure products are compatible with, and tested in, segmented network environments.

3. Insufficient Internal Network Monitoring

Insufficient network monitoring allows malicious activity to go undetected, as witnessed in the 2014 JPMorgan Chase breach. The advisory recommends employing advanced monitoring tools and developing comprehensive incident response plans, and calls on software manufacturers to provide high-quality audit logs to customers at no extra charge.

2. Improper Separation of User/Administrator Privilege

Excessive access rights can lead to unintended system changes and data leaks, as experienced in the 2013 Edward Snowden case. Organizations should enforce strict access controls, routinely review and adjust privileges, automatically generate reports of inactive and privileged accounts, and alert administrators about infrequently used services, with recommendations to disable them or place them under access controls.
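The report the advisory asks for, as an added example that is not part of the original article: it runs over a constructed directory export (sample records, not real accounts) and flags inactive accounts, privileged accounts, and the two overlaps a reviewer cares about most. The privileged-group list and the 90-day idle threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample directory export: name, group memberships, last logon, enabled flag.
ACCOUNTS = [
    {"name": "alice", "groups": ["Domain Users", "Domain Admins"],
     "last_logon": "2023-10-04", "enabled": True},
    {"name": "bob", "groups": ["Domain Users"],
     "last_logon": "2023-05-01", "enabled": True},
    {"name": "svc-backup", "groups": ["Domain Users", "Backup Operators"],
     "last_logon": "2023-01-15", "enabled": True},
    {"name": "carol", "groups": ["Domain Users"],
     "last_logon": "2023-10-05", "enabled": True},
    {"name": "old-admin", "groups": ["Domain Admins"],
     "last_logon": "2022-11-30", "enabled": False},
]

# Assumed set of groups treated as privileged for this report.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Backup Operators", "Account Operators"}


def inactive_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts with no logon within the last max_idle_days."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a["name"] for a in accounts
                  if a["enabled"] and datetime.fromisoformat(a["last_logon"]) < cutoff)


def privileged_accounts(accounts):
    """Map each account holding a privileged group to the groups that make it so."""
    return {a["name"]: sorted(set(a["groups"]) & PRIVILEGED_GROUPS)
            for a in accounts if set(a["groups"]) & PRIVILEGED_GROUPS}


def build_report(accounts, as_of_iso, max_idle_days=90):
    """Combine the two views; the overlaps are the findings to act on first."""
    as_of = datetime.fromisoformat(as_of_iso)
    idle = inactive_accounts(accounts, as_of, max_idle_days)
    priv = privileged_accounts(accounts)
    return {
        "inactive": idle,
        "privileged": priv,
        # Privileged accounts nobody has used: prime candidates for takeover.
        "inactive_privileged": sorted(n for n in idle if n in priv),
        # Disabled accounts that still carry admin group membership: clean up.
        "disabled_privileged": sorted(a["name"] for a in accounts
                                      if not a["enabled"] and a["name"] in priv),
    }


if __name__ == "__main__":
    for key, value in build_report(ACCOUNTS, "2023-10-06").items():
        print(f"{key}: {value}")
```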

1. Insecure Default Configurations

Insecure default settings in applications and devices make them vulnerable right out of the box, as demonstrated by the 2016 Mirai botnet. Users should change default credentials and settings upon setup, while manufacturers need to embed security controls into product architecture from the onset and throughout development, provide security-enabled software by default, and consider making security features either opt-out or nondisabling.
