Table of Contents
The NSA and CISA have created the Top 10 cybersecurity misconfigurations to help companies mitigate vulnerabilities
If in the 20th century, many American movies, series and books told us about the CIA, the world’s most famous intelligence agency, in the new millennium, the focus of our attention has turned to the NSA, the National Security Agency that collects critical security information and whose fundamental mission is to combat cyber threats and prevent attacks that could affect U.S. security systems.
As such, the NSA acts in coordination with another government agency, the CISA (Cybersecurity & Infrastructure Security Agency), when it comes to strengthening cyber defense and resilience against hostile actors. The result of this collaboration is the recent publication of a Top 10 Cybersecurity Misconfigurations, which alerts businesses and software developers to bugs that malicious actors can exploit to attack companies successfully.
How did the NSA and CISA assemble these Top 10 Cybersecurity Misconfigurations? From the experience and assessments of the Red Team, Blue Team, Threat Hunting and Incident Response teams of both organizations.
What are the main trends evidenced by these Top 10 cybersecurity configuration mistakes that should be considered by all companies globally?
- There are “systemic weaknesses in many large organizations, including those with more mature cybersecurity postures.”
- Security by design, is critical to reducing risks and helping defense teams successfully manage them.
Below, we will detail the top cybersecurity misconfigurations identified by the NSA and CISA and unpack their recommendations for mitigating them and preventing security incidents from harming businesses.
1. Who are the Top 10 Cybersecurity Misconfigurations for?
The NSA and CISA set two main groups of stakeholders to be aware of the top cybersecurity configuration errors they have identified:
- Enterprise systems defense teams.
- Software producers.
Concerning defense teams, the Top 10 cybersecurity misconfigurations emphasize that they must be well trained and have sufficient human, technological and financial resources to detect weaknesses, mitigate them and be prepared to prevent, detect and respond to a security incident. In addition, defensive teams must:
- Remove default credentials.
- Disable unused services and deploy access controls.
- Update the software the company works with on an ongoing basis.
- Automate patching and prioritize patches that address vulnerabilities that hostile actors have successfully exploited.
- Continuously monitor administrator accounts and security privileges.
- Apply the specific recommendations for each of the cybersecurity configuration flaws listed at the top.
On the other hand, the NSA and CISA place a series of duties on software manufacturers to strengthen software security from the design stage and help the companies that acquire them to protect their assets:
- Implement security controls in the software architecture from design and throughout its lifecycle.
- Eliminate default passwords.
- Provide customers with audit trails without increasing the cost of the software.
- Require privileged users to employ a multifactor authentication system to prevent phishing.
- Consider specific recommendations to mitigate the Top 10 Cybersecurity Misconfigurations.
2. Top cybersecurity misconfigurations
2.1. Default software and application configurations
Default configurations of software take the first place in the Top 10 Cybersecurity Misconfigurations to applications. Why? According to the NSA and CISA document, these configurations can allow unauthorized access and the launch of malicious activities. This category includes two types of errors to be aware of:
- Default credentials. Some software vendors release off-the-shelf network appliances that contain predefined credentials for administrative accounts. Which opens the door for hostile actors to abuse credentials:
- Detecting credentials through a web search and employing them to access a device.
- Resetting administrative accounts thanks to predictable questions asked when passwords are forgotten.
- Using the default VPN credentials to access the internal network of the attacked company.
- Leveraging publicly available configuration information to obtain administrative credentials of web applications and access them and their databases.
- Leveraging default credentials in software deployment tools to execute malicious code or perform lateral movements.
- Service permissions and default configuration settings. The Top 10 cybersecurity configuration bugs warn that some default access controls are permissive. In addition, hostile actors can use default services to attack an organization, even if the software vendor has not enabled them since it is enough for users or administrators to do so. During their security assessments, the NSA and CISA have detected:
- Insecure Active Directory certificate services.
- Insecure legacy protocols.
- Insecure server message block services.
2.2. Inadequate separation between user and administrator privileges
The second configuration error highlighted by the U.S. agencies revolves around separating accounts and privileges. The NSA and CISA teams have found that administrators often assign multiple roles to user accounts. As a result, these accounts can access various devices and services. This means that, if breached, hostile actors can move around the corporate network without resorting to lateral movement and privilege escalation tactics.
What are the three big mistakes detected in this area?
- Excessive account privileges. Establishing account privileges serves to limit access to sensitive information and system resources. If privileges are excessive, the users’ room for maneuvering is more significant and the risk level and attack surface increase.
- High permissions on service accounts, which, if compromised, can allow hostile actors to gain unauthorized access and even take control of critical systems.
- Use of privileged accounts that are not essential to the operation of the company. In some cases, secret funds are used to perform basic day-to-day company actions unnecessarily, thus increasing the company’s cyber exposure.
2.3. Insufficient monitoring of the internal network
Configuring host and network sensors to collect traffic and the final host log is essential to protect companies’ internal networks. Insufficient or poor configurations will limit the ability to monitor traffic and, therefore, the ability to detect anomalous activity and attacks aimed at compromising the web in the shortest possible time.
The direct consequence of insufficient or even non-existent network monitoring is that hostile actors can gain access to the network and implement tactics such as lateral movement, persistence or command and control (c&c) to achieve their criminal objectives, for example, stealing confidential information or paralyzing critical business processes.
2.4. Lack of network segmentation
Segmenting the network by establishing security boundaries is essential to separate user, production and critical systems networks. If the network has not been segmented or poorly segmented, hostile actors who manage to compromise a network resource can move laterally across the web and gain access to multiple enterprise systems.
This increases the vulnerability of companies to ransomware attacks and the malicious techniques deployed after exploitation.
In this regard, the Top 10 Cybersecurity Misconfigurations emphasizes the segmentation that must be implemented between information technology (IT) and operational technology (OT) environments. Why? If the segmentation is poor, the OT networks, theoretically isolated and critical to the operation of the enterprise, can be accessed through the IT environment.
2.5. Poor Patch Management
One of the essential tasks of software manufacturers is to release patches and updates for their applications to address detected security vulnerabilities and thus prevent them from being successfully exploited. Companies must perform effective and continuous patch management to prevent hostile actors from exploiting critical vulnerabilities.
The Top 10 Cybersecurity Misconfigurations puts the spotlight on two critical aspects of patch management:
- Failure to deploy patches regularly. This means that the latest patches are not applied, exposing the company to vulnerabilities that are already known and are a priority for cybercriminals.
- Unsupported operating systems and outdated firmware are used. This poses a significant risk to organizations. Why? Vendors no longer patch vulnerabilities in obsolete software and hardware, so hostile actors can exploit them to gain unauthorized access to the corporate network, compromise confidential or sensitive information, e.g., customer data, and cause disruption of essential services and business processes.
2.6. Circumvention of system access controls.
The NSA and CISA teams detected during their investigations and assessments that hostile actors can circumvent system access controls by compromising alternative authentication methods.
Thus, the Top 10 Cybersecurity Misconfigurations warns that a malicious actor can collect hashes on a network to authenticate itself without employing standard channels. In addition, it can maintain or deploy persistence without the company’s detection systems being aware of it and then elevate privileges, move laterally through and persist in the network.
2.7. Weak or misconfigured multifactor authentication methods
Regarding the seventh item in the Top 10 Cybersecurity Misconfigurations, the guide points to two key weaknesses:
- Poorly configured intelligent cards or tokens. In recent years, several networks, especially government networks, mandate that accounts must use smart cards or tokens to gain access. If multifactor requirements are misconfigured and allow account password hashes to remain unchanged, they can be used maliciously as an alternative credential for authentication.
- Multifactor authentication systems that are not resistant to phishing. Phishing attacks are a critical threat to the security of businesses and individuals in this era. It is, therefore, essential that the multifactor authentication method used is not vulnerable to techniques such as phishing, push bombing or SIM swapping.
2.8. Insufficient access control lists in shared resources and network services
Repositories and shared data are prime targets for hostile actors. Therefore, if network administrators do not correctly configure access control lists, they can enable unauthorized users to access confidential information and administrative data in shared folders.
Criminals can use tools or malware to search for shared folders and drives and then collect and exfiltrate stored data. With this information, they can extort money from the company or use it to launch future attacks against the company.
2.9. Poor credential hygiene
To protect the credentials of network users, good credential hygiene is essential. Otherwise, hostile actors can access the network, make lateral moves and persist undetected. The Top 10 Cybersecurity Misconfigurations included in this section:
- Easy-to-crack passwords, which criminals can crack easily without spending substantial resources.
- Disclosure of passwords in clear text. Storing passwords in clear text is very dangerous because if an attacker gains access to files containing the passwords (such as spreadsheets or other documents), they could access applications and software as if they were a legitimate user. There are tools for locating passwords in text files, such as Snaffler.
2.10. Unrestricted code execution
Allowing unverified programs to run on hosts can allow a hostile actor to run malicious applications within a network.
For example, through a phishing campaign, a criminal group can get a company employee to run a malicious program on their computer, thus facilitating access to cyber criminals.
The NSA and CISA teams have found that, in many cases, it is possible to exploit unrestricted code execution. How? In the form of executables, dynamic link libraries or HTML applications. Thanks to them, they can access the network, persist in it and move laterally to meet their objectives. In addition, cybercriminals can perform other actions that go unnoticed, such as using scripting languages to hide their activities, bypassing lists of allowed users or executing code in the kernel to compromise the compromised device fully.
3. Recommendations for mitigating cybersecurity configuration errors
As we noted at the beginning of the article, the NSA and CISA have not only listed the main cybersecurity configuration errors that both software manufacturers and the companies that acquire and use them should be aware of but also propose a series of recommendations to mitigate them.
The recommendations are articulated around each item of the Top 10 Cybersecurity Misconfigurations, differentiating the recommendations for defense teams from the suggestions to be taken into account by software developers.
3.1. Default software and application configurations
The first error on the list compiled by the NSA and CISA concentrates the most significant number of recommendations for professionals in charge of defending and protecting corporate networks:
- Modify the predefined configuration of applications and devices used by the company before they are deployed in a production environment.
- Change predefined passwords and user names for vendor-supplied services, software and equipment.
- Update the control infrastructure, use monitoring and auditing mechanisms, and have efficient access controls to protect the technology infrastructure.
- Ensure secure configuration of ADCS deployments and review template permissions on applicable servers.
- Require SMB signing for both client and server to avoid adversary-in-the-middle techniques.
As far as software vendors are concerned, the Top 10 Cybersecurity Misconfigurations suggest:
- Integrate security controls into the software architecture, for example, by following the best practices of the NIST Secure Software Development Framework.
- Provide customers with software with security features enabled and accompanied by guidelines for downgrading security controls, clearly explaining the business risks associated with downgrading these features.
- Do not provide software clients with universally shared default passwords and require administrators to set strong passwords during installation and configuration.
- Consider the impact of security measures on the experience of people using the software.
3.2. Inadequate separation between user and administrator privileges
Regarding this type of error, the guide developed by the NSA and CISA recommends:
- Deploy authentication, authorization and auditing systems to limit the actions that users can take, audit logs and detect unauthorized access or activities.
- Continuously audit accounts to eliminate those that are inactive or unnecessary.
- Prevent privileged accounts from being used for everyday actions that increase cyber exposure, such as checking e-mail.
- Limit the number of company users who have administrator privileges.
- Deploy time-based access to access accounts with elevated privileges.
- Restrict domain users from being part of the local administrator group on multiple systems.
- Establish that service accounts only have the permissions necessary for the operation of the services they control.
What steps should software developers consider to identify and mitigate privilege-related errors?
- Design applications so a compromised security control cannot compromise the entire system.
- Automate reporting on inactive and privileged account administrators to suspend the former and reduce privilege proliferation for the latter.
- Automatically notify administrators of underused services and propose measures to deactivate them or implement an access control list.
3.3. Insufficient monitoring of the internal network
To mitigate errors in monitoring an organization’s internal network, the Top 10 Cybersecurity Misconfiguration suggest that defense teams:
- Establish a baseline of the applications and services they employ, auditing access to them and administrative activity.
- Have a baseline representing the company’s regular traffic activity, network performance, application activity and user behavior. So that abnormal behavior can be detected and any deviations investigated.
- Employ auditing tools to detect opportunities that can be exploited to abuse privileges and services on corporate systems to correct problems before an incident occurs.
- Deploy a security information and event management system.
Software developers are encouraged to provide audit logs to companies that contract the software at no additional cost, as these logs help to detect and escalate security incidents.
3.4. Lack of network segmentation
The Top 10 security configuration mistakes lists three recommendations that defensive teams should implement to mitigate the lack of segmentation of a corporate network:
- Deploy a firewall to perform deep packet filtering and analyze packets.
- Design and implement network segments to isolate critical systems, functions and resources.
- Deploy separate VPC instances to isolate critical Cloud systems.
From the software producers’ side, it is recommended that they assure enterprises that products and applications are compatible with segmented network environments and are tested in this kind of environment.
3.5. Poor patch management
The management of patches and software updates is an essential function of the professionals in charge of protecting corporate networks and systems. This is why the Top 10 Cybersecurity Misconfigurations recommends defensive teams:
- Ensure that the patch management process is efficient and that updated versions of operating systems, browsers and software products are available.
- Prioritize patching to mitigate known vulnerabilities already exploited by malicious actors.
- Automate software updates whenever possible.
- If patching is impossible, practitioners should segment networks to limit vulnerable system exposure.
- Stop using obsolete software and hardware as soon as possible.
- Patch basic input/output system (BIOS) and other firmware to prevent a hostile actor from exploiting a known vulnerability.
Regarding patch management, NSA and CISA suggest software developers:
- Implement security controls in the architecture and throughout the software lifecycle, following the best practices of the NIST Secure Software Development Framework and:
- Follow secure coding practices
- Review code
- Conduct code audits to identify vulnerabilities and ensure that security requirements are met.
- Ensure that published CVEs include the root cause of the vulnerability to facilitate analysis of software security design flaws.
- Clearly and simply inform their customers about the business risks associated with using obsolete operating systems and firmware.
3.6. Circumvention of system access controls
How can a company’s defensive teams prevent circumvention of access controls? The NSA and CISA recommend that they:
- Avoid reusing credentials between systems, which reduces the possibility of a malicious actor moving laterally.
- Have a method to monitor for non-standard login events.
- Deploy an effective and continuous patch management process.
- Apply user account control restrictions to local accounts when they log on to the corporate network.
- Prevent domain users from being part of the local administrator group on multiple systems.
- Limit communications between workstations and have them all go through one server.
- Use privileged accounts only on those systems that require it.
To facilitate the remediation of this configuration error, the guide recommends that software producers provide sufficient detail in audit logs, making it easier to detect circumvention of system controls and to trace all suspicious actions.
3.7. Weak or misconfigured multifactor authentication methods
About the use of multifactor authentication methods, the document produced by the NSA and CISA sets out a series of specific recommendations for Windows environments that can be implemented in the short term. In addition, for a long time, it proposed to have a Cloud primary authentication solution. Regarding the fight against phishing, the Top 10 Cybersecurity Misonfigurations recommend having a phishing-resistant multifactor authentication method to enable access to confidential corporate data, as well as sensitive resources and services. The guide recommends extending phishing-resilient multifactor authentication to as many services as possible.
How can software vendors contribute in this area?
- Make multifactor authentication the default feature.
- Mandate that privileged users have to employ a phishing-resilient multifactor authentication method.
3.8. Insufficient access control lists in shared resources and network services
The NSA and CISA Top 10 Cybersecurity Misconfigurations recommends:
- Implement secure configurations for all storage devices and network shares, allowing access only to authorized users.
- Assume the principle of least privilege, especially for sensitive resources, to reduce improper data access and manipulation.
- Set restrictive permissions on files and directories so hostile actors cannot alter access control lists.
- Set restrictive permissions on files and folders containing private passwords.
- Limit the number of users who can enumerate network shares.
Regarding this configuration error, software vendors can enforce default access control lists that allow only the minimum necessary access. In addition, they can set up simple tools to make it easy to periodically audit access and make decisions to limit access to the minimum required.
3.9. Poor credential hygiene
Credential hygiene is essential to prevent access by hostile actors. This is why the Top 10 Cybersecurity Misconfigurations recommends defensive teams in companies:
- Create password policies so that passwords are secure and cannot be cracked.
- Prevent reuse of local administrator account passwords across multiple systems.
- Require solid passwords for private keys, forcing hostile actors who wish to crack them to employ numerous resources. In addition, storing passwords in files should also be prohibited.
- Set an appropriate password length. The guide recommends that it should be 25 characters or more. As well as implementing the periodic expiration of passwords.
- Have a file and system review process to look for clear text credentials and delete, change or encrypt them.
- Implement secure password storage applications.
Software vendors can also help improve credential hygiene by implementing these three recommendations:
- Allow administrators to configure a password policy following NIST guidelines, avoiding requiring counterproductive restrictions.
- Make it easy for users to use password managers to generate passwords easily and securely within the software products.
- Use a secure hashing algorithm that allows a salt to be added to passwords, making brute force cracking more difficult.
3.10. Unrestricted code execution
How can defensive teams mitigate unrestricted code execution?
- Enable system settings to prevent the execution of applications downloaded from untrusted sources.
- Employ control tools that serve to restrict the execution of programs by default.
- Block execution of vulnerable drivers that may allow hostile actors to execute code in kernel mode.
- Restrict scripting languages to prevent malicious actions and audit the logs of these sequences.
- Use read-only containers and minimal images as much as possible, making it challenging to execute commands.
- Continuously analyze security mechanisms at the border and host level. For example, spam filtering procedures, to block malware delivery and execution.
The last of the Top 10 Cybersecurity Misconfigurations can be addressed, from the software producers’ side, by providing execution controls within operating systems and applications “out of the box” by default and without passing on an additional cost to customers. These controls help make it more difficult for hostile actors to abuse software functionality or launch unusual (and potentially malicious) applications without the approval of an administrator or an informed user.
4. Validate a company’s security program
Beyond implementing the recommended actions outlined above, the Top 10 Cybersecurity Misconfigurations advocates that companies continuously assess and audit their security program to improve their resilience to attacks and ensure they are prepared to deal with security incidents successfully.
In this regard, companies must have comprehensive cybersecurity services designed and implemented by highly qualified professionals with extensive experience.
Therefore, Tarlogic Security teams help companies to validate their security program by performing application security tests (SAST, SCA, SCS, DAST…), providing penetration testing services and offering comprehensive vulnerability management, as well as an emerging vulnerabilities service to detect risks immediately and proceed to their remediation.
It should also be noted that this Top 10 Cybersecurity Misconfigurations also highlights advanced services such as the Red Team, which makes it possible to explore in depth how a security program responds to a real threat, or the Threat Hunting services that make it possible to anticipate hostile actors and unravel their tactics, techniques and procedures.
In short, cybersecurity is a constantly evolving field in which new threats emerge daily, and hostile actors refine their strategies. That’s why companies can’t do enough to help. The NSA and CISA’s Top 10 Cybersecurity Misconfigurations serves to:
- Alert defensive teams and software developers to the business risks associated with poor configurations.
- List a series of recommendations helpful in limiting risk and cyber exposure.
- Highlight the value of continuous assessment and optimization of the cybersecurity strategy to protect business assets, as well as the valuable information obtained through Red Team and Threat Hunting services.