Top 10 Most Common Cybersecurity Misconfigurations From NSA/CISA
By Alliant Specialty
In October, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint cybersecurity advisory (CSA) listing the most common cybersecurity misconfigurations and weaknesses organizations face. The advisory details the tactics, techniques and procedures (TTPs) that threat actors use to exploit them.
Top 10 Cybersecurity Misconfigurations
- Default software configurations: Many software manufacturers release commercial off-the-shelf (COTS) network devices that provide user access via applications or web portals with predefined default credentials for their built-in administrative accounts. Default configurations can harbor weaknesses that attackers exploit, including default credentials, permissions and settings that could grant unauthorized access.
  Recommended action: Modify the default configurations of applications and appliances before deploying them. Change or disable default usernames and passwords during installation, secure Active Directory Certificate Services (ADCS) configurations, review permissions on certificate templates and assess whether LLMNR and NetBIOS name resolution are actually needed.
- Improper user/administrator privilege separation: When administrators assign multiple roles to a single account, one compromised account can grant access to a wide range of devices and services without being detected.
  Recommended action: Implement robust authentication, authorization and accounting (AAA) systems. Audit user accounts routinely and remove unnecessary accounts immediately. Limit privileged account use and the number of administrator users. Restrict domain users in local admin groups, run daemonized applications under non-admin accounts and configure service accounts with only the permissions they need.
- Insufficient internal network monitoring: Inadequately configured host and network sensors can leave compromises undetected and deprive defenders of the data needed to establish baselines and promptly detect suspicious activity.
  Recommended action: Establish baselines of applications and services, and routinely audit their access and use, especially for administrative activities. Develop a baseline of the organization's normal traffic, network performance, host application activity and user behavior. Use auditing tools that can detect opportunities for privilege and service abuse, and implement a security information and event management (SIEM) system.
- Lack of network segmentation: Without network segmentation, malicious actors can move laterally across systems unhindered by security boundaries, leaving the business more exposed to ransomware and post-exploitation techniques.
  Recommended action: Deploy next-generation firewalls that perform deep packet filtering, stateful inspection and application-level packet inspection. Engineer network segments to isolate critical systems, functions and resources, and use separate virtual private cloud (VPC) instances to isolate essential cloud systems.
- Poor patch management: Keeping software up to date is critical to closing known security vulnerabilities.
  Recommended action: Implement an efficient patch management process covering operating systems, browsers and applications. Automate updates as far as possible and rely on vendor-provided updates. Segment networks to limit the exposure of vulnerable systems, retire unsupported hardware and software, and patch firmware so known vulnerabilities cannot be exploited.
- Bypass of system access controls: Threat actors can gain unauthorized access to a system by exploiting alternate authentication methods such as pass-the-hash (PtH).
  Recommended action: Do not reuse the same credentials across different systems; this limits a threat actor's ability to move laterally and cause damage. Enable PtH mitigations and deny domain users membership in the local administrator group across multiple systems.
- Weak or misconfigured multifactor authentication (MFA): Some networks require accounts to use smart cards or tokens. When these requirements are misconfigured, the password hashes associated with those accounts may never change, and a hash can then be used indefinitely for as long as the account remains active. Certain MFA methods are also vulnerable to various attacks.
  Recommended action: In Windows environments, disable legacy authentication protocols and instead enforce phishing-resistant MFA built on modern open standards.
- Insufficient access control lists (ACLs) on network shares and services: Data shares and repositories are frequent targets of threat actors. Improperly configured ACLs can let unauthorized users access sensitive or administrative data on shared drives.
  Recommended action: Secure the configuration of all storage devices and network shares so that only authorized users have access. Apply the principle of least privilege to important information resources; set restrictive permissions on files and directories; and enable the Windows Group Policy security setting "Do Not Allow Anonymous Enumeration of Security Account Manager (SAM) Accounts and Shares" to limit who can enumerate network shares. Apply restrictive permissions to files and folders containing sensitive private keys as well.
- Poor credential hygiene: Good credential hygiene is essential to preventing cyber attacks.
  Recommended action: Follow the National Institute of Standards and Technology (NIST) guidelines for password policies: use strong passwords, avoid reusing passwords across systems, use strong passphrases for private keys and store passwords only in hashed form. Regularly review systems for cleartext credentials, and consider group-managed service accounts or third-party software for secure password storage.
- Unrestricted code execution: Unverified programs let threat actors run harmful payloads on hosts.
  Recommended action: Restrict applications downloaded from untrusted sources, use application control tools and constrain scripting languages. Regularly analyze border and host-level protections to ensure they continue to block malware effectively.
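The "insufficient internal network monitoring" item above recommends building a baseline and alerting on deviations, with extra attention to administrative activity. The following script is an added example (not part of the advisory or of Alliant's material) of that baseline-then-detect approach. It learns, per account, which hosts and logon types are normal from a training window of constructed logon events, then flags evaluation-window events that fall outside that baseline, calling out privileged accounts explicitly, and counts repeated failures per host. The event format, the account names and the privileged-account list are all constructed for the example.

```python
"""
Baseline-then-detect over logon events (added example, constructed data).

A per-account baseline of (host, logon type) pairs is learned from a training
window; events in the evaluation window outside that baseline are reported,
with privileged accounts called out explicitly. Repeated failures from one
host are also counted, since a burst is a common precursor to abuse.
"""
import re
from collections import Counter, defaultdict

# Constructed sample events, loosely modelled on Windows Security log fields
# (EventID 4624 = successful logon, 4625 = failed logon, type = logon type).
TRAINING_EVENTS = [
    "2024-03-01T08:02:11 EventID=4624 user=jdoe host=WS01 type=2",
    "2024-03-01T08:05:40 EventID=4624 user=asmith host=WS02 type=2",
    "2024-03-01T09:10:03 EventID=4624 user=da-admin host=DC01 type=2",
    "2024-03-01T09:12:54 EventID=4624 user=svc-backup host=SRV01 type=5",
    "2024-03-02T08:01:30 EventID=4624 user=jdoe host=WS01 type=2",
    "2024-03-02T10:44:12 EventID=4624 user=da-admin host=DC01 type=2",
    "2024-03-02T22:01:00 EventID=4624 user=svc-backup host=SRV01 type=5",
]
EVAL_EVENTS = [
    "2024-03-03T08:03:17 EventID=4624 user=jdoe host=WS01 type=2",      # within baseline
    "2024-03-03T13:21:09 EventID=4624 user=da-admin host=WS07 type=3",  # admin, unseen host
    "2024-03-03T13:25:44 EventID=4624 user=tmp-user host=WS02 type=2",  # account never seen
    "2024-03-03T13:30:01 EventID=4625 user=asmith host=WS09 type=3",
    "2024-03-03T13:30:02 EventID=4625 user=asmith host=WS09 type=3",
    "2024-03-03T13:30:03 EventID=4625 user=asmith host=WS09 type=3",
    "2024-03-03T13:30:04 EventID=4625 user=asmith host=WS09 type=3",
    "2024-03-03T13:30:05 EventID=4625 user=asmith host=WS09 type=3",
]

ADMIN_ACCOUNTS = {"da-admin"}  # constructed: accounts treated as privileged
FAILURE_THRESHOLD = 5          # failed logons per (user, host) before alerting

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) user=(?P<user>\S+) "
    r"host=(?P<host>\S+) type=(?P<ltype>\d+)$"
)


def parse_event(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def build_baseline(lines):
    """Map each account to the set of (host, logon type) pairs seen succeeding."""
    baseline = defaultdict(set)
    for ev in filter(None, map(parse_event, lines)):
        if ev["eid"] == "4624":
            baseline[ev["user"]].add((ev["host"], ev["ltype"]))
    return baseline


def detect_anomalies(baseline, lines):
    """Return (user, host, reason) tuples for events that deviate from the baseline."""
    findings = []
    failures = Counter()
    for ev in filter(None, map(parse_event, lines)):
        user, host = ev["user"], ev["host"]
        key = (host, ev["ltype"])
        if ev["eid"] == "4625":
            failures[(user, host)] += 1
            continue
        if ev["eid"] != "4624":
            continue
        if user not in baseline:
            findings.append((user, host, "successful logon by account with no baseline"))
        elif key not in baseline[user]:
            if user in ADMIN_ACCOUNTS:
                findings.append((user, host, "privileged account logon outside its baseline"))
            else:
                findings.append((user, host, "new host/logon type for account"))
    # Failure bursts are evaluated once the window has been read in full.
    for (user, host), n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append((user, host, f"{n} failed logons from one host"))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(build_baseline(TRAINING_EVENTS), EVAL_EVENTS):
        print(*finding, sep="\t")
```

On the constructed data the routine logon by jdoe produces nothing, while the administrator account appearing on a workstation, the previously unseen account and the burst of failures against WS09 are each reported. In practice the training window would be fed from a SIEM export and the thresholds tuned to the environment, but the shape of the check is the same.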
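The "poor credential hygiene" item above recommends a regular review for cleartext credentials, and the ACL item recommends protecting files containing private keys. The script below is an added example (not from the advisory or from Alliant) of such a review: it scans a set of constructed in-memory "files" for password assignments, plaintext-to-SecureString conversions in PowerShell and unencrypted PEM private keys, skips obvious placeholders such as `${DB_PASSWORD}`, and redacts every value it reports so the scan output does not itself become a credential store. The file names, contents and the placeholder heuristic are all constructed for the example.

```python
"""
Cleartext-credential scan over config files and scripts (added example,
constructed data). Secrets are redacted in the report.
"""
import re

# Constructed sample "files" (name -> content) mimicking artefacts that
# commonly leak credentials: a .NET config, a deployment script, an INI file
# and two PEM private keys (one unencrypted, one encrypted).
SAMPLE_FILES = {
    "web.config": (
        "<connectionStrings>\n"
        '  <add name="Main" connectionString="Server=db01;User Id=app;Password=Summer2024!" />\n'
        "</connectionStrings>\n"
    ),
    "deploy.ps1": (
        '$secure = ConvertTo-SecureString "P@ssw0rd123" -AsPlainText -Force\n'
        "$token = $env:DEPLOY_TOKEN\n"  # read from the environment: not a finding
    ),
    "app.ini": "[db]\nuser = app\npassword = ${DB_PASSWORD}\n",  # placeholder: not a finding
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa_enc": (
        "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,0123456789ABCDEF\n...\n-----END RSA PRIVATE KEY-----\n"
    ),
}

# Line-level patterns: (kind, regex with the secret value in group 1).
LINE_PATTERNS = [
    ("cleartext password assignment",
     re.compile(r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key)\b\s*[=:]\s*[\"']?([^\"'\s;]+)")),
    ("plaintext SecureString conversion",
     re.compile(r"(?i)ConvertTo-SecureString\s+[\"']([^\"']+)[\"']\s+-AsPlainText")),
]
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
# Heuristic for values that are references rather than secrets (constructed).
PLACEHOLDER_RE = re.compile(r"^(\$\{.*\}|%.*%|\$env:.*|\*+|<.*>)$", re.IGNORECASE)


def is_placeholder(value):
    """True for ${VAR}, %VAR%, $env:VAR, masked ('****') and <angle> placeholders."""
    return bool(PLACEHOLDER_RE.match(value))


def redact(value):
    """Keep at most two leading characters so a finding can be located, never the secret."""
    return (value[:2] if len(value) > 4 else "") + "***"


def scan_files(files):
    """Return a list of findings: {file, line, kind, value} with value redacted."""
    findings = []
    for name, content in files.items():
        if PRIVATE_KEY_RE.search(content):
            # PEM keys are judged as a whole: encrypted keys carry an ENCRYPTED marker.
            if "ENCRYPTED" not in content:
                findings.append({"file": name, "line": 1,
                                 "kind": "unencrypted private key", "value": "***"})
            continue
        for lineno, line in enumerate(content.splitlines(), 1):
            for kind, pattern in LINE_PATTERNS:
                m = pattern.search(line)
                if m and not is_placeholder(m.group(1)):
                    findings.append({"file": name, "line": lineno,
                                     "kind": kind, "value": redact(m.group(1))})
                    break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['kind']} ({f['value']})")
```

Run against real files, the same `scan_files` would take a mapping built by walking a directory tree; the placeholder check is deliberately conservative, so a reviewer should still look at suppressed hits when a file is known to be sensitive.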
Additional Mitigation Strategies
NSA and CISA strongly recommend that organizations continuously exercise, test and validate their security programs in a production environment. Regular testing ensures that security measures remain effective and adaptable to new threats. Organizations can also learn from the weaknesses and shortcomings experienced by others and swiftly implement the necessary mitigations to safeguard their networks, sensitive information and critical missions.
Conclusion
The joint advisory from NSA and CISA provides invaluable insights into the most common cybersecurity misconfigurations and offers detailed strategies for mitigating these risks. One thing is apparent: There is a clear correlation between the NSA and CISA advisory, and the common requirements and expectations within the cyber insurance market. The “top 10” priorities outlined in this advisory closely mirror the most critical controls and security objectives that are driving cyber insurability decisions today.
By diligently addressing these issues and following the recommended best practices, organizations can significantly enhance their cybersecurity posture and protect against a wide range of threats.
How Can Alliant Help?
Alliant Cyber drives better cyber insurability outcomes for clients by tracking requirements, trends and input from the various cyber insurance markets and carriers, in addition to guidance from organizations such as NSA and CISA. Our integrated approach to cyber risk management includes a focus on assessing risk, controls and vulnerabilities, while also assisting our clients with various cyber services and partnerships to drive remediation and continuous improvement. The results for Alliant Cyber clients are significantly improved cyber insurance and risk management outcomes for their organizations.
For more information, visit alliant.com/cyber.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.