A newly released advisory from the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the National Security Agency (NSA), highlights the most common cybersecurity misconfigurations in large organizations.
CISA and NSA on Thursday unveiled a list of the top 10 most common security software problems and offered clear guidance on how to drive down these misconfigurations.
The Oct. 5 joint advisory is an effort to shine a light on “secure by design” principles being pushed by cybersecurity agencies to ensure software is shipped out with necessary protections in place.
“Over the past several years, red and blue team operators at CISA and NSA have assessed organizations to identify how a malicious actor could gain access, move laterally, and target sensitive systems or information,” CISA Executive Assistant Cybersecurity Director for Cybersecurity Eric Goldstein said in a blog post. “These assessments have shown how common misconfigurations … place every American at risk.”
The agencies identified the following 10 most common network misconfigurations:
- Default configurations of software and applications;
- Improper separation of user/administrator privilege;
- Insufficient internal network monitoring;
- Lack of network segmentation;
- Poor patch management;
- Bypass of system access controls;
- Weak or misconfigured multifactor authentication (MFA) methods;
- Insufficient access control lists (ACLs) on network shares and services;
- Poor credential hygiene; and
- Unrestricted code execution.
“These misconfigurations illustrate (1) a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and (2) the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders,” the joint advisory reads.
The agencies made several recommendations, including advising manufacturers to eliminate default passwords that are automatically built into products or applications, provide high-quality logging tools to customers at no extra charge, and make multi-factor authentication a default feature when users attempt to log in.
Personnel responsible for product security oversight are also encouraged to remove default login credentials and regularly install patches.
“The misconfigurations described in the advisory are too commonly found in assessments, hunts and incident response conducted by our teams and the [tactics, techniques, and procedures] are standard methods used by multiple cyber actors that have led to numerous compromises,” Goldstein wrote.
CISA unveiled its secure-by-design and -default guidelines back in April, which aim to outline clear steps that technology providers can take to increase the safety of products used around the world.
Last week, CISA announced a new national campaign, Secure Our World, and one of the key elements is for technology providers to secure their products – protecting customers by making products secure by design.
