NSA and CISA reveal top 10 cybersecurity misconfigurations

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) revealed today the top ten most common cybersecurity misconfigurations discovered by their red and blue teams in the networks of large organizations.

Today's advisory also details what tactics, techniques, and procedures (TTPs) threat actors use to successfully exploit these misconfigurations with various goals, including gaining access to, moving laterally, and targeting sensitive information or systems.

The information included in the report was collected by the two agencies' Red and Blue teams during assessments and during incident response activities.

"These teams have assessed the security posture of many networks across the Department of Defense (DoD), Federal Civilian Executive Branch (FCEB), state, local, tribal, and territorial (SLTT) governments, and the private sector," the NSA said.

"These assessments have shown how common misconfigurations, such as default credentials, service permissions, and configurations of software and applications; improper separation of user / administration privilege; insufficient internal network monitoring; poor patch management, place every American at risk," said Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA.

The top 10 most prevalent network configurations discovered during Red and Blue team assessments and by NSA and CISA Hunt and Incident Response teams include:

1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
6. Bypass of system access controls
7. Weak or misconfigured multifactor authentication (MFA) methods
8. Insufficient access control lists (ACLs) on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution

As stated in the joint advisory, these common misconfigurations depict systemic vulnerabilities within the networks of numerous large organizations.

This underscores the critical need for software manufacturers to adopt secure-by-design principles, thereby mitigating the risk of compromise.

​Goldstein urged software manufacturers to embrace a set of proactive practices, aiming to effectively tackle these misconfigurations and alleviate the challenges faced by network defenders.

These include integrating security controls into the product architecture from the initial stages of development and throughout the software development lifecycle.

Furthermore, manufacturers should stop using default passwords and ensure that compromising a single security control does not jeopardize the entire system's integrity. Taking proactive measures to eliminate whole categories of vulnerabilities, such as utilizing memory-safe coding languages or implementing parameterized queries, is also essential.

Lastly, Goldstein said it's imperative to mandate multifactor authentication (MFA) for privileged users and establish MFA as a default feature, making it a standard practice rather than an optional choice.

NSA and CISA also encourage network defenders to implement the recommended mitigation measures to reduce the risk of attackers exploiting these common misconfigurations.

Mitigations that would have this effect include:

• eliminating default credentials and hardening configurations,
• deactivating unused services and implementing stringent access controls,
• ensuring regular updates and automating the patching process, giving priority to patching known vulnerabilities that have been exploited,
• and reducing, restricting, auditing, and closely monitoring administrative accounts and privileges.

Besides applying the outline mitigations, NSA and CISA recommend "exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework" in today's advisory.

The two federal agencies also advise testing existing security controls inventory to assess their performance against the ATT&CK techniques described in the advisory.