A joint cybersecurity advisory from the United States' National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) has shone a light on the top ten most common cybersecurity misconfigurations found in large private and public organisations.
The report aims to detail the weaknesses found in many large organisations, and the need for software makers to properly embrace the principles of security-by-design.
The rogue's gallery of misconfigurations was compiled by CISA and the NSA from their own red and blue team assessments, as well as the findings of incident response teams across government and private sector organisations.
So, without further ado, here are the ten misconfigurations the advisory identifies as the most common:
- Default configurations of software and applications
- Improper separation of user/administrator privilege
- Insufficient internal network monitoring
- Lack of network segmentation
- Poor patch management
- Bypass of system access controls
- Weak or misconfigured multifactor authentication (MFA) methods
- Insufficient access control lists (ACLs) on network shares and services
- Poor credential hygiene
- Unrestricted code execution
There's no doubt that problems like these are present in many organisations, both private and public sector.
Just taking the first listed misconfiguration ("Default configurations of software and applications") as an example, it's clear that the problem is substantial.
All manner of equipment (network access devices, printers, CCTV cameras, VoIP phones, and a panoply of IoT gizmos) commonly ships with default login credentials that an attacker could use to gain unauthorised access, and then use the compromised device as a staging point to move laterally within an organisation's infrastructure and reach sensitive documents.
The report says that the top misconfigurations list illustrates the need for trained and properly funded network security teams to implement known mitigations for the weaknesses, and reduce the chances of a malicious hacker exploiting a misconfiguration.
Amongst the report's advice:
- Remove default credentials and harden configurations.
- Disable unused services and implement access controls.
- Update regularly and automate patching, prioritizing patching of known exploited vulnerabilities.
- Reduce, restrict, audit, and monitor administrative accounts and privileges.
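One way to act on "prioritizing patching of known exploited vulnerabilities" is to rank scanner findings against CISA's Known Exploited Vulnerabilities (KEV) catalog rather than by CVSS score alone. The Python below is an added example written for this article, not code from the advisory or from CISA: the JSON field names follow the public KEV feed, but the catalog excerpt, its dates and the scan findings are constructed for the example, and CVE-0000-0000 is a placeholder standing in for a finding that is not in the catalog.

```python
"""Prioritise vulnerability-scan findings using CISA's Known Exploited
Vulnerabilities (KEV) catalog.

Added example for this article, not code from the NSA/CISA advisory. The JSON
field names follow the public KEV feed; the feed excerpt and the scan findings
below are constructed for the example rather than copied from the live catalog.
"""
import json
from datetime import date

# Where the real feed lives; fetch it out of band and pass the text to load_kev().
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt in the shape of the KEV feed (dates are illustrative only).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-44228",
            "vendorProject": "Apache",
            "product": "Log4j2",
            "dateAdded": "2021-12-10",
            "dueDate": "2021-12-24",
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-2019-19781",
            "vendorProject": "Citrix",
            "product": "Application Delivery Controller (ADC) and Gateway",
            "dateAdded": "2021-11-03",
            "dueDate": "2022-05-03",
            "knownRansomwareCampaignUse": "Known",
        },
    ],
})

# Constructed scan output: (hostname, CVE ID, CVSS base score).
# CVE-0000-0000 is a placeholder for a finding that is not in the catalog.
SAMPLE_FINDINGS = [
    ("file-01", "CVE-0000-0000", 9.9),
    ("vpn-01", "CVE-2019-19781", 9.8),
    ("web-01", "CVE-2021-44228", 10.0),
    ("db-01", "CVE-0000-0000", 7.5),
]


def load_kev(feed_json):
    """Index a KEV feed (JSON text) by CVE ID for constant-time lookups."""
    feed = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def prioritise(findings, kev, today=None):
    """Order scan findings for patching, KEV entries first.

    Buckets, in order:
      0. KEV CVEs whose CISA due date has passed (most overdue first)
      1. KEV CVEs not yet due (earliest due date first; known ransomware
         use breaks ties)
      2. everything else, highest CVSS first

    `today` is an ISO date string; it defaults to the current date.
    """
    cutoff = date.fromisoformat(today) if today else date.today()

    def sort_key(finding):
        host, cve, cvss = finding
        entry = kev.get(cve)
        if entry is None:
            return (2, 0, -cvss, host)
        due = date.fromisoformat(entry["dueDate"])
        bucket = 0 if due < cutoff else 1
        ransomware = 0 if entry.get("knownRansomwareCampaignUse") == "Known" else 1
        return (bucket, due.toordinal(), ransomware, host)

    ranked = []
    for host, cve, cvss in sorted(findings, key=sort_key):
        entry = kev.get(cve)
        due = entry["dueDate"] if entry else None
        ranked.append({
            "host": host,
            "cve": cve,
            "cvss": cvss,
            "in_kev": entry is not None,
            "due": due,
            "overdue": due is not None and date.fromisoformat(due) < cutoff,
        })
    return ranked


if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON), today="2022-01-01"):
        flag = "KEV, OVERDUE" if row["overdue"] else ("KEV" if row["in_kev"] else "")
        print(f'{row["host"]:8} {row["cve"]:16} CVSS {row["cvss"]:<4} {flag}')
```

Note the ordering this produces: a catalogued CVE scoring 9.8 outranks a non-catalogued finding scoring 9.9, and an entry past its CISA due date goes ahead of one that is not yet due. In practice the feed would be fetched from KEV_FEED_URL on a schedule and the scanner's export fed in place of the constructed findings.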
In addition, the report calls on software manufacturers to reduce the prevalence of misconfigurations, by:
- Embedding security controls into product architecture from the start of development and throughout the entire software development lifecycle (SDLC).
- Eliminating default passwords.
- Providing high-quality audit logs to customers at no extra charge.
- Mandating multi-factor authentication (MFA) for privileged users, and making MFA a default rather than opt-in feature.
Just imagine how much better prepared your organisation would be if all the hardware and software which entered your company had security features enabled "out of the box" - with guides on how to "loosen" security (whilst understanding the business risks) if definitely required, rather than the normal pamphlet on how to harden security.
This isn't rocket science. This is about taking the security of your organisation seriously, and about the manufacturers who develop software and hardware for companies raising their bar when it comes to thinking about these issues as well.
Be sure to check out the full 44-page joint advisory for more advice on what your company could be doing better to tackle the top cybersecurity misconfigurations.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.