The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have teamed up to release a comprehensive joint cybersecurity advisory, shedding light on the most prevalent cybersecurity misconfigurations that tend to plague large organizations. This article delves deeper into these common misconfigurations and provides a detailed understanding of each, along with recommended mitigation strategies for your organization to implement.
Default software configurations: Default software configurations can pose security risks, as they may contain vulnerabilities and overly permissive settings. To mitigate these risks, change or disable default usernames and passwords, secure ADCS settings, review template permissions, and assess the necessity of LLMNR/NetBIOS.
Improper user/administrator privilege separation: Assigning multiple roles to a single account can lead to undetected access to various resources if compromised. To enhance cybersecurity, use authentication, authorization, and accounting systems, audit user accounts regularly, limit privileged account usage, and restrict domain users in local admin groups. Additionally, employ non-admin accounts for daemonized apps and configure service accounts with minimal permissions.
Insufficient internal network monitoring: Poor sensor configurations can go unnoticed and hinder data collection for baselines and timely threat detection. To address this, establish application and service baselines, regularly audit access, develop an organization-wide baseline for traffic, network, host, and user activity, employ auditing tools for privilege and service abuse detection, and implement a security information and event management system.
Lack of network segmentation: Without network segmentation security, malicious actors can move freely across systems, posing a ransomware and post-exploitation threat. To mitigate this, use next-gen firewalls for deep packet inspection, segment the network to isolate critical assets, and employ separate virtual private cloud instances for essential cloud systems.
Poor patch management: To prevent security vulnerabilities, maintain up-to-date software through efficient patch management. Automate updates, segment networks to reduce exposure, cease unsupported hardware and software usage, and patch firmware against known vulnerabilities.
The bypassing of system access controls: Avoid using the same credentials across different systems. Implement PtH mitigations and restrict domain users from being local administrators on multiple systems to enhance security.
Weak or misconfigured multifactor authentication (MFA): Improperly configured multifactor authentication can lead to unchanging password hashes, posing a risk in Windows environments. Disable legacy authentication protocols and enforce modern, phishing-resistant MFA using open standards for enhanced network security.
Insufficient access control lists (ACLs) on network shares and services: Data shares and repositories are prime targets for malicious actors due to improperly configured ACLs. Prevent unauthorized access by securing storage devices and network shares, employing the principle of least privilege, setting restrictive permissions, and enabling the “Do Not Allow Anonymous Enumeration of SAM Accounts and Shares” Group Policy setting in Windows. Also, apply strict permissions to files and folders with sensitive private keys.
Poor credential hygiene: To prevent cyber-attacks, maintain good credential hygiene by following NIST’s password policies, using strong, unique passwords, avoiding password reuse, using strong passphrases for private keys, storing passwords securely, reviewing for cleartext credentials, and considering group-managed service accounts or third-party software for password storage.
Unrestricted code execution: Restrict unverified programs, use application control tools, limit scripting languages, and regularly review and update border and host-level protections to block malware effectively.
Additional Mitigation Strategies
It is highly recommended by CISA and NSA that organizations continuously exercise, test, and validate their security programs in a production environment. Regular testing ensures that the security measures remain effective and adaptable to new threats. Additionally, organizations can learn from the vulnerabilities and shortcomings experienced by others and swiftly implement necessary mitigation measures to safeguard their networks, sensitive information, and critical missions.
Conclusion
The joint advisory from CISA and NSA provides invaluable insights into the most common cybersecurity misconfigurations and offers detailed strategies for mitigating these risks. By diligently addressing these issues and following the recommended best practices, organizations can significantly enhance their cybersecurity posture and protect against a wide range of threats.
For more risk management guidance, contact us today.