Security misconfigurations occur when systems or applications are not set up correctly, leaving them exposed to security threats. According to OWASP, roughly 90% of the applications it assessed exhibited some form of misconfiguration, and Security Misconfiguration holds position 5 in the OWASP Top 10.
Security misconfigurations must be rectified promptly, as they can lead to severe breaches, including unauthorized access to sensitive information or unauthorized control over systems and networks. Misconfigurations and unpatched vulnerabilities are often among the first things threat actors look for during their reconnaissance of an organization.
In a recent advisory, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have unveiled a list of the ten most prevalent cybersecurity misconfigurations that their red and blue teams have consistently encountered within the expansive networks of large organizations. The advisory highlights these vulnerabilities and delves into the tactics, techniques, and procedures (TTPs) utilized by threat actors to exploit them successfully.
Top 10 Misconfigurations
The findings in the report stem from assessments and incident response activities carried out by the Red and Blue teams of the two agencies. These evaluations spanned a wide range of networks, from the Department of Defense (DoD) to the Federal Civilian Executive Branch, state, local, territorial governments, and the private sector. Across all of them, the teams repeatedly found the same misconfigurations, such as default credentials, overly permissive service permissions, and inadequately configured software and applications.
The top ten common cybersecurity misconfigurations are as follows:
- Default configurations of software and applications: This is the most common misconfiguration; left uncustomized, default settings leave your system open to exploitation, and threat actors typically try default credentials first.
- Improper separation of user/administrator privilege: Failing to separate user and administrator privileges can open the door to unauthorized access and misuse.
- Insufficient internal network monitoring: A lack of comprehensive internal network monitoring may leave you unaware of suspicious activities happening within your network.
- Lack of network segmentation: Not segmenting your network can result in an interconnected environment, making it easier for attackers to move laterally.
- Poor patch management: Ineffective patch management can leave known vulnerabilities unaddressed, making your systems a prime target for exploitation.
- Bypass of system access controls: Allowing the bypassing of system access controls can grant unauthorized individuals entry to sensitive areas of your network.
- Weak or misconfigured multifactor authentication (MFA) methods: Inadequate MFA measures can undermine the effectiveness of this crucial security layer.
- Insufficient access control lists (ACLs) on network shares and services: Failing to implement robust ACLs can expose critical data to unauthorized users.
- Poor credential hygiene: Inadequate password practices and careless credential management can compromise your system’s security.
- Unrestricted code execution: Allowing unrestricted code execution can permit malicious code to run freely on your system, posing a significant threat.
These misconfigurations are not isolated incidents but emblematic of systemic vulnerabilities within the networks of numerous large organizations.
To mitigate these pervasive misconfigurations effectively, NSA and CISA endorse the implementation of specific measures:
- Mitigating Default Configurations of Software and Applications: Customize default configurations, change or disable default usernames and passwords, and ensure secure settings before deployment.
- Mitigating Improper Separation of User/Administrator Privilege: Implement least privilege principles, audit user accounts, and restrict privileged account usage.
- Mitigating Insufficient Internal Network Monitoring: Establish baselines, audit access and use, and implement SIEM systems.
- Mitigating Lack of Network Segmentation: Use next-gen firewalls, segment networks, and employ VPC instances for cloud systems.
- Mitigating Poor Patch Management: Maintain efficient patch management, prioritize patching, automate updates, and segment networks for vulnerable systems. You can see vulnerabilities on your assets and receive alerts with our Attack Surface Module and may adjust your patch management accordingly.
You can also follow the vendors and third-party organizations within your supply chain via the SOCRadar platform and be informed of potential incidents and vulnerabilities affecting them.
- Mitigating Bypass of System Access Controls: Limit credential overlap, implement effective patch management, enable PtH mitigations, and restrict workstation-to-workstation communications.
- Mitigating Weak or Misconfigured MFA Methods: Disable legacy protocols, use strong passphrases for smart cards, and enforce phishing-resistant MFA.
- Mitigating Insufficient ACLs on Network Shares and Services: Implement secure configurations, apply least privilege, and enable security settings.
- Mitigating Poor Credential Hygiene: Follow NIST guidelines, avoid password reuse, use strong passphrases, and enforce adequate password length. You may also use SOCRadar – Digital Risk Protection to be notified in case of a credential leak.
- Mitigating Unrestricted Code Execution: Prevent running untrusted applications, use application control tools, block vulnerable drivers, and constrain scripting languages.
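Two of the mitigations above, restricting privileged account usage and restricting workstation-to-workstation communications, can be audited from existing logon telemetry. The following added example (not from the NSA/CISA advisory or SOCRadar) flags both patterns in Windows Security event 4624 records; the flattened key=value log format, the sample events, the "da-" prefix for privileged accounts and the "WS-" prefix for workstations are all assumptions made for this illustration.

```python
# Added example: detect two of the advisory's misconfigurations from Windows
# logon events (event ID 4624). Log format and naming conventions are assumed.
from dataclasses import dataclass

# Constructed sample of successful-logon events, flattened to key=value pairs.
# LogonType 2 = interactive console, 3 = network, 10 = RemoteInteractive (RDP).
# Workstation = the source host name reported in the event, Computer = target host.
SAMPLE_EVENTS = """\
EventID=4624 Computer=WS-0117 TargetUserName=jdoe LogonType=2 AuthPackage=Kerberos Workstation=WS-0117
EventID=4624 Computer=WS-0117 TargetUserName=da-admin LogonType=10 AuthPackage=Negotiate Workstation=WS-0203
EventID=4624 Computer=WS-0342 TargetUserName=svc-backup LogonType=3 AuthPackage=NTLM Workstation=WS-0117
EventID=4624 Computer=FS-01 TargetUserName=jdoe LogonType=3 AuthPackage=Kerberos Workstation=WS-0117
EventID=4624 Computer=WS-0342 TargetUserName=da-admin LogonType=3 AuthPackage=NTLM Workstation=WS-0203
"""

# Assumed conventions for this example; a real deployment would use group
# membership and an asset inventory instead of name prefixes.
PRIVILEGED = {"da-admin"}


def is_workstation(host: str) -> bool:
    return host.upper().startswith("WS-")


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    source: str
    target: str


def parse_event(line: str) -> dict:
    return dict(field.split("=", 1) for field in line.split())


def detect(log_text: str) -> list[Finding]:
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        user, src, dst = ev["TargetUserName"], ev["Workstation"], ev["Computer"]
        # Improper privilege separation: a privileged account logging on
        # interactively (console or RDP) to a workstation leaves its credentials there.
        if user in PRIVILEGED and ev["LogonType"] in {"2", "10"} and is_workstation(dst):
            findings.append(Finding("admin-interactive-on-workstation", user, src, dst))
        # Workstation-to-workstation network logon over NTLM: the traffic pattern that
        # PtH mitigations and host firewall rules are meant to block.
        if (ev["LogonType"] == "3" and ev["AuthPackage"] == "NTLM"
                and is_workstation(src) and is_workstation(dst) and src != dst):
            findings.append(Finding("ws-to-ws-ntlm-logon", user, src, dst))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.user} {f.source} -> {f.target}")
```

On the constructed sample the script reports one privileged RDP logon to a workstation and two NTLM workstation-to-workstation network logons; the Kerberos logon to the file server FS-01 is not flagged.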
For the complete text of these mitigations, please visit CISA’s advisory.