In the world of cybersecurity, the focus is often on the latest zero-day vulnerabilities or high-profile data breaches. However, a recent publication by the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) sheds light on a different aspect of cybersecurity threats – misconfigurations.
The NSA and CISA jointly released the “Top 10 Cybersecurity Misconfigurations” report, which highlights the critical role that misconfigurations play in data breaches. Despite the perception that these issues may seem simple, addressing them at scale in today’s complex digital landscape can be a daunting task.
The report emphasizes the prevalence of misconfigurations in large organizations, even those with mature security postures. It underscores the importance of adopting a secure-by-design approach, where software suppliers prioritize security from the outset. This aligns with CISA’s earlier guidance on demanding and receiving secure software.
The Top 10 list identified by CISA covers a range of misconfigurations that can be exploited by cyber attackers. These issues are not ranked in order of significance, as each one poses a unique threat and can potentially lead to a security breach.
One of the key misconfigurations highlighted in the report is the default configuration of software and applications. Even in 2024, insecure default settings such as default credentials and permissions continue to be common attack vectors. Malicious actors can easily exploit these default settings to gain unauthorized access to systems and networks.
Another critical misconfiguration highlighted in the report is the improper separation of user and administrator privileges. Excessive account privileges and sloppy management of elevated accounts create opportunities for attackers to escalate their access and compromise systems.
In addition, the report emphasizes the importance of internal network monitoring. Without adequate monitoring and alerting mechanisms in place, organizations may fail to detect suspicious activities on their networks, giving attackers free rein to operate undetected.
Network segmentation is another fundamental security control that is often overlooked. By failing to segment networks, organizations create openings for attackers to move laterally across systems and compromise sensitive data. Lack of network segmentation can also put operational technology (OT) networks at risk, with potential safety implications in industrial environments.
Poor patch management practices also feature prominently in the Top 10 list. Failing to apply patches in a timely manner leaves systems exposed to known vulnerabilities that can be exploited by cybercriminals. The report highlights the challenges organizations face in keeping up with patching due to issues such as remediation capacity and the use of unsupported operating systems.
Other misconfigurations identified in the report include bypass of system access controls, weak MFA methods, lack of phishing-resistant MFA, insufficient access control on network shares, poor credential hygiene, and unrestricted code execution. These vulnerabilities can be exploited by attackers to gain unauthorized access, compromise systems, and spread malware within networks.
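The categories summarized above lend themselves to an inventory audit. The following is an added example, not code from the report or from NSA/CISA: it walks a constructed host and account inventory (the `Host`/`Account` fields, the default-credential list and the end-of-life OS list are all assumptions made for this example) and emits one finding per misconfiguration it recognizes, covering default credentials, missing admin/user privilege separation, unsupported operating systems, weak or absent MFA on privileged accounts, and unrestricted code execution.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed lists; a real audit would load vendor defaults and the
# organisation's own end-of-life inventory instead of these samples.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "toor")}
EOL_OS = {"Windows Server 2012 R2", "Windows 7"}
PHISHING_RESISTANT_MFA = {"fido2", "piv"}

@dataclass
class Account:
    name: str
    password: Optional[str]   # None when the password was not inspected
    is_admin: bool
    daily_use: bool           # privileged account also used for routine work
    mfa: Optional[str]        # "fido2", "piv", "totp", "sms" or None

@dataclass
class Host:
    hostname: str
    os: str
    accounts: List[Account] = field(default_factory=list)
    allows_unsigned_exec: bool = False   # no application allowlisting in place

def audit_host(host: Host) -> List[str]:
    """Return one finding per misconfiguration detected on the host."""
    f = []
    if host.os in EOL_OS:
        f.append(f"{host.hostname}: unsupported OS ({host.os})")
    if host.allows_unsigned_exec:
        f.append(f"{host.hostname}: unrestricted code execution")
    for a in host.accounts:
        tag = f"{host.hostname}/{a.name}"
        if (a.name, a.password) in KNOWN_DEFAULTS:
            f.append(f"{tag}: default credentials")
        if a.is_admin and a.daily_use:
            f.append(f"{tag}: admin account used for daily work")
        if a.is_admin and a.mfa is None:
            f.append(f"{tag}: privileged account without MFA")
        elif a.is_admin and a.mfa not in PHISHING_RESISTANT_MFA:
            f.append(f"{tag}: MFA method '{a.mfa}' is not phishing-resistant")
    return f

# Constructed sample inventory (hostnames and values are made up).
SAMPLE_HOSTS = [
    Host("fw-edge-01", "Linux 5.x", [Account("admin", "admin", True, False, None)]),
    Host("file-srv-02", "Windows Server 2012 R2",
         [Account("jsmith", None, True, True, "sms")], allows_unsigned_exec=True),
    Host("jump-03", "Ubuntu 22.04", [Account("ops", "Xk9!pQ2m", True, False, "fido2")]),
]
```

Running `audit_host` over each entry of `SAMPLE_HOSTS` flags the edge firewall and the file server while the hardened jump host produces no findings.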
Overall, the Top 10 Cybersecurity Misconfigurations report serves as a reminder of the importance of addressing basic security fundamentals in the fight against cyber threats. By tackling these misconfigurations, organizations can strengthen their security posture and reduce the risk of data breaches.