Joint NSA-CISA Advisory on Top Misconfigurations

Executive Summary

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have collaborated to release a comprehensive cybersecurity advisory (CSA) to improve baseline security among public and private sector organizations. The advisory addresses prevalent cybersecurity misconfigurations in large organizations. It provides details on the tactics, techniques, and procedures (TTPs) that actors use to exploit these misconfigurations, along with recommended mitigations for each misconfiguration.

This joint effort draws upon insights gained from red and blue team assessments, as well as the activities of NSA and CISA Hunt and Incident Response teams across both government and private sector organizations.

The report underscores the critical need for enhanced cybersecurity measures, particularly in the face of systemic weaknesses observed in many large organizations.

It emphasizes the importance of adopting secure-by-design principles by software manufacturers to reduce the risk of security compromises.

Top 10 Misconfigurations in the Advisory:
  1. Default configurations of software and applications: Default configurations of systems, services, and applications can permit unauthorized access or other malicious activity. Common default configurations include default credentials and default service permissions and configuration settings.
  2. Improper separation of user/administrator privilege: Administrators often assign multiple roles to one account. These accounts have access to a wide range of devices and services, allowing malicious actors to move through a network quickly with one compromised account without triggering lateral movement and/or privilege escalation detection measures.
  3. Insufficient internal network monitoring: Some organizations do not optimally configure host and network sensors for traffic collection and end-host logging. These insufficient configurations could lead to undetected adversarial compromise. Additionally, improper sensor configurations limit the traffic collection capability needed for enhanced baseline development and detract from timely detection of anomalous activity.
  4. Lack of network segmentation: Network segmentation separates portions of the network with security boundaries. Lack of network segmentation leaves no security boundaries between the user, production, and critical system networks. Insufficient network segmentation allows an actor who has compromised a resource on the network to move laterally across a variety of systems uncontested. Lack of network segregation additionally leaves organizations significantly more vulnerable to potential ransomware attacks and post-exploitation techniques.
  5. Poor patch management: Poor patch management and network hygiene practices often enable adversaries to discover open attack vectors and exploit critical vulnerabilities. Poor patch management includes a lack of regular patching and the use of unsupported operating systems and outdated firmware.
  6. Bypass of system access controls: A malicious actor can bypass system access controls by compromising alternate authentication methods in an environment.
  7. Weak or misconfigured multifactor authentication (MFA) methods:
    • Misconfigured smart cards or tokens: Some networks (generally government or DoD networks) require accounts to use smart cards or tokens. Multifactor requirements can be misconfigured so the password hashes for accounts never change. If the password hash never changes, once a malicious actor has an account’s password hash, the actor can use it indefinitely via the pass-the-hash (PtH) technique, for as long as that account exists.
    • Lack of phishing-resistant MFA: Some forms of MFA are vulnerable to phishing, “push bombing”, exploitation of Signaling System 7 (SS7) protocol vulnerabilities, and/or “SIM swap” techniques. These attempts, if successful, may allow a threat actor to obtain MFA credentials or bypass MFA and access the MFA-protected systems.
  8. Insufficient access control lists (ACLs) on network shares and services: Data shares and repositories are primary targets for malicious actors. Network administrators may improperly configure ACLs to allow unauthorized users to access sensitive or administrative data on shared drives.
  9. Poor credential hygiene: Poor credential hygiene facilitates threat actors in obtaining credentials for initial access, persistence, lateral movement, and other follow-on activity, especially if phishing-resistant MFA is not enabled. Poor credential hygiene includes easily crackable passwords and cleartext password disclosure.
  10. Unrestricted code execution: If unverified programs are allowed to execute on hosts, a threat actor can run arbitrary, malicious payloads within a network.
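The smart-card case in item 7 is one a defender can audit directly: smart-card-only accounts never type a password, so nothing forces their stored NT hash to rotate. The check below is an added example, not code from the advisory or the original post; it runs over constructed Active Directory-style records (an assumption, standing in for an LDAP export), decodes the SMARTCARD_REQUIRED bit of userAccountControl and the FILETIME-encoded pwdLastSet attribute, and lists accounts whose hash has not changed within an assumed 90-day window.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (Active Directory): NORMAL_ACCOUNT and
# SMARTCARD_REQUIRED. A set SMARTCARD_REQUIRED bit means the user never
# enters the password, so the stored NT hash only changes if rotated on purpose.
NORMAL_ACCOUNT = 0x200
SMARTCARD_REQUIRED = 0x40000

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the sample records."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def stale_smartcard_accounts(records, now, max_age_days=90):
    """Return sAMAccountNames of smart-card-required accounts whose password
    hash was last set before the rotation window (pwdLastSet == 0 means never)."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for rec in records:
        if not rec["userAccountControl"] & SMARTCARD_REQUIRED:
            continue  # password-based accounts rotate through normal password policy
        last_set = rec["pwdLastSet"]
        if last_set == 0 or filetime_to_datetime(last_set) < cutoff:
            stale.append(rec["sAMAccountName"])
    return stale


# Constructed sample records (not real directory data). Three smart-card
# accounts: one rotated years ago, one rotated recently, one never set.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"sAMAccountName": "svc-admin", "userAccountControl": NORMAL_ACCOUNT | SMARTCARD_REQUIRED,
     "pwdLastSet": datetime_to_filetime(datetime(2021, 3, 15, tzinfo=timezone.utc))},
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT | SMARTCARD_REQUIRED,
     "pwdLastSet": datetime_to_filetime(datetime(2024, 5, 20, tzinfo=timezone.utc))},
    {"sAMAccountName": "legacy-sc", "userAccountControl": NORMAL_ACCOUNT | SMARTCARD_REQUIRED,
     "pwdLastSet": 0},
    {"sAMAccountName": "asmith", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(datetime(2020, 1, 1, tzinfo=timezone.utc))},
]

if __name__ == "__main__":
    print("Smart-card accounts with stale NT hash:", stale_smartcard_accounts(SAMPLE_RECORDS, NOW))
```

On a live domain the same logic applies to the output of an LDAP query for `userAccountControl`, `pwdLastSet` and `sAMAccountName`; the accounts it reports are the ones whose hash should be rotated.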

Key Highlights from the Advisory

Common Misconfigurations:

The CSA highlights the ten most common cybersecurity misconfigurations in large organizations listed above.

Mitigations:

The report provides a comprehensive list of mitigations aimed at improving cybersecurity for both network defenders and software manufacturers. These recommendations include removing default credentials, hardening configurations, disabling unused services, implementing access controls, regular and automated patching, prioritizing patching of known vulnerabilities, and auditing and monitoring administrative accounts and privileges.

Responsibilities of Network Defenders:

The NSA and CISA encourage organizations to take proactive steps to enhance their cybersecurity posture by implementing the recommended mitigations. Well-trained and adequately staffed network security teams are urged to lead these efforts.

Role of Software Manufacturers:

Software manufacturers are called upon to prioritize security in their product development lifecycle. They should incorporate secure-by-design and -default principles, eliminate default passwords, provide high-quality audit logs, and mandate phishing-resistant multifactor authentication (MFA) as a default feature, particularly for privileged users.

Challenges Ahead:

The advisory acknowledges that implementing these cybersecurity measures may be challenging for organizations, especially in the private sector, as they grapple with budget constraints and resource limitations. However, the report emphasizes the urgency of addressing these vulnerabilities to safeguard sensitive information and critical missions.

In conclusion, the joint NSA and CISA cybersecurity advisory serves as a crucial resource for organizations seeking to enhance their cybersecurity defenses. By taking heed of the common misconfigurations and implementing the recommended mitigations, both public and private sector entities can contribute to a more secure digital landscape.

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.