The Urgent Call for Action: Identifying the Top 10 Cybersecurity Misconfigurations Threatening Organizations

Network Security: Organizations Warned of Top 10 Cybersecurity Misconfigurations Seen by CISA, NSA

October 6, 2023

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly issued a warning to network defenders and software developers regarding the top ten cybersecurity misconfigurations that they have observed. These misconfigurations are seen across various large organizations, including those with mature security postures, and highlight systemic weaknesses in their security practices. CISA and the NSA emphasize the importance of adopting secure-by-design principles during the software development process to mitigate these misconfigurations.

Identifying the Top Ten Misconfigurations

CISA and the NSA have identified the following as the most common network misconfigurations:

  1. Default software configurations
  2. Improper separation of privileges
  3. Lack of network segmentation
  4. Insufficient network monitoring
  5. Poor patch management
  6. Bypass of access controls
  7. Poor credential hygiene
  8. Improper multi-factor authentication (MFA) methods
  9. Insufficient access control lists (ACLs) on network shares
  10. Unrestricted code execution

These misconfigurations were identified after years of assessing the security posture of over 1,000 network enclaves within the Department of Defense (DoD), federal agencies, and US government agencies. While the assessments primarily focused on Windows and Active Directory environments, CISA and the NSA note that similar misconfigurations may exist in environments containing other software.

Mitigating the Misconfigurations

CISA and the NSA recommend a number of mitigations for these misconfigurations. Software developers should embrace secure-by-design and secure-by-default tactics, which involve embedding security controls into product architecture throughout the entire software development lifecycle (SDLC), removing default passwords, delivering high-quality audit logs to customers, and requiring phishing-resistant MFA.

Network security teams, with proper training and funding, can implement the following mitigations:

  • Removing default credentials
  • Hardening configurations
  • Disabling unused services
  • Implementing access controls
  • Implementing strong patch management
  • Auditing and restricting administrative accounts and privileges

CISA and the NSA note that by implementing these mitigations and reducing the prevalence of these misconfigurations, software developers can help alleviate the burden on network defenders.

Aligning with Industry Standards

The mitigations recommended by CISA and the NSA align with the Cross-Sector Cybersecurity Performance Goals (CPGs) published by CISA and the National Institute of Standards and Technology (NIST) last year. They also align with the secure-by-design and secure-by-default development principles published by the agencies earlier this year.

CISA and the NSA further recommend that organizations test and validate their security programs against threat behaviors mapped to the MITRE ATT&CK for Enterprise framework. They should also test their security controls inventory against the ATT&CK techniques.

Conclusion

CISA and the NSA emphasize the importance of addressing these common cybersecurity misconfigurations to protect networks, sensitive information, and critical missions. They urge organizations to learn from the weaknesses identified in other assessments and to implement the recommended mitigations properly.

It is essential for both software developers and network defenders to work together in implementing secure-by-design principles and reducing the prevalence of these misconfigurations. Organizations should invest in proper training and funding for network security teams to ensure that these mitigations are effectively implemented. By doing so, organizations can significantly enhance their cybersecurity posture.

Overall, this warning from CISA and the NSA serves as a reminder of the ongoing need for robust cybersecurity practices and highlights the importance of proactive measures to address common misconfigurations.
