US cyberdefense agencies NSA and CISA disclose top 10 security misconfigurations

Alfonso Maruccia

Posts: 910   +280
Staff
A hot potato: US intelligence agency NSA and America's Cyber Defense Agency, CISA, have released a new joint advisory on urgent cyber-security matters. The two organizations are highlighting what's wrong with software and IT configurations throughout several US government levels, while providing advice for both customers and manufacturers.

After recent warnings about the "BlackTech" threat against Cisco routers, the NSA and CISA have released a new joint advisory on the ten "top cyber misconfigurations" which are enabling intrusions and security incidents. The advisory states that Red (attack simulations) and blue (IT system analysis) teams from the two US agencies have worked over the "past several years," to assess organizations and identify the most common issues with IT configurations.

NSA and CISA analysts spent years trying to understand how malicious actors can gain access, move laterally, and "target sensitive systems or information" in both the federal and local levels of US government authorities. They probed "many networks" belonging to the Department of Defense (DoD), Federal Civilian Executive Branch, state, local, tribal, and territorial (SLTT) governments, as well as the private sector hunting for misconfiguration issues.

The official advisory lists the following 10 most common network misconfigurations detected by NSA and CISA red and blue teams:

  • Default configurations of software and applications
  • Improper separation of user/administrator privileges
  • Insufficient internal network monitoring
  • Lack of network segmentation
  • Poor patch and update management
  • Bypass of system access controls
  • Weak or misconfigured multifactor authentication (MFA) methods
  • Insufficient access control lists (ACLs) on network shares and services
  • Poor credential hygiene
  • Unrestricted code execution

These misconfigurations illustrate a dangerous trend of "systemic weaknesses in many large organizations," the advisory continues, including those with mature "cyber postures." For this reason, the NSA and CISA are encouraging network "defenders" and IT admins to implement the recommendations and mitigations included in the advisory, thus reducing the risks of being successfully targeted by cyber-criminals and APT actors.

The advisory states that IT admins should remove default credentials and harden configurations, disable unused services, and implement strong access controls. Furthermore, regular and automated patching practices should be implemented, especially for known exploited vulnerabilities. Administrative accounts and privileges should be reduced, restricted, monitored and regularly audited as well.

CISA is also highlighting "urgent" IT practices that software manufacturers must adopt to minimize the prevalence of security misconfigurations, including the elimination of default passwords, a security-by-design approach to software development, providing "high-quality audit logs" to customers free of charge, making multifactor authentication (MFA) a default rather than an optional feature, and more. The agency is also promoting its recently launched 'Secure Our World' national campaign, which illustrates simple yet effective ways for people to protect themselves, their families and businesses from online threats.

Permalink to story.

 
I wish they were less vague and more like "If you're using an Active Directory domain than the most common misconfiguration is that systems administrators are using their domain/enterprise admin accounts as their daily drivers", instead of being super vague about "Improper separation of user/administrator privileges".

Let's get some real examples out there.
 
I wish they were less vague and more like "If you're using an Active Directory domain than the most common misconfiguration is that systems administrators are using their domain/enterprise admin accounts as their daily drivers", instead of being super vague about "Improper separation of user/administrator privileges".

Let's get some real examples out there.


You know more than me - but perusing this list - anyone in charge of large organization should know this stuff inside out , backwards and forwards . But yes if a bit more than causal interest some breakdown would be nice

Someone taking a six month night class - might now think they know all they need to know to be incharge at company - and it will now be safe as
Imagine in reality 5 years plus in company specialising in it - going in cleaning up etc - you could command a very good salary - you know how to minimise loss audit , protect , tools etc
 
On the consumer end, Snowden's PRISM leaks suggest a security risk using any proprietary operating system, software or hardware (think Intel ME), be it desktop or mobile. It is very likely there are NSA backdoors built into everything. That may not concern you at least until a bad actor discovers and takes advantage of one...

The obvious choice is to use Linux, however that doesn't eliminate backdoors within hardware firmware.


Options to explore:
Pine64 - Community designed open source hardware running Linux including laptops and phones. Reasonably priced but very low performance and poor battery life.

Purism - Similar to Pine64 but an actual business with employees running development. Much more expensive and not much better performance on the phone side.

System76 - Linux gaming desktops and laptops, some with Intel ME disabled. Performance is great, but overpriced.

Protectli - Open source routers/mini PCs with Coreboot and an option to disable Intel ME. Performance is great, but overpriced.

Beyond that you can install Coreboot and disable Intel ME on a lot of older hardware. For newer hardware Dasharo has released Coreboot firmware for MSI PRO Z690-A and MSI PRO Z790-P allowing Intel ME to be disabled. Be prepared for compatibility issues and missing BIOS options.


Essentially all options are less than ideal. It really depends how concerned you are with your own security and privacy. I'm not overly concerned, it's more a matter of principle and I enjoy experimenting with and setting up different hardware/software.
 
Back