A hot potato: US intelligence agency NSA and CISA, America's Cyber Defense Agency, have released a new joint advisory on urgent cyber-security matters. The two organizations highlight the most common weaknesses in software and IT configurations found across several levels of US government, and offer advice to both customers and software manufacturers.
After recent warnings about the "BlackTech" threat to Cisco routers, the NSA and CISA have released a new joint advisory on the ten "top cyber misconfigurations" that are enabling intrusions and security incidents. The advisory states that red teams (which emulate attackers) and blue teams (which assess and defend IT systems) from the two agencies have worked over the "past several years" to assess organizations and identify the most common configuration issues.
NSA and CISA analysts spent years studying how malicious actors gain access, move laterally, and "target sensitive systems or information" at both the federal level and the state and local levels of US government. They probed "many networks" belonging to the Department of Defense (DoD), the Federal Civilian Executive Branch, state, local, tribal, and territorial (SLTT) governments, and the private sector, hunting for misconfigurations.
The official advisory lists the following 10 most common network misconfigurations detected by NSA and CISA red and blue teams:
- Default configurations of software and applications
- Improper separation of user/administrator privileges
- Insufficient internal network monitoring
- Lack of network segmentation
- Poor patch and update management
- Bypass of system access controls
- Weak or misconfigured multifactor authentication (MFA) methods
- Insufficient access control lists (ACLs) on network shares and services
- Poor credential hygiene
- Unrestricted code execution
These misconfigurations illustrate a dangerous trend of "systemic weaknesses in many large organizations," the advisory continues, including those with mature "cyber postures." For this reason, the NSA and CISA encourage network "defenders" and IT admins to implement the recommendations and mitigations in the advisory, reducing the risk of being successfully targeted by cyber-criminals and APT actors.
The advisory states that IT admins should remove default credentials and harden configurations, disable unused services, and implement strong access controls. Regular and automated patching should also be adopted, with priority given to known exploited vulnerabilities such as those tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog. Administrative accounts and privileges should be reduced, restricted, monitored, and regularly audited.
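As an added illustration of the admin-side mitigations in the paragraph above (example code written for this page, not material from the advisory), the following Python audits a constructed host inventory for three of them: vendor default accounts still enabled with an unchanged password, enabled services outside an allowlist, and administrative group members who are not on the approved list or who log on to ordinary user workstations. The account and service records, the group names, the allowlists and the logon telemetry field are all assumptions constructed for the example.

```python
"""Audit a host inventory against three admin-side mitigations from the advisory:
default accounts left enabled with their original password, unused services
still enabled, and administrative privilege beyond an approved list.

Added example for this page; the inventory, allowlists and telemetry fields
are constructed assumptions, not data from the advisory.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset[str]
    enabled: bool
    created: date
    password_last_set: date | None  # None: never changed since creation
    workstation_logons_30d: int     # constructed telemetry: logons to user workstations


@dataclass(frozen=True)
class Service:
    name: str
    enabled: bool


# Groups that confer administrative rights (assumption for this example).
ADMIN_GROUPS = frozenset({"Administrators", "Domain Admins"})
# Account names that commonly ship enabled by default (illustrative, not exhaustive).
DEFAULT_ACCOUNTS = frozenset({"Administrator", "admin", "guest", "root"})


def audit_accounts(accounts: list[Account], approved_admins: set[str]) -> list[tuple[str, str]]:
    """Return (account, problem) pairs for privilege and default-credential issues."""
    findings = []
    for acct in accounts:
        is_admin = bool(acct.groups & ADMIN_GROUPS)
        # Default credentials: a vendor default account that is still enabled and
        # whose password has not been changed since the account was created.
        never_rotated = acct.password_last_set is None or acct.password_last_set <= acct.created
        if acct.name in DEFAULT_ACCOUNTS and acct.enabled and never_rotated:
            findings.append((acct.name, "default account enabled with unchanged password"))
        # Privilege reduction: every enabled admin-group member must be on the approved list.
        if is_admin and acct.enabled and acct.name not in approved_admins:
            findings.append((acct.name, "admin group member not on approved list"))
        # Privilege separation: admin accounts should not log on to user workstations.
        if is_admin and acct.workstation_logons_30d > 0:
            findings.append((acct.name, "admin account logged on to user workstations"))
    return findings


def audit_services(services: list[Service], allowed: set[str]) -> list[tuple[str, str]]:
    """Return (service, problem) pairs for enabled services outside the allowlist."""
    return [(svc.name, "enabled service not on allowlist")
            for svc in services if svc.enabled and svc.name not in allowed]


def run_audit() -> dict[str, list[tuple[str, str]]]:
    """Run both audits over a constructed inventory and return the findings."""
    accounts = [
        Account("Administrator", frozenset({"Administrators"}), True, date(2023, 1, 10), None, 0),
        Account("adm-jsmith", frozenset({"Administrators"}), True, date(2022, 6, 1), date(2023, 9, 1), 12),
        Account("jsmith", frozenset({"Users"}), True, date(2022, 6, 1), date(2023, 9, 1), 40),
        Account("svc-backup", frozenset({"Domain Admins"}), True, date(2021, 3, 5), date(2021, 3, 6), 0),
        Account("guest", frozenset({"Guests"}), False, date(2023, 1, 10), None, 0),
    ]
    services = [Service("sshd", True), Service("telnet", True),
                Service("cups", False), Service("smbd", True)]
    return {
        "accounts": audit_accounts(accounts, approved_admins={"adm-jsmith"}),
        "services": audit_services(services, allowed={"sshd", "smbd"}),
    }


if __name__ == "__main__":
    for area, findings in run_audit().items():
        for name, problem in findings:
            print(f"[{area}] {name}: {problem}")
```

Run against the constructed inventory, the audit flags the built-in Administrator account twice (unchanged default password and absence from the approved list), the approved admin for logging on to workstations, the backup service account for holding Domain Admins without approval, and telnet as an enabled service outside the allowlist; the disabled guest account is correctly ignored. In a real deployment the inventory would come from directory exports or endpoint telemetry rather than literals.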
CISA also highlights "urgent" practices that software manufacturers must adopt to reduce the prevalence of security misconfigurations: eliminating default passwords, taking a secure-by-design approach to software development, providing "high-quality audit logs" to customers at no extra charge, making multifactor authentication (MFA) a default rather than an optional feature, and more. The agency is also promoting its recently launched 'Secure Our World' national campaign, which illustrates simple yet effective ways for people to protect themselves, their families, and their businesses from online threats.