The CISA and NSA jointly released a list of the top 10 cybersecurity misconfigurations. The report’s executive summary concludes: “These most common misconfigurations illustrate a trend of systemic weaknesses in several large organizations and the importance of software manufacturers embracing secure-by-design principles to reduce the risk of compromise.”
The number one misconfiguration is the use of default configurations of software and applications. Default configurations are the out-of-the-box settings on many types of hardware (think routers, printers, security cameras). For example, the default configuration of a web browser might include a long list of enabled plugins and extensions. These plugins and extensions can add features and functionality to the browser but also introduce security risks. Organizations need to make lateral movement much more difficult for hackers. There are still too many systems where a breach in one weak spot can be exploited network-wide. CISA says that mitigating these weaknesses begins in these two areas:
- Fortifying user education and staff training
- Software manufacturers need to eliminate inherent misconfiguration issues
Techniques businesses should focus on
The CISA report offers numerous mitigation techniques for businesses. Implement next-generation firewalls to perform deep packet filtering, stateful inspection, and application-level packet inspection. Deny or drop improperly formatted traffic that is incongruent with application-specific traffic permitted on the network. This practice limits an actor’s ability to abuse allowed application protocols.
The rest of the CISA/NSA list of misconfigurations includes:
- Poor patch management
- Bypass of system access controls
- Weak or misconfigured multi-factor authentication (MFA) methods
- Insufficient access control lists (ACLs) on network shares and services
- Poor credential hygiene
- Unrestricted code execution
Poor credential hygiene is a huge problem, and a tougher one to combat because so much of it comes down to human behavior. Some of the poor credential hygiene practices include:
- Reusing passwords across multiple accounts
- Using weak or easily guessable passwords
- Sharing passwords with others
- Writing down passwords or storing them in insecure locations
- Not using MFA
CISA emphasizes the importance of these common misconfigurations. These assessments have shown how common misconfigurations place every business at risk. Protect yourself and your business by improving your cybersecurity and providing training for good cyber hygiene. Contact us at Access Tech, where we have been helping companies solidify their security for years.