Red and Blue Teams of the NSA and CISA Shared Top Ten Cybersecurity Misconfigurations


The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have collaborated to issue a joint cybersecurity advisory (CSA). Its purpose is to shed light on prevalent cybersecurity misconfigurations found in large organisations. The advisory also outlines the tactics, techniques, and procedures (TTPs) employed by malicious actors to exploit these misconfigurations.

By conducting rigorous assessments through the NSA and CISA Red and Blue teams, as well as leveraging the expertise of the NSA and CISA Hunt and Incident Response teams, the agencies have identified the following ten most frequent network misconfigurations:

1. Default configurations of software
2. Insufficient monitoring of internal networks
3. Improper separation of user/administrator privilege
4. Poor patch management
5. Lack of network segmentation
6. Bypassing system access controls
7. Misconfigured multifactor authentication (MFA) methods
8. Insufficient access control lists on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution

These misconfigurations highlight two significant issues. First, they reveal a widespread pattern of systemic vulnerabilities within large organisations, even those with advanced cybersecurity measures. Second, they underline the critical need for software developers to adopt secure-by-design principles, which can alleviate the pressure on network defenders and enhance overall cybersecurity.

A well-equipped network security team, when properly trained, staffed, and funded, can apply known mitigations to address these vulnerabilities effectively. For instance, the noted cybersecurity company Cybernetic Global Intelligence implements several measures to detect misconfiguration-led vulnerabilities. Meanwhile, software manufacturers play a pivotal role in enhancing customer security by integrating secure-by-design and secure-by-default practices into their software development methodologies.

To minimize the risk of malicious exploitation stemming from these misconfigurations, the NSA and CISA recommend the implementation of specific measures. These include removing default credentials, strengthening configurations, disabling unused services, enforcing access controls, ensuring regular updates and automated patching, and prioritizing vulnerabilities that are actively exploited.

Furthermore, NSA and CISA emphasize the responsibility of software manufacturers to improve their customers’ security outcomes. They urge developers to embed security controls into their products right from the initial stages of development and sustain these efforts throughout the entire software development lifecycle. This entails eliminating default passwords, providing customers with high-quality audit logs at no additional cost, and mandating multi-factor authentication (MFA), preferably of a phishing-resistant nature, for privileged users. Making MFA a default feature rather than an opt-in choice is crucial to bolstering security measures effectively.

How to Mitigate the Misconfigurations

For Network Defenders:

NSA and CISA advocate the adoption of recommendations to mitigate the issues highlighted in the advisory. These measures are in harmony with the Cross-Sector Cybersecurity Performance Goals (CPGs) established by CISA and the National Institute of Standards and Technology (NIST). They also align with the MITRE ATT&CK Enterprise Mitigations and MITRE D3FEND frameworks.

The CPGs outline a fundamental set of practices and safeguards on which the CISA and NSA recommendations build. These guidelines are rooted in existing cybersecurity frameworks and advice, and they safeguard against the most prevalent and impactful threats, tactics, techniques, and procedures.

For Software Manufacturers:

NSA and CISA recommend that software manufacturers adhere to the recommendations to reduce the occurrence of misconfigurations. These strategies align with the principles outlined in the collaborative guide, “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security by Design and Default.” NSA and CISA emphatically urge software manufacturers to implement these recommendations, ensuring their products are inherently secure. They should ensure the products do not necessitate additional customer resources for configuration adjustments, monitoring, or routine updates.

Validate Security Controls:

Apart from implementing mitigations, NSA and CISA suggest exercising, testing, and validating your organisation’s security program against the threat behaviors delineated in the MITRE ATT&CK framework. NSA and CISA propose evaluating your existing security controls inventory to assess its effectiveness against the ATT&CK techniques.

To Commence This Process:

1. Choose an ATT&CK technique outlined in the advisory.
2. Align your security technologies with the chosen technique.
3. Test your technologies against the specific technique.
4. Evaluate the performance of your detection and prevention technologies.
5. Repeat this procedure for all security technologies, generating comprehensive performance data.
6. Adjust your security program, encompassing people, processes, and technologies, based on the insights derived from this evaluation process.


The above-mentioned misconfigurations flagged by the Red and Blue teams of NSA and CISA need to be identified and remedied. As per Ravin Prasad, CEO of Cybernetic Global Intelligence, strengthening the cybersecurity architecture of companies can help thwart cybercriminals from exploiting the system. Hence, to protect your company against vulnerabilities and misconfigurations, hire the services of premier cybersecurity companies like Cybernetic Global Intelligence.

To learn more about how to safeguard your IT infrastructure from threat vectors, call us at 1300 292 376 or send an email to
