The National Security Agency (NSA), in partnership with the Cybersecurity and Infrastructure Security Agency (CISA), has released the ten most common cybersecurity misconfigurations found in large organizations.
In their cybersecurity advisory (CSA), alongside the misconfigurations themselves, they detail the tactics, techniques and procedures (TTPs) that malicious actors use to exploit them.
Through NSA and CISA Red and Blue team assessments, as well as through the activities of the NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common network misconfigurations:
1. Default configurations of software and applications
2. Improper separation of user and administrator privileges
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
6. Bypass of system access controls
7. Weak or misconfigured multi-factor authentication (MFA) methods
8. Insufficient access control lists (ACLs) on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution
NSA and CISA encourage the IT professionals who manage networks to implement the recommendations found in the Mitigations section of the published advisory:
- Remove default credentials and harden settings.
- Disable unused services and implement access controls.
- Update regularly and automate updates, prioritizing the patching of known vulnerabilities.
- Reduce, limit and control all accounts that have administrative privileges.
The NSA and CISA also urge software manufacturers to take responsibility for improving their customers' security outcomes by adopting secure-by-design and secure-by-default tactics, such as:
- Integrating security controls into the product architecture from the beginning of development and throughout the software development life cycle (SDLC).
- Eliminating default passwords.
- Providing high-quality audit logs to customers at no additional charge.
- Making MFA, ideally phishing-resistant, the default for privileged users.
A PDF version of the advisory can be downloaded here.