Top 10 Security Misconfigurations From NSA & CISA

The US security agencies CISA & NSA have shared the top 10 most common cybersecurity misconfigurations in a bid to improve baseline security among public and private sector organizations.

The report was compiled from their red and blue team assessments, as well agency hunt and incident response team activities across government and private sector organizations.

“These most common misconfigurations illustrate a trend of systemic weaknesses in several large organizations and the importance of software manufacturers embracing secure-by-design principles to reduce the risk of compromise,” the agencies noted.

Some of the misconfigurations mentioned in the CSA include default configurations of software and applications, weak or misconfigured MFA methods, and unrestricted code execution.

Top 10 Common Misconfigurations 

The list in full is as follows:

• Default configurations of software and applications
• Improper separation of user/administrator privilege
• Insufficient internal network monitoring
• Lack of network segmentation
• Poor patch management
• Bypass of system access controls
• Weak or misconfigured multifactor authentication (MFA) methods
• Insufficient access control lists (ACLs) on network shares and services
• Poor credential hygiene
• Unrestricted code execution

The report also contains a long and useful list of mitigations for both network defenders and software manufacturers, which the government hopes will help to improve cybersecurity across the nation.

Mitigation Advices

To mitigate these pervasive misconfigurations effectively, NSA and CISA endorse the implementation of specific measures:

1. Mitigating Default Configurations of Software and Applications: Customize default configurations, change or disable default usernames and passwords, and ensure secure settings before deployment.
2. Mitigating Improper Separation of User/Administrator Privilege: Implement least privilege principles, audit user accounts, and restrict privileged account usage.
3. Mitigating Insufficient Internal Network Monitoring: Establish baselines, audit access and use, and implement SIEM systems.
4. Mitigating Lack of Network Segmentation: Use next-gen firewalls, segment networks, and employ VPC instances for cloud systems.
5. Mitigating Poor Patch Management: Maintain efficient patch management, prioritize patching, automate updates, and segment networks for vulnerable systems. You can see vulnerabilities on your assets and receive alerts with our Attack Surface Module and may adjust your patch management accordingly.
6. Mitigating Bypass of System Access Controls: Limit credential overlap, implement effective patch management, enable PtH mitigations, and restrict workstation-to-workstation communications.
7. Mitigating Weak or Misconfigured MFA Methods: Disable legacy protocols, use strong passphrases for smart cards, and enforce phishing-resistant MFA.
8. Mitigating Insufficient ACLs on Network Shares and Services: Implement secure configurations, apply least privilege, and enable security settings.
9. Mitigating Poor Credential Hygiene: Follow NIST guidelines, avoid password reuse, use strong passphrases, and enforce adequate password length. You may also use SOCRadar – Digital Risk Protection to be notified in case of a credential leak.
10. Mitigating Unrestricted Code Execution: Prevent running untrusted applications, use application control tools, block vulnerable drivers, and constrain scripting languages.

For the complete text of these mitigations, please visit CISA’s advisory.