The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently published a joint advisory on the most common cybersecurity misconfigurations found in large organizations. The advisory describes the tactics, techniques, and procedures attackers use against these weaknesses, including gaining initial access, moving laterally, and locating sensitive systems and data.
The findings come from the red and blue team assessments and incident response engagements that NSA and CISA have conducted across a range of organizations. From that work, the two agencies identified the ten most common cybersecurity misconfigurations:
- Default configurations of software and applications
- Improper separation of user/administrator privilege
- Insufficient internal network monitoring
- Lack of network segmentation
- Poor patch management
- Bypass of system access controls
- Weak or misconfigured multifactor authentication (MFA) methods
- Insufficient access control lists (ACLs) on network shares and services
- Poor credential hygiene
- Unrestricted code execution
These weaknesses give attackers systemic footholds and attack paths in many large organizations, including ones with mature security programs. The agencies stress that software manufacturers share responsibility here: building products on secure-by-design and secure-by-default principles, and keeping those principles in place throughout development, would reduce how often these misconfigurations occur and improve the security posture of their customers.
For network defenders with adequate training, staffing, and funding, NSA and CISA recommend the following mitigations:
- Remove default credentials and harden configurations.
- Disable unused services and enforce access controls.
- Update regularly and automate patching, prioritizing known exploited vulnerabilities.
- Reduce, restrict, audit, and monitor administrative accounts and privileges.
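As an added example (not from the advisory or from this page), here is one way to operationalize the "prioritize known exploited vulnerabilities" step in Python: a vulnerability-scan backlog is reordered so that anything listed in CISA's Known Exploited Vulnerabilities (KEV) catalog is remediated first, with overdue and ransomware-linked entries ahead of the rest, and only then the remaining findings by exposure and CVSS score. The KEV excerpt and the scan findings are constructed sample data; the excerpt copies the field names of the public KEV JSON feed but uses placeholder CVE identifiers, not real entries.

```python
"""Rank a vulnerability backlog so CISA KEV entries are patched first.

Added example. KEV_JSON mimics the shape of CISA's public feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
but is a constructed excerpt with placeholder CVE IDs; FINDINGS is constructed
scanner output. Neither is real data.
"""
import json
from datetime import date

# Constructed excerpt in the KEV feed's shape (same field names; placeholder CVE IDs).
KEV_JSON = json.dumps({
    "title": "constructed sample, not the real catalog",
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleCo", "product": "EdgeGateway",
         "dateAdded": "2023-09-01", "dueDate": "2023-09-22",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleCo", "product": "FileServer",
         "dateAdded": "2023-10-02", "dueDate": "2023-10-23",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: one row per (host, CVE).
FINDINGS = [
    {"host": "web-01", "cve": "CVE-1900-0003", "cvss": 9.8, "internet_facing": True},
    {"host": "fs-02",  "cve": "CVE-1900-0002", "cvss": 7.5, "internet_facing": False},
    {"host": "vpn-01", "cve": "CVE-1900-0001", "cvss": 6.5, "internet_facing": True},
    {"host": "db-03",  "cve": "CVE-1900-0004", "cvss": 5.3, "internet_facing": False},
]


def load_kev(kev_json: str) -> dict:
    """Index a KEV-shaped feed by CVE ID, parsing dueDate into a date object."""
    feed = json.loads(kev_json)
    index = {}
    for entry in feed["vulnerabilities"]:
        index[entry["cveID"]] = {
            "due": date.fromisoformat(entry["dueDate"]),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        }
    return index


def tier(finding: dict, kev: dict, today: date) -> str:
    """Label a finding: overdue KEV, KEV, or ordinary backlog."""
    entry = kev.get(finding["cve"])
    if entry is None:
        return "backlog"
    return "kev-overdue" if entry["due"] < today else "kev"


def prioritize(findings: list, kev: dict, today_iso: str) -> list:
    """Return findings in remediation order with a 'tier' label attached.

    Sort key, most important first: in KEV, past its KEV due date, linked to
    ransomware campaigns, earliest due date, internet-facing host, CVSS score.
    """
    today = date.fromisoformat(today_iso)

    def key(f):
        entry = kev.get(f["cve"])
        in_kev = entry is not None
        return (
            0 if in_kev else 1,
            0 if in_kev and entry["due"] < today else 1,
            0 if in_kev and entry["ransomware"] else 1,
            entry["due"].toordinal() if in_kev else 0,
            0 if f["internet_facing"] else 1,
            -f["cvss"],
        )

    return [dict(f, tier=tier(f, kev, today)) for f in sorted(findings, key=key)]


if __name__ == "__main__":
    for f in prioritize(FINDINGS, load_kev(KEV_JSON), "2023-10-10"):
        print(f"{f['tier']:<12} {f['host']:<8} {f['cve']}  cvss={f['cvss']}")
```

Note that CVSS alone would have put the 9.8 on web-01 first; the KEV-driven ordering instead pushes the overdue, ransomware-linked 6.5 on the VPN gateway to the top, which is exactly the reprioritization the mitigation asks for.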
The agencies also urge software manufacturers to:
- Build security controls into product architecture from the start and maintain them throughout the software development life cycle (SDLC).
- Eliminate default passwords.
- Provide high-quality audit logs to customers at no extra charge.
- Require privileged users to use MFA (ideally phishing-resistant) and make MFA a default feature rather than an opt-in.