Connect with us

Hi, what are you looking for?


Network Security

Organizations Warned of Top 10 Cybersecurity Misconfigurations Seen by CISA, NSA

CISA and the NSA are urging network defenders and software developers to address the top ten cybersecurity misconfigurations.

The US cybersecurity agency CISA and the NSA have issued new guidance on addressing the most common cybersecurity misconfigurations in large organizations.

Impacting many organizations, including those that have achieved a mature security posture, these misconfigurations illustrate a trend of systemic weaknesses and underline the importance of adopting secure-by-design principles during the software development process, CISA and the NSA note.

The ten most common network misconfigurations, the two agencies say, include default software configurations, improper separation of privileges, lack of network segmentation, insufficient network monitoring, poor patch management, bypass of access controls, poor credential hygiene, improper multi-factor authentication (MFA) methods, insufficient access control lists (ACLs) on network shares, and unrestricted code execution.

These misconfigurations, CISA and the NSA note, were identified after years of assessing the security posture of more than 1,000 network enclaves within the Department of Defense (DoD), federal agencies, and US government agencies.

Many of the assessments focused on Windows and Active Directory environments and the newly published guidance focuses on mitigations for the weaknesses identified in them. However, environments containing other software may have similar misconfigurations, the two agencies say.

By implementing secure-by-design principles and reducing the prevalence of these weaknesses, CISA and the NSA note, software developers can reduce the burden on network defenders.

The two agencies also point out that, with proper training and funding, network security teams can implement mitigations for these weaknesses, by removing default credentials, hardening configurations, disabling unused services, implementing access controls, implementing strong patching management, and through auditing and restricting administrative accounts and privileges.

Secure-by-design and secure-by-default tactics that software manufactures should embrace, the US agencies say, include embedding security controls into product architecture throughout the entire software development lifecycle (SDLC), removing default passwords, delivering high-quality audit logs to customers, and requiring phishing-resistant MFA.

Advertisement. Scroll to continue reading.

The mitigations recommended by CISA and the NSA align with the CISA and NIST-developed Cross-Sector Cybersecurity Performance Goals (CPGs) published last year and with the secure-by-design and secure-by-default development principles published earlier this year.

In addition to applying these mitigations, CISA and the NSA recommend that organizations test and validate their security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework, and that they test their security controls inventory against the ATT&CK techniques.

“The misconfigurations described are all too common in assessments and the techniques listed are standard ones leveraged by multiple malicious actors, resulting in numerous real network compromises. Learn from the weaknesses of others and implement the mitigations properly to protect the network, its sensitive information, and critical missions,” CISA and the NSA say.

Related: CISA, NSA Publish Guidance on IAM Challenges for Developers, Vendors

Related: Faster Patching Pace Validates CISA’s KEV Catalog Initiative

Related: CISA Releases New Identity and Access Management Guidance

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...