SecurityWeek

Network Security
Organizations Warned of Top 10 Cybersecurity Misconfigurations Seen by CISA, NSA

CISA and the NSA are urging network defenders and software developers to address the top ten cybersecurity misconfigurations.

The US cybersecurity agency CISA and the NSA have issued new guidance on addressing the most common cybersecurity misconfigurations in large organizations.

Impacting many organizations, including those that have achieved a mature security posture, these misconfigurations illustrate a trend of systemic weaknesses and underline the importance of adopting secure-by-design principles during the software development process, CISA and the NSA note.

The ten most common network misconfigurations, the two agencies say, include default software configurations, improper separation of privileges, lack of network segmentation, insufficient network monitoring, poor patch management, bypass of access controls, poor credential hygiene, improper multi-factor authentication (MFA) methods, insufficient access control lists (ACLs) on network shares, and unrestricted code execution.

These misconfigurations, CISA and the NSA note, were identified after years of assessing the security posture of more than 1,000 network enclaves within the Department of Defense (DoD), federal agencies, and US government agencies.

Many of the assessments focused on Windows and Active Directory environments, and the newly published guidance focuses on mitigations for the weaknesses identified in them. However, environments running other software may have similar misconfigurations, the two agencies say.

By implementing secure-by-design principles and reducing the prevalence of these weaknesses, CISA and the NSA note, software developers can reduce the burden on network defenders.

The two agencies also point out that, with proper training and funding, network security teams can implement mitigations for these weaknesses by removing default credentials, hardening configurations, disabling unused services, implementing access controls, implementing strong patch management, and auditing and restricting administrative accounts and privileges.
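As an added example (not from the CISA/NSA guidance or this article), the read-only PowerShell audit below checks a domain-joined Windows host for a few of the listed misconfigurations: oversized privileged groups, risky account flags, over-permissive share ACLs, and default or unused services. It assumes the RSAT ActiveDirectory module and local administrator rights; the group list, service list and admin-count threshold are assumptions to tune per environment.

```powershell
#Requires -Modules ActiveDirectory
# Added example: read-only audit for some of the CISA/NSA top-ten misconfigurations.
# Assumes RSAT (ActiveDirectory module), the SmbShare module and local admin rights.
# Group names, service names and thresholds below are assumptions, not the guidance's.

$findings = [System.Collections.Generic.List[string]]::new()

# Improper separation of privileges: oversized high-privilege AD groups.
$maxAdmins = 5   # assumed threshold; tune to the environment
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)
    if ($members.Count -gt $maxAdmins) {
        $findings.Add("$group has $($members.Count) members; review and reduce")
    }
}

# Poor credential hygiene: enabled accounts with risky password flags.
$props = 'PasswordNeverExpires', 'DoesNotRequirePreAuth', 'AllowReversiblePasswordEncryption'
Get-ADUser -Filter 'Enabled -eq $true' -Properties $props |
    Where-Object { $_.PasswordNeverExpires -or $_.DoesNotRequirePreAuth -or $_.AllowReversiblePasswordEncryption } |
    ForEach-Object { $findings.Add("Account $($_.SamAccountName) has a weak password-policy flag set") }

# Insufficient ACLs on network shares: broad Change/Full access on non-admin shares.
foreach ($share in Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' }) {
    Get-SmbShareAccess -Name $share.Name |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in 'Change', 'Full' -and
            $_.AccountName -in 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
        } |
        ForEach-Object { $findings.Add("Share $($share.Name) grants $($_.AccessRight) to $($_.AccountName)") }
}

# Default software configurations / unused services: SMBv1 and legacy services left on.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $findings.Add('SMBv1 is enabled on this server; disable it')
}
foreach ($svc in 'RemoteRegistry', 'TlntSvr', 'SNMP', 'Spooler') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -eq 'Running') {
        $findings.Add("Service $svc is running; disable it if not required")
    }
}

# Report: one line per finding, or a clean result.
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an elevated PowerShell session on a member server or domain controller; it changes nothing and only prints findings to review against the guidance.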

Secure-by-design and secure-by-default tactics that software manufacturers should embrace, the US agencies say, include embedding security controls into product architecture throughout the entire software development lifecycle (SDLC), removing default passwords, delivering high-quality audit logs to customers, and requiring phishing-resistant MFA.


The mitigations recommended by CISA and the NSA align with the CISA- and NIST-developed Cross-Sector Cybersecurity Performance Goals (CPGs) published last year, and with the secure-by-design and secure-by-default development principles published earlier this year.

In addition to applying these mitigations, CISA and the NSA recommend that organizations test and validate their security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework, and that they test their security controls inventory against the ATT&CK techniques.

“The misconfigurations described are all too common in assessments and the techniques listed are standard ones leveraged by multiple malicious actors, resulting in numerous real network compromises. Learn from the weaknesses of others and implement the mitigations properly to protect the network, its sensitive information, and critical missions,” CISA and the NSA say.

Related: CISA, NSA Publish Guidance on IAM Challenges for Developers, Vendors

Related: Faster Patching Pace Validates CISA’s KEV Catalog Initiative

Related: CISA Releases New Identity and Access Management Guidance

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
