Top 10 Cybersecurity Misconfigurations Uncovered by NSA and CISA

In a recent revelation, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have shed light on the ten most common cybersecurity misconfigurations that have been identified by their red and blue teams during assessments of large organizations’ networks.

This advisory also delves into the tactics, techniques, and procedures (TTPs) employed by threat actors to exploit these misconfigurations, with objectives ranging from gaining access to sensitive information to targeting vital systems.

The valuable insights presented in this report have been gathered through rigorous assessments and incident response activities conducted by the Red and Blue teams of both agencies. These evaluations span a wide spectrum, including the networks of the Department of Defense (DoD), Federal Civilian Executive Branch (FCEB), state, local, tribal, and territorial (SLTT) governments, as well as the private sector.

The discoveries made during these assessments underscore the alarming prevalence of common misconfigurations, such as default credentials, service permissions, and configurations of software and applications.

Other notable vulnerabilities include improper separation of user/administrator privilege, insufficient internal network monitoring, poor patch management, and the bypassing of system access controls.

Top 10 Cybersecurity Misconfigurations

Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, emphasized the gravity of these misconfigurations, stating that they place every American at risk. The top ten misconfigurations highlighted by NSA and CISA’s teams are as follows:

1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
6. Bypass of system access controls
7. Weak or misconfigured multifactor authentication (MFA) methods
8. Insufficient access control lists (ACLs) on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution

As elucidated in the joint advisory, these common misconfigurations reveal systemic vulnerabilities within the networks of numerous large organizations. This emphasizes the crucial need for software manufacturers to adopt secure-by-design principles to mitigate the risk of compromise.

Rob Joyce, a prominent figure in the field of cybersecurity, endorsed the call for proactive practices among software manufacturers. These practices include integrating security controls into the product architecture from the initial stages of development and throughout the software development lifecycle.

Furthermore, the discontinuation of default passwords and safeguarding individual security controls to prevent the compromise of entire systems is vital. Eliminating whole categories of vulnerabilities, such as adopting memory-safe coding languages and implementing parameterized queries, is also advocated.

Goldstein stressed the importance of mandating multifactor authentication (MFA) for privileged users and making it a standard practice, rather than an optional choice.

To counter these common misconfigurations, NSA and CISA advise network defenders to implement several recommended mitigation measures, including:

• Eliminating default credentials and hardening configurations
• Deactivating unused services and implementing stringent access controls
• Ensuring regular updates and automating the patching process, with a focus on known vulnerabilities that have been exploited
• Reducing, restricting, auditing, and closely monitoring administrative accounts and privileges

In addition to these measures, NSA and CISA encourage organizations to test and validate their security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework. The two federal agencies also recommend testing existing security controls inventory to assess their effectiveness against the ATT&CK techniques outlined in the advisory.