CISA and NSA Publish Top 10 Misconfigurations

Two leading US government security agencies have shared the top 10 most common cybersecurity misconfigurations, in a bid to improve baseline security among public and private sector organizations.

The report from the NSA and the Cybersecurity and Infrastructure Security Agency (CISA) was compiled from their red and blue team assessments, as well as from agency hunt and incident response team activities across government and private sector organizations.

“These most common misconfigurations illustrate a trend of systemic weaknesses in several large organizations and the importance of software manufacturers embracing secure-by-design principles to reduce the risk of compromise,” the agencies noted.

“Some of the misconfigurations mentioned in the CSA include default configurations of software and applications, weak or misconfigured multifactor authentication (MFA) methods, and unrestricted code execution.”

Top 10 Common Misconfigurations

The list in full is as follows:

  • Default configurations of software and applications
  • Improper separation of user/administrator privilege
  • Insufficient internal network monitoring
  • Lack of network segmentation
  • Poor patch management
  • Bypass of system access controls
  • Weak or misconfigured multifactor authentication (MFA) methods
  • Insufficient access control lists (ACLs) on network shares and services
  • Poor credential hygiene
  • Unrestricted code execution

The report also contains a long and useful list of mitigations for both network defenders and software manufacturers, which the government hopes will help to improve cybersecurity across the nation.

“The misconfigurations described above are all too common in assessments and the techniques listed are standard ones leveraged by multiple malicious actors, resulting in numerous real network compromises,” the report concluded.

“Learn from the weaknesses of others and implement the mitigations above properly to protect the network, its sensitive information, and critical missions.”

The question is whether organizations, especially in the private sector, will have the time and resources to prioritize such efforts at a time when budgets are coming under pressure.
