NSA and CISA Unveil Top 10 Cybersecurity Misconfigurations

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly released a report highlighting the ten most common cybersecurity misconfigurations discovered in the networks of large organizations.

These findings shed light on the vulnerabilities that threat actors exploit to gain unauthorized access, move laterally, and target sensitive information or systems.

The information presented in this advisory is the result of extensive assessments and incident response activities carried out by the NSA and CISA Red and Blue teams.

These teams have evaluated the security posture of networks across various sectors, including the Department of Defense, Federal Civilian Executive Branch, state, local, tribal, and territorial governments, as well as the private sector.

These misconfigurations include issues such as default software and application settings, improper separation of user and administrator privileges, insufficient internal network monitoring, and poor patch management.

The top ten misconfigurations identified during these assessments and incident response efforts are as follows:

  1. Default configurations of software and applications
  2. Improper separation of user/administrator privilege
  3. Insufficient internal network monitoring
  4. Lack of network segmentation
  5. Poor patch management
  6. Bypass of system access controls
  7. Weak or misconfigured multifactor authentication (MFA) methods
  8. Insufficient access control lists (ACLs) on network shares and services
  9. Poor credential hygiene
  10. Unrestricted code execution

The advisory underscores that these misconfigurations reveal systemic vulnerabilities within the networks of numerous large organizations. To address this issue, it is essential for software manufacturers to adopt secure-by-design principles to mitigate the risk of compromise.

Additionally, manufacturers should stop using default passwords and ensure that compromising a single security control does not jeopardize the entire system’s integrity. Taking proactive measures to eliminate whole categories of vulnerabilities, such as utilizing memory-safe coding languages or implementing parameterized queries, is also emphasized.

Furthermore, mandating multifactor authentication (MFA) for privileged users and making MFA a default feature rather than an optional choice is important.

In addition to these recommendations, the NSA and CISA encourage network defenders to implement the suggested mitigation measures to reduce the risk of attackers exploiting these common misconfigurations. They also advise testing existing security controls inventory to assess their performance against the ATT&CK techniques described in the advisory.