While cybersecurity headlines are often dominated by the latest zero-day or notable vulnerability in a vendor’s software/product or open-source software library, the reality is that many significant data breaches have been and will continue to be due to misconfigurations.
To underscore the seriousness of this issue, the US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) recently released their “Top 10 Cybersecurity Misconfigurations,” identified through extensive red and blue team assessments and threat hunting and incident response team activities.
If you’re like most cybersecurity professionals, many of these items should come as no surprise and may even seem “simple”, but as the saying goes, just because something is simple doesn’t mean it is easy, and in modern complex digital environments, addressing these fundamentals at scale is ever daunting.
The publication emphasizes how pervasive misconfigurations are in large organizations, even those with mature security postures, and stresses the need for software suppliers to take a secure-by-design or secure-by-default approach, something CISA has been advocating for, having published guidance on the topic earlier in 2024.
With that said, let’s dive into the Top 10 items CISA identifies. Also, as the publication points out, these are in no way prioritized or listed in order of significance, as each one on its own can be problematic and lead to a pathway of exploitation by attackers.
Default configurations of software and applications
One wouldn’t think in 2024 we would still be discussing the risks of insecure default configurations of software, but here we are. Issues such as default credentials, permissions, and configurations are still common attack vectors that get exploited.
For example, having default credentials in widely used commercial off-the-shelf software and products can create situations in which malicious actors can identify those default credentials and exploit systems and environments in which they remain unchanged.
These defaults are often widely known and easy to find by even the least skilled malicious actor, as they are often published by the manufacturers themselves. This can allow attackers to identify the credentials, change administrative access to something they control, and pivot from compromised devices to other networked systems.
In addition to default credentials on devices, CISA points out that services can often have overly permissive access controls and vulnerable settings by default. They specifically call out things such as insecure Active Directory Certificate Services, legacy protocols/services, and insecure Server Message Block (SMB) services.
If it seems like Microsoft has a large presence in the items listed, it is because it is also the most common among products the assessment teams encountered throughout their activities and, of course, default credentials aside, Microsoft also reigns supreme atop the CISA Known Exploited Vulnerabilities (KEV) catalog. Sometimes being first isn’t so glamorous.
Improper separation of user/administrator privilege
Despite the industry-wide buzz about things like zero-trust, which is rooted in concepts such as least-privileged access control, this weakness still runs rampant. CISA’s publication calls out excessive account privileges, elevated service accounts, and non-essential use of elevated accounts.
Anyone who has worked in IT or cyber for some time knows that many of these issues can be traced back to human behavior and the general demands of working in complex environments. Accounts tend to aggregate permissions and privileges as people rotate through different roles and tasks, and these permissions rarely if ever get cleaned up.
Sources such as the Verizon Data Breach Investigations Report have demonstrated year after year that credential compromise remains a key aspect of most data breaches; these overly permissive accounts are lying in wait, a rich target for malicious actors to abuse.
Insufficient internal network monitoring
If a tree falls in a forest and no one is around to hear it, does it make a sound? Similarly, if your network is being compromised and you lack visibility, awareness, and associated alerting, are you in a position to do anything about it? No, and no.
The CISA publication demonstrates that organizations need sufficient traffic collection and monitoring to detect and respond to anomalous behavior. As the publication discusses, it isn’t uncommon for assessment and threat-hunting teams to encounter systems that either lack sufficient network and host-based logging or have it in place but not properly configured and actually monitored, leaving the organization unable to respond to potential incidents when they occur.
This allows malicious activity to go on unfettered and extends the dwell time of attackers in victims’ systems without detection. To bolster network monitoring and hardening, the publication recommends readers check out CISA’s document “CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks.”
Lack of network segmentation
Another fundamental security control that makes an appearance is the need to segment networks, a practice that again ties to the broader push for zero trust. By failing to segment networks, organizations are failing to establish security boundaries between different systems, environments, and data types.
This allows malicious actors to compromise a single system and move freely across systems without encountering friction and the additional security controls and boundaries that could impede their nefarious activities. The publication specifically calls out challenges where there is a lack of segmentation between IT and OT networks, which puts OT networks at risk and has real-world security and safety implications in environments such as industrial control systems.
Poor patch management
Patching is everyone’s favorite activity in cybersecurity, right? The Top 10 publication points out that failing to apply the latest patches can leave a system open to being exploited by malicious actors by their targeting of known vulnerabilities.
The challenge is that even for organizations that are performing regular patching, sources such as the Cyentia Institute have pointed out that organizations’ remediation capacity, meaning their ability to remediate vulnerabilities (including via patching), is subpar.
Organizations on average can only remediate one out of every 10 new vulnerabilities per month, putting them in a perpetual situation where vulnerability backlogs continue to grow exponentially and demonstrating why others such as Ponemon and Rezilion found that organizations have vulnerability backlogs ranging from several hundred thousand to millions.
Couple that with findings from Qualys on attackers’ abilities to exploit vulnerabilities around 30% faster than organizations can remediate them and it is a recipe for disaster — remember, attackers only need to be right once.
Issues cited include a lack of regular patching as well as using unsupported operating systems and firmware, meaning these items simply don’t have patches available and are no longer supported by vendors. I would personally add the need for organizations to ensure they are making use of secure open-source components and using the latest versions, which is also something that many organizations struggle with and is helping contribute to the increase in software supply chain attacks.
Bypass of system access controls
We’ve discussed the need for access controls quite a bit, but some situations allow malicious actors to bypass system access controls. The guidance specifically points out examples such as collecting hashes for authentication information such as pass-the-hash (PtH) attacks and then using that information to escalate privileges and access systems in an unauthorized manner.
Weak or misconfigured MFA methods
In this misconfiguration we again see CISA and the NSA discuss the risk of PtH-type attacks. They point out that despite the use of MFA such as smart cards and tokens on many Government/DoD networks, there is still a password hash for the account, and malicious actors can use the hash to gain unauthorized access if MFA isn’t enforced or properly configured. This problem of course can exist in commercial systems as well, which may be using YubiKeys or digital form factors and authentication tools.
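As an added illustration of the gap described above (this is example code, not from the CISA/NSA publication or the article’s author): a small detection heuristic over constructed Windows Security 4624 event lines that flags NTLM network logons by accounts the directory marks as smart-card-only, since such a logon was authenticated with the account’s password hash rather than the card. The field names follow the 4624 event schema; the sample events and the smart-card account list are constructed.

```python
import re

# Constructed sample of Windows Security 4624/4625 events, one per line as
# key=value pairs. Not real log data; fields mirror the 4624 event schema.
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=jdoe LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.5.20 WorkstationName=WS-102
EventID=4624 TargetUserName=jdoe LogonType=2 AuthenticationPackageName=Kerberos IpAddress=- WorkstationName=WS-045
EventID=4624 TargetUserName=svc_backup LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.7.9 WorkstationName=BKP01
EventID=4624 TargetUserName=asmith LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.5.21 WorkstationName=WS-103
EventID=4624 TargetUserName=asmith LogonType=3 AuthenticationPackageName=Kerberos IpAddress=10.0.5.21 WorkstationName=WS-103
EventID=4625 TargetUserName=jdoe LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.5.20 WorkstationName=WS-102
"""

# Accounts flagged "Smart card is required for interactive logon" in the
# directory (userAccountControl bit SMARTCARD_REQUIRED, 0x40000). Constructed
# here; in practice this set would be pulled from Active Directory.
SMARTCARD_REQUIRED = {"jdoe", "asmith"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def find_ntlm_logons_for_smartcard_accounts(raw_events, smartcard_accounts):
    """Return (user, source_ip, workstation) for successful network logons
    (EventID 4624, LogonType 3) that used the NTLM package for an account
    that should be smart-card only. NTLM authentication is keyed by the
    account's NT hash, so the card was not what authenticated the session.
    Failed logons (4625) and Kerberos logons are ignored."""
    findings = []
    for line in raw_events.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        user = ev.get("TargetUserName", "").lower()
        if user in smartcard_accounts:
            findings.append((user, ev.get("IpAddress"), ev.get("WorkstationName")))
    return findings


if __name__ == "__main__":
    for hit in find_ntlm_logons_for_smartcard_accounts(SAMPLE_EVENTS, SMARTCARD_REQUIRED):
        print("NTLM network logon by smart-card-only account:", hit)
```

Some NTLM use by smart-card accounts can be legitimate (NTLM fallback after a PKINIT logon), so treat hits as triage leads to confirm against the source host, not as confirmed pass-the-hash.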
Lack of phishing-resistant MFA
Despite the industry-wide push for multifactor authentication (MFA) for quite some time, we face the stark reality that not all MFA types are created equal. This misconfiguration and weakness points to the presence of MFA types that are not “phishing-resistant”, meaning they are vulnerable to attacks such as SIM swapping. Resources such as CISA’s fact sheet “Implementing Phishing-Resistant MFA” can help point administrators in the right direction.
Insufficient access control lists on network shares and services
It’s no secret that data is the primary thing malicious actors are after in most cases, so it isn’t a surprise to see insufficiently secured network shares and services on this list. The guidance states that attackers are using commands, OSS tooling, and custom malware to identify and exploit exposed and insecure data stores.
We of course see this occur with on-premises data stores and services, and the trend has only accelerated with the adoption of cloud computing: misconfigured storage services are rampant, and cheap, extensive cloud storage lets attackers walk away with stunning amounts of data, both in terms of size and the number of individuals impacted.
The guidance also emphasizes that attackers can not only steal data but they can use it for other nefarious purposes such as intelligence gathering for future attacks, extortion, identification of credentials to abuse, and much more.
Poor credential hygiene
Credential compromise remains a primary attack vector, with sources such as Verizon’s DBIR citing compromised credentials being involved in over half of all attacks. The guidance specifically calls out issues such as easily crackable passwords or cleartext password disclosure, both of which can be used by attackers to compromise environments and organizations.
I would add that with the advent of cloud and the push for declarative infrastructure-as-code and machine identities and authentication we’ve seen an even more explosive abuse of secrets, which often include credentials and which is well documented in sources such as security vendor GitGuardian’s State of Secrets Sprawl report.
This problem is also why we continue to see vendors implement secrets management capabilities into their platforms and offerings. This continues to impact even the most competent digital organizations as well, such as Samsung, which saw over 6,000 secret keys exposed in their source code leak.
Unrestricted code execution
This one is straightforward, with the recognition that attackers are looking to run arbitrary malicious payloads on systems and networks. Unverified and unauthorized programs pose significant risks, as they can execute malicious code on a system or endpoint, leading to its compromise, and can also facilitate lateral movement or the spread of malicious software across enterprise networks.
The guidance mentions that this code can also take various forms, such as executables, dynamic link libraries, HTML applications, and even scripts in office software applications such as macros.