CISA Warns: Even Mature Organizations Are Still Slipping Up On The Basics
Large organizations’ cybersecurity efforts have been weighed and measured, and it appears they have still been found wanting. And back in October, CISA and the National Security Agency (NSA) released a joint advisory detailing just how much.
CISA and the NSA Issue a Warning
This warning lays out the top ten most common misconfigurations their red and blue teams have spotted. Not surprisingly, pretty much all of them are Cyber 101 basics. What’s most concerning is that their sample size draws from the Defense Industrial Base (DIB), critical infrastructure sectors, state and federal agencies, and organizations with “mature” cybersecurity strategies.
Getting Ahead of Ourselves
There’s a common trope out there that smaller businesses assume they’re too small to hack. Larger organizations face a different challenge: They focus on larger enterprise solutions and can sometimes ignore smaller “ground level” cybersecurity basics.
It’s easy to be drawn toward, say, next-generation cloud security tools and XDR deployment, which are simply much sexier than asset inventory, account privileges, password management, network visibility, and the like. But hackers know better, and they understand that in a security culture so understandably whipped up in “advanced attacker” hype, sometimes we forget the basics.
The Top Misconfigurations
It doesn’t require the whole list to get the full picture – we’re tripping over our own feet. And there are simple ways to stop that. Here are the five of the top offenders in all of their ordinary glory.
- Default configurations of software and applications | Pretty much every device or software install has default configurations, including default user accounts and permissions that utilize canned passwords. CIS Controls 4.7 warns us about leaving these accounts in place, since these credentials are easy to find via simple Googling. Basic security steps – like a policy that mandates the deletion or update of all default accounts on any device or software implementation – go a long way in defending against blatant holes like this one. (As a safety net, Nomic’s Outpost can block incoming scans and probes that search for open holes like this. Even if your systems are vulnerable, and some of them will be until your strategy is fully matured, the Outpost sits beyond the firewall at the edge of your network and hides your entire network from the view of attackers – so you don’t even have to deal with unwanted probes, communications, or malicious attempts.)
- Improper separation of user/administrator privilege | It’s all too common to see an administrator account with a multitude of unnecessary privileges, for convenience if for no other reason. However, it’s important to keep in mind that this is equally convenient for attackers. One basic solution is to practice the Principle of Least Privilege: Basically, only grant access to the specific resources a particular user requires, and nothing more. Easier said than done, but a worthy goal, for sure.
- Insufficient internal network monitoring | You can only protect as much as you can see. Most organizations have a solution for the endpoints themselves, but lack visibility into the traffic traversing the network. Tools like Nomic’s Insight provide this visibility, which can be leveraged for assessing the behavior of bad actors as they move laterally through the network. With this granularity, combined with endpoint tools, effective incident response, monitoring, and digital forensics become much more doable.
- Lack of network segmentation | This is especially a problem in critical infrastructure where old OT and new IT meet. Through forgotten or accidental “shadow” network connections, hackers can gain access to old OT networks as they get plugged into new systems, cloud-connected IoT devices, and the internet. In this and all other cases, network segmentation is critical in preventing a bad situation from getting worse.
- Poor patch management | New services get configured, applications get installed, software gets purchased, and vulnerabilities get introduced. It takes a lot to be on top of them all, especially if your vulnerability management program is still maturing. Poor patch management, including using outdated firmware or unsupported operating systems, can leave your network wide open for attackers.
If you’re curious, the rest of the Top 10 most common misconfigurations are:
- Bypass of system access controls
- Weak or misconfigured multifactor authentication (MFA) methods
- Insufficient access control lists (ACLs) on network shares and services
- Poor credential hygiene
- Unrestricted code execution
There’s an old cliche in cybersecurity: “Hackers don’t break in, they log in.” The majority of these Top 10 items confirm that old adage, unfortunately. Unchanged default credentials combined with unchecked administrator accounts and lack of network segmentation is like leaving your house’s front door wide open and your safe unlocked. No tools required for the thief – in and out without hurting a fly.
The good news is that these easy wins go a long way in securing the network. Using CISA’s and CIS’s guidance, hopefully more organizations of all sizes won’t forget about these basics.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.