10 cyber security misconfigurations you should fix right now

Cyber security misconfigurations are a key source of risks and challenges for modern businesses. Common mistakes including poor credential management, weak multi-factor authentication (MFA) and ineffective patch management open organizations up to a range of cyber threats.

Last month, the US Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) released a joint cyber security advisory highlighting the 10 most common cyber security misconfigurations in large organizations, detailing the tactics, techniques and procedures (TTPs) threat actors use to exploit them.

The misconfigurations illustrate a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders, CISA and NSA stated.

Cyber security misconfigurations are a breeding ground for risks and threats

Cyber security misconfigurations are a common but significant breeding ground for risks and threats at a lot of organizations. “Most still forget to get the basics right, and once you build on sand, you are absolutely setting yourself up for future peril,” Paul Watts, distinguished analyst at the Information Security Forum, tells Cyber Security Hub. “Poor configurations become more difficult to detect and remediate the longer they remain in situ, which amplifies their longer-term opportunity to drive up risk within an organization.”

This fundamental root cause of security risk is not getting the level of attention and discussion it so desperately needs – and the reasons for this sit with both the business and with the security and technology teams, Watts says.

10 most common cyber security misconceptions

The 10 cyber security misconfigurations identified by CISA and NSA are foundational considerations that need to be gotten right each and every time, and while they require some organizational context to be put to best use, they do a good job of articulating the main issues faced in most organizations, says Watts. The 10 most common cyber security misconfigurations in large organizations – according to CISA and NSA – are:

1. Default configurations of software and applications

Default configurations of systems, services, and applications can permit unauthorized access or other malicious activity. Common default configurations include default credentials, default service permissions, and configurations settings, the advisory read.

Mitigation strategies include modifying the default configuration of applications and appliances before deployment, changing/disabling vendor-supplied default usernames and passwords of services, software, and equipment and ensuring the secure configuration of ADCS implementations.

2. Improper separation of user/administrator privilege

Administrators often assign multiple roles to one account. This can provide access to a wide range of devices and services, allowing malicious actors to move through a network quickly with one compromised account without triggering lateral movement and/or privilege escalation detection measures, CISA/NSA said. Assessment teams observed excessive account privileges, elevated service account permissions, and non-essential use of elevated accounts among the most common account separation misconfigurations.

Mitigation strategies include implementing authentication, authorization and accounting (AAA) systems, restricting use of privileged accounts to perform general tasks, limiting the number of users within the organization with an identity and access management (IAM) role and implementing time-based access for privileged accounts.

3. Insufficient internal network monitoring

Some organizations do not optimally configure host and network sensors for traffic collection and end-host logging, CISA/NSA stated. “These insufficient configurations could lead to undetected adversarial compromise.” Additionally, improper sensor configurations limit the traffic collection capability needed for enhanced baseline development and detract from timely detection of anomalous activity.

Mitigation strategies include establishing a baseline of applications and services, using auditing tools capable of detecting privilege and service abuse opportunities and implementing a security information and event management (SIEM) system.

4. Lack of network segmentation

Network segmentation separates portions of the network with security boundaries, but a lack of network segmentation leaves no security boundaries between the user, production, and critical system networks, the advisory warned. “Insufficient network segmentation allows an actor who has compromised a resource on the network to move laterally across a variety of systems uncontested. Lack of network segregation additionally leaves organizations significantly more vulnerable to potential ransomware attacks and post-exploitation techniques.”

Mitigation strategies include implementing next-generation firewalls, engineering network segments to isolate critical systems, functions and resources and implementing separate virtual private cloud (VPC) instances.

5. Poor patch management

Vendors release patches and updates to address security vulnerabilities, but poor patch management and network hygiene practices often enable adversaries to discover open attack vectors and exploit critical vulnerabilities. A lack of regular patching and use of unsupported operating systems and outdated firmware are prime examples of poor patch management, according to CISA/NSA.

Mitigation strategies include implementing and maintaining an efficient patch management process, updating software regularly and evaluating the use of unsupported hardware and software and discontinued use.

6. Bypass of system access controls

A malicious actor can bypass system access controls by compromising alternate authentication methods in an environment. “If a malicious actor can collect hashes in a network, they can use the hashes to authenticate using non-standard means, such as pass-the-hash (PtH),” CISA/NSA wrote. By mimicking accounts without the clear-text password, an actor can expand and fortify their access without detection. Kerberoasting is one of the most time-efficient ways to elevate privileges and move laterally throughout an organization’s network, the pair added.

Mitigation strategies include limiting credential overlap across systems, denying domain users the ability to be in the local administrator group, limiting workstation-to-workstation communications and using privileged accounts only on systems requiring those privileges.

7. Weak or misconfigured MFA methods

Weak and misconfigured MFA methods are common in a lot of organizations – particularly misconfigured smart cards/tokens and non-phishing-resistant MFA, CISA/NSA said. Some networks (generally government or DoD networks) require accounts to use smart cards or tokens.

“Multifactor requirements can be misconfigured so the password hashes for accounts never change. Even though the password itself is no longer used – because the smart card or token is required instead – there is still a password hash for the account that can be used as an alternative credential for authentication.” If the password hash never changes, once a malicious actor has an account’s password hash, the actor can use it indefinitely, via the PtH technique for as long as that account exists, the pair added.

Furthermore, some forms of MFA are vulnerable to phishing, push bombing, exploitation of Signaling System 7 (SS7) protocol vulnerabilities, and/or SIM swap techniques. “These attempts, if successful, may allow a threat actor to gain access to MFA authentication credentials or bypass MFA and access the MFA-protected systems.

Mitigation strategies include disabling the use of new technology LAN manager (NTLM) and other legacy authentication protocols, implementing cloud-primary authentication solutions using modern open standards and enforcing phishing-resistant MFA universally.

8. Insufficient ACLs on network shares and services

Data shares and repositories are primary targets for malicious actors. Network administrators may improperly configure ACLs to allow for unauthorized users to access sensitive or administrative data on shared drives, the advisory warned. “Actors can use commands, open source tools, or custom malware to look for shared folders and drives.”

Malicious actors can then collect and exfiltrate the data from the shared drives and folders and use the data for a variety of purposes, such as extortion of the organization or as intelligence when formulating intrusion plans for further network compromise. “Even when further access is not directly obtained from credentials in file shares, there can be a treasure trove of information for improving situational awareness of the target network, including the network’s topology, service tickets, or vulnerability scan data.”

Mitigation strategies include implementing secure configurations for all storage devices, applying the principal of least privilege, applying restrictive permissions to files and directories and setting restrictive permissions on files and folders containing sensitive private keys.

9. Poor credential hygiene

Poor credential hygiene facilitates threat actors in obtaining credentials for initial access, persistence, lateral movement, and other follow-on activity, especially if phishing-resistant MFA is not enabled. Poor credential hygiene includes easily crackable passwords and cleartext password disclosure, CISA/NSA wrote.

Mitigation strategies include following National Institute of Standards and Technologies (NIST) guidelines when creating password policies, using strong passphrases for private keys and implementing a review process for files and systems to look for cleartext account credentials.

10. Unrestricted code execution

If unverified programs are allowed to execute on hosts, a threat actor can run arbitrary, malicious payloads within a network. “For example, after a user falls for a phishing scam, the actor usually convinces the victim to run code on their workstation to gain remote access to the internal network. This code is usually an unverified program that has no legitimate purpose or business reason for running on the network,” the advisory read.

Malicious actors frequently leverage unrestricted code execution in the form of executables, dynamic link libraries (DLLs), HTML applications, and macros to establish initial access, persistence, and lateral movement. “In addition, actors often use scripting languages to obscure their actions and bypass allowlisting. Further, actors may load vulnerable drivers and then exploit the drivers’ known vulnerabilities to execute code in the kernel with the highest level of system privileges to completely compromise the device.”

Mitigation strategies include enabling system settings that prevent the ability to run applications downloaded from untrusted sources, blocking/preventing the execution of known vulnerable drivers that adversaries may exploit to execute code in kernel mode and constraining scripting languages to prevent malicious activities, audit script logs and restrict scripting languages.

We all have “part to play” in tackling cyber security misconfigurations

“We all have a part to play in driving up the quality of configuration and system management,” Watts says. “Security and technology leaders should be standing their ground and forcing the quality debate more strongly, but using the language of business rather than the language of technology to articulate the impact in terms that resonate with boardroom and business.”

When and if this debate happens, executive leadership teams need to step up and acknowledge that the technical hygiene of the organization is intrinsically linked to good business outcomes in the modern age, he adds. “If they are precipitating a culture where cutting corners in the name of earnings before interest, taxes, depreciation and amortization (EBITDA) is essentially encouraged, they are very much part of the problem and need to be more supportive of the need for better quality in this space.”

Cyber Security Hub’s upcoming webinar The top security misconfigurations to watch out for explores common cyber security misconfigurations and how to overcome them.

Get the latest insights on the cyber threat landscape

Download our 'Mid-Year State of Cyber Security Report' to learn about the current challenges that cyber security practitioners in Europe, the Middle East, Africa, and North America are facing, and discover where they are focusing their investment decisions in 2023 and beyond.

Read More