CISA and the NSA recently released a joint advisory listing the top 10 cybersecurity misconfigurations. These misconfigurations frequently lead to breaches and incidents and should be remedied. The report’s executive summary concludes: “These most common misconfigurations illustrate a trend of systemic weaknesses in several large organizations and the importance of software manufacturers embracing secure-by-design principles to reduce the risk of compromise.”
I sat down with Rick Comer, a cybersecurity specialist in Chicago, to ask how prevalent these top 10 misconfigurations are in the real world. “Hopefully, none!” says Comer. “MSPs are in a prime position to head off all ten issues.”
According to the report, the number one misconfiguration is the use of default configurations of software and applications.
Default configurations are the out-of-the-box settings that ship with software and many types of hardware (think routers, printers, security cameras). “These settings are typically designed to be used by most users, but they may not be the most secure or optimal settings for your client’s specific needs; MSPs should never just accept the off-the-shelf, out-of-the-box configurations,” Comer says. For example, the default configuration of a web browser might include a long list of enabled plugins and extensions. These plugins and extensions add features and functionality to the browser, but they also widen its attack surface.
Another example is the default configuration of a database server. “The default configuration might allow remote access to the database, which attackers could exploit,” Comer warns. CISA also cites problems like improper user/administrator privilege separation. “Administrative privileges should be given only to those who need them; people – and, yes, some MSPs – get sloppy about this sometimes, and attackers can exploit this for access,” Comer said. According to CISA, insufficient internal network monitoring is another weak spot in many security programs.
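The database example above is easy to make concrete. The script below is an added example, not part of the article or the CISA/NSA advisory: it parses a PostgreSQL `pg_hba.conf` and flags rules that open the server to every address, use the no-password `trust` method, or rely on the older `md5`/`password` methods. Both configuration texts are constructed for illustration, and the parser assumes CIDR-style addresses (keywords such as `samenet` are skipped).

```python
"""Audit a PostgreSQL pg_hba.conf for the kind of over-permissive remote access
that a default or "just make it work" configuration leaves behind.
Added example, not from the CISA/NSA advisory or the article; both config
texts below are constructed for illustration and assume CIDR-style addresses."""
import ipaddress

# Constructed: a pg_hba.conf after someone opened the database to "everything".
WEAK_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 trust
host    all       all   0.0.0.0/0     trust
host    all       all   ::/0          md5
"""

# Constructed: the same file hardened (OS-user auth locally, one admin subnet, SCRAM).
HARDENED_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    peer
host    all       all   127.0.0.1/32     scram-sha-256
host    all       all   10.20.30.0/24    scram-sha-256
"""


def parse_pg_hba(text):
    """Return (type, database, user, address, method) tuples for each rule line.
    'local' rules have no ADDRESS column, so address is None for them."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            conn_type, db, user, method = fields[:4]
            address = None
        else:
            conn_type, db, user, address, method = fields[:5]
        rules.append((conn_type, db, user, address, method))
    return rules


def audit_pg_hba(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    for conn_type, db, user, address, method in parse_pg_hba(text):
        where = " ".join(f for f in (conn_type, db, user, address) if f)
        if method == "trust":
            findings.append(f"{where}: 'trust' grants access with no password at all")
        if method in ("password", "md5"):
            findings.append(f"{where}: weak method '{method}', prefer scram-sha-256")
        if address is not None:
            try:
                net = ipaddress.ip_network(address, strict=False)
            except ValueError:
                continue  # keywords such as samenet are out of scope for this example
            if net.prefixlen == 0:
                findings.append(f"{where}: open to every address via {address}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_PG_HBA), ("hardened", HARDENED_PG_HBA)):
        results = audit_pg_hba(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

The weak file produces five findings and the hardened file none. Two caveats a practitioner would add: `pg_hba.conf` is evaluated first-match, so rule order matters as much as content, and the server only listens remotely at all if `listen_addresses` in `postgresql.conf` permits it, so a real audit checks both files together.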
“This is just a fancy way of saying that an enterprise doesn’t have adequate tools or processes to monitor its internal network for suspicious activity. This can make it difficult to detect and respond to cyber-attacks promptly.” Comer adds that many organizations simply lack the budget for such processes. “But this is where MSPs shine; 24/7 monitoring is possible for a reasonable rate,” he says. CISA says that mitigating these weaknesses begins in two areas:
- Fortifying user education and staff training
- Software manufacturers eliminating inherent misconfiguration issues
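One thing internal monitoring is meant to surface is an account fanning out to many hosts in a short time, which is what lateral movement looks like in authentication logs. The script below is an added example, not from the article or the advisory: it reads network-logon records, groups them by account and source address, and raises an alert when one principal reaches more than a threshold of distinct hosts inside a sliding time window. The log format, the sample lines, and the threshold values are constructed for illustration.

```python
"""Detect fan-out logons (one account reaching many hosts in a short window),
a common sign of lateral movement that internal monitoring should surface.
Added example, not from the CISA/NSA advisory; the log format and the lines
below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: network logons as a collector might normalise them.
SAMPLE_LOG = """\
2024-05-01T09:58:10 host=ws-07 user=alice src=10.0.5.21 type=network
2024-05-01T10:00:02 host=fs-01 user=svc-backup src=10.0.5.7 type=network
2024-05-01T10:00:09 host=ws-12 user=svc-backup src=10.0.5.7 type=network
2024-05-01T10:00:15 host=ws-13 user=svc-backup src=10.0.5.7 type=network
2024-05-01T10:00:21 host=ws-14 user=svc-backup src=10.0.5.7 type=network
2024-05-01T10:00:30 host=db-02 user=svc-backup src=10.0.5.7 type=network
2024-05-01T10:05:00 host=ws-07 user=alice src=10.0.5.21 type=network
2024-05-01T11:30:00 host=fs-01 user=bob src=10.0.5.40 type=network
"""


def parse_line(line):
    """Turn '<iso timestamp> key=value ...' into a dict with a datetime under 'ts'."""
    ts_text, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts_text)
    return rec


def find_fanout(log_text, max_hosts=4, window=timedelta(minutes=5)):
    """Return (user, src, sorted_hosts) for each principal that logged onto more
    than max_hosts distinct hosts within any `window`-long span of time."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("type") != "network":
            continue  # interactive/console logons are not lateral movement
        events[(rec["user"], rec["src"])].append((rec["ts"], rec["host"]))

    alerts = []
    for (user, src), seq in events.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):
            # Slide the window start forward until it fits within `window`.
            while seq[end][0] - seq[start][0] > window:
                start += 1
            hosts = {host for _, host in seq[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts.append((user, src, sorted(hosts)))
                break  # one alert per principal is enough for a first pass
    return alerts


if __name__ == "__main__":
    for user, src, hosts in find_fanout(SAMPLE_LOG):
        print(f"ALERT {user} from {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

On the sample, `svc-backup` touches five hosts in under thirty seconds and is flagged; `alice` hitting the same workstation twice is not. Thresholds need tuning per environment (a backup service account legitimately reaching many hosts at a fixed time is the classic false positive), which is exactly the kind of ongoing work the article says many organizations lack the budget for.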
Lack of proper network segmentation continues to plague networks, and the CISA report explicitly cites this. “Organizations need to make lateral movement much more difficult for hackers. There are still too many systems where a breach in one weak spot can be exploited network-wide,” Comer added, highlighting that MSPs usually have the skills and software to accomplish robust segmentation.
Techniques MSPs should focus on
The CISA report offers numerous mitigation techniques for MSPs and others. For instance, on network segmentation, the report says:
Implement next-generation firewalls to perform deep packet filtering, stateful inspection, and application-level packet inspection. Deny or drop improperly formatted traffic that is incongruent with application-specific traffic permitted on the network. This practice limits an actor’s ability to abuse allowed application protocols. The method of allow-listing network applications does not rely on generic ports as filtering criteria, enhancing filtering fidelity.
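The last sentence of that passage is the important one: allow-listing by application, not by port. The script below is an added example, not from the report or the article, showing the idea in miniature: each allowed port is bound to a validator for the one protocol permitted there, and a flow whose first client bytes do not match that protocol is dropped even though the port number is "open". The policy table, the helper names and the sample payloads are constructed; the checks cover only the initial client bytes, not the full conversation a real NGFW would inspect.

```python
"""Allow-list traffic by application protocol rather than by port number:
the first bytes of each flow must look like the one protocol permitted on
that port, otherwise the flow is dropped. Added example, not from the
CISA/NSA advisory; the policy table, helper names and sample payloads are
constructed for illustration and cover only the initial client bytes."""


def is_tls_client_hello(data):
    """True if data begins with a TLS record carrying a ClientHello handshake."""
    if len(data) < 9:
        return False
    # Record header: content type 0x16 (handshake), version 0x0301..0x0303, length.
    if data[0] != 0x16 or data[1] != 0x03 or data[2] not in (0x01, 0x02, 0x03):
        return False
    record_len = int.from_bytes(data[3:5], "big")
    # Handshake header: type 0x01 (ClientHello) plus a 3-byte body length that
    # must fill the record exactly (4-byte handshake header + body).
    handshake_len = int.from_bytes(data[6:9], "big")
    return data[5] == 0x01 and handshake_len + 4 == record_len


def is_http_request(data):
    """True if data begins with a well-formed HTTP/1.x request line."""
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")
    if not data.startswith(methods):
        return False
    request_line = data.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return (len(parts) == 3 and parts[1].startswith(b"/")
            and parts[2] in (b"HTTP/1.0", b"HTTP/1.1"))


# Policy (constructed): the single application allowed on each port.
ALLOW_LIST = {443: is_tls_client_hello, 80: is_http_request}


def decide(dst_port, first_bytes):
    """Return 'allow' or a 'drop: ...' reason for a flow's first client bytes."""
    validator = ALLOW_LIST.get(dst_port)
    if validator is None:
        return "drop: port not allow-listed"
    if not validator(first_bytes):
        return "drop: payload does not match the protocol allowed on this port"
    return "allow"


def build_client_hello():
    """Constructed minimal ClientHello (one cipher suite, no extensions)."""
    body = (b"\x03\x03" + bytes(32) + b"\x00"  # client version, random, empty session id
            + b"\x00\x02\x13\x01"              # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                      # one compression method: null
            + b"\x00\x00")                     # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    samples = [
        (443, build_client_hello()),                            # TLS on 443: allowed
        (443, b"SSH-2.0-OpenSSH_9.3\r\n"),                       # SSH tunnelled over 443: dropped
        (80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),    # HTTP on 80: allowed
        (80, b"id\nuname -a\n"),                                 # reverse shell on 80: dropped
        (8080, build_client_hello()),                            # valid TLS, port not in policy
    ]
    for port, payload in samples:
        print(port, payload[:16], "->", decide(port, payload))
```

A port-only rule would have let the SSH banner and the shell commands through on 443 and 80. A production NGFW goes much further (reassembling fragmented records, checking SNI and the server's reply, following the session after the handshake), but the decision structure is the same: the port selects which protocol grammar the traffic must satisfy, and anything that does not satisfy it is dropped.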
The rest of the CISA/NSA list of misconfigurations includes:
- Poor patch management
- Bypass of system access controls
- Weak or misconfigured multifactor authentication (MFA) methods
- Insufficient access control lists (ACLs) on network shares and services
- Poor credential hygiene
- Unrestricted code execution
“Out of all the others on the CISA list, my experience has shown me poor credential hygiene to be a huge problem, which is a tougher one to combat because so much of it is human behavior based,” Comer shares.
Some of the poor credential hygiene practices include:
- Reusing passwords across multiple accounts
- Using weak or easily guessable passwords
- Sharing passwords with others
- Writing down passwords or storing them in insecure locations
- Not using multi-factor authentication (MFA)
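Most of those failures can be caught at the moment a password is set or an account is reviewed. The script below is an added example, not from the article or the advisory: it rejects a new password that is short, on a common-password blocklist, contains the username, or matches any of the account's previous (salted, PBKDF2-hashed) passwords, and it lists accounts with MFA switched off. The blocklist, the account records, and the helper names are constructed; the PBKDF2 work factor follows OWASP's current guidance for PBKDF2-HMAC-SHA256.

```python
"""Password-change policy checks for the credential-hygiene failures listed
above, plus an MFA coverage check. Added example, not from the CISA/NSA
advisory; the blocklist, account records and helper names are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP's current recommendation)
# Constructed blocklist; a real one is the full breached/common-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "welcome1", "letmein"}


def hash_password(password, salt=None):
    """Return (salt, digest) for a password using a fresh 16-byte salt by default."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against a stored salt/digest pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_new_password(username, candidate, history, min_length=14):
    """Return a list of policy violations; an empty list means the password is acceptable.
    history: list of (salt, digest) pairs for the account's previous passwords."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if username.lower() in candidate.lower():
        problems.append("contains the username")
    if any(matches(candidate, salt, digest) for salt, digest in history):
        problems.append("reuses a previous password")
    return problems


def accounts_missing_mfa(accounts):
    """accounts: iterable of dicts with 'name' and 'mfa_enabled'; returns names lacking MFA."""
    return sorted(a["name"] for a in accounts if not a["mfa_enabled"])


if __name__ == "__main__":
    # Constructed account state: one previous password in the history.
    history = [hash_password("Correct-Horse-Battery-2019")]
    for pw in ("Password1", "alice-is-the-best-2024",
               "Correct-Horse-Battery-2019", "Tender-Walrus-Reads-Maps-77"):
        print(f"{pw!r}: {check_new_password('alice', pw, history) or 'OK'}")
    accounts = [{"name": "bob", "mfa_enabled": False}, {"name": "alice", "mfa_enabled": True}]
    print("no MFA:", accounts_missing_mfa(accounts))
```

One limit worth being explicit about: because each stored hash has its own salt, this check can only detect reuse within a single account's history, not the cross-account reuse the list above warns about. That cannot be measured from hashes at all, which is why enforcing MFA on every account is the control that actually caps the damage of a reused or shared password.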
“MSPs need to have a plan in place to mitigate poor credential hygiene because if someone shares a password and disables MFA, all the preparations in the world won’t help,” Comer says.
CISA emphasizes the importance of all 10 of these common misconfigurations. “These assessments have shown how common misconfigurations, such as default credentials, service permissions, and configurations of software and applications; improper separation of user/administration privilege; insufficient internal network monitoring; poor patch management, place every American at risk,” said Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA.