Penetration Test | Jan Kahmen | 6 min read

Top Ten Cybersecurity Misconfigurations

These misconfigurations demonstrate both a trend of systematic weaknesses in many large organizations, including those with mature cyber postures, and the importance of software vendors applying security-focused design principles.

The NSA and CISA (National Security Agency & Cybersecurity and Infrastructure Security Agency) have identified the ten most common network misconfigurations through Red and Blue Team assessments and hunt and incident response team activities. These misconfigurations reveal a trend of systematic weaknesses across many large organizations -- including those with mature cyber postures -- and highlight the importance of software vendors embedding security into their design principles from the start.

1. Default Configurations of Software and Applications

When default configurations of systems, services, and applications are left unchanged, they can enable unauthorized access or other malicious activities. Common weaknesses include default credentials, preset service permissions, and unmodified configuration settings.

2. Insufficient Separation of User/Administrator Permissions

Administrators sometimes assign multiple roles to a single account. These accounts then have access to a wide range of devices and services, allowing threat actors to move through a network undetected without triggering lateral movement or privilege escalation alerts. The assessment teams observed the following common account separation issues: excessive account privileges, overly broad service account permissions, and unnecessary use of elevated accounts.

3. Inadequate Internal Network Monitoring

Insufficient internal network monitoring can leave the network poorly protected and make it easier for attackers to infiltrate and cause damage. It is therefore essential to review network configurations regularly and verify that all security measures are properly implemented.

4. Missing Network Segmentation

Missing or inadequate network segmentation means that different network zones are not sufficiently isolated from one another. This can create significant security gaps: an attacker who gains access to one segment may be able to reach other segments that should be off-limits.

5. Poor Patch Management

Poor patch management occurs when software updates are not applied in a timely and systematic manner. Patches address security vulnerabilities, fix bugs, or add new functionality. Without proper management, known vulnerabilities remain exposed and exploitable.

6. Bypassing System Access Controls

This category covers flaws in system configurations that allow attackers to circumvent intended access controls and gain unauthorized access. This can happen in various ways, such as exploiting default passwords, taking advantage of insufficiently restrictive permissions, or abusing misconfigured firewalls and other security components.

7. Weak or Misconfigured Multi-Factor Authentication (MFA) Methods

Misconfigured MFA systems can contain vulnerabilities that allow attackers to bypass the additional security layer and gain unauthorized access. Common causes include incomplete enforcement of MFA requirements, insecure fallback mechanisms, or faulty integration with existing authentication processes.

8. Insufficient Access Control Lists (ACLs) on Network Shares and Services

When access control lists (ACLs) for network shares and services are not properly configured, unauthorized users or systems may be able to access sensitive data and resources. An ACL defines permissions assigned to specific users or groups for files, folders, or resources. It controls who can access these resources and ensures that only authorized users have access. If ACLs are misconfigured, unauthorized parties may be able to view, modify, or even delete sensitive data -- leading to data breaches, data loss, or other security incidents.

9. Poor Credential Hygiene

Weak credential management creates vulnerabilities that can allow attackers to gain unauthorized access to systems or applications. This can take several forms:

  1. Weak passwords: When users choose weak or easily guessable passwords, attackers can crack them with minimal effort.

  2. Default credentials: Many systems and applications ship with preset credentials that attackers can easily guess if left unchanged.

  3. Missing two-factor authentication: Without an additional security layer such as two-factor authentication, attackers with stolen credentials can access systems far more easily.

  4. No limits on login attempts: Without restrictions on the number of login attempts, attackers can try an unlimited number of credential combinations.

  5. No login activity monitoring: Without monitoring of login activity, suspicious or unusual login attempts go unnoticed, allowing attackers to gain access undetected.
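Points 4 and 5 above are easy to check for in practice. The following is an added example, not code from the original post: it parses a constructed set of sshd-style auth log lines and flags two conditions, a successful login after the lockout threshold was already reached (no limit on attempts) and one source failing against many distinct accounts (password spraying). The thresholds `max_failures` and `spray_accounts` are assumed policy values.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (sshd-style); not taken from any real system.
SAMPLE_LOG = """\
Mar 10 09:01:02 host sshd[2201]: Failed password for alice from 203.0.113.5 port 40012 ssh2
Mar 10 09:01:04 host sshd[2201]: Failed password for alice from 203.0.113.5 port 40013 ssh2
Mar 10 09:01:06 host sshd[2201]: Failed password for alice from 203.0.113.5 port 40014 ssh2
Mar 10 09:01:08 host sshd[2201]: Failed password for alice from 203.0.113.5 port 40015 ssh2
Mar 10 09:01:10 host sshd[2201]: Failed password for alice from 203.0.113.5 port 40016 ssh2
Mar 10 09:01:12 host sshd[2201]: Accepted password for alice from 203.0.113.5 port 40017 ssh2
Mar 10 09:02:00 host sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 50001 ssh2
Mar 10 09:02:01 host sshd[2210]: Failed password for bob from 198.51.100.7 port 50002 ssh2
Mar 10 09:02:02 host sshd[2210]: Failed password for carol from 198.51.100.7 port 50003 ssh2
Mar 10 09:02:03 host sshd[2210]: Failed password for dave from 198.51.100.7 port 50004 ssh2
Mar 10 09:05:00 host sshd[2220]: Failed password for erin from 192.0.2.9 port 60001 ssh2
Mar 10 09:05:10 host sshd[2220]: Accepted publickey for erin from 192.0.2.9 port 60002 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def parse_events(text):
    """Yield (result, user, src) for every line that looks like an sshd auth event."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")

def find_suspicious_logins(text, max_failures=5, spray_accounts=3):
    """Return (logins_after_lockout, spraying_sources).
    logins_after_lockout: (user, src, failures) where a login succeeded although the
    same user/source pair had already reached max_failures (no lockout was enforced).
    spraying_sources: sources that failed against at least spray_accounts accounts."""
    failures = defaultdict(int)          # (user, src) -> failed attempts so far
    accounts_per_src = defaultdict(set)  # src -> accounts it failed against
    logins_after_lockout = []
    for result, user, src in parse_events(text):
        if result == "Failed":
            failures[(user, src)] += 1
            accounts_per_src[src].add(user)
        elif failures[(user, src)] >= max_failures:
            # A lockout policy should have blocked this attempt; its absence is the finding.
            logins_after_lockout.append((user, src, failures[(user, src)]))
    spraying = sorted(s for s, users in accounts_per_src.items() if len(users) >= spray_accounts)
    return logins_after_lockout, spraying
```

Run against real logs, the same two findings map directly onto the missing controls: the first shows that no attempt limit exists, the second that nobody is watching login activity across accounts.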

10. Unrestricted Code Execution

This category covers vulnerabilities in software or system configurations that allow an attacker to execute arbitrary code on the affected system. Such vulnerabilities can arise from insecure default settings, incorrect permissions, or insufficient input validation.

A typical example is a misconfigured web application that allows an attacker to upload and execute malicious code. This can enable the attacker to take control of the system, steal sensitive data, or launch further attacks.
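The upload case above is usually a validation problem rather than a single bug. The following is an added example, not code from the original post, showing how a server-side upload handler can close the common gaps: it rejects path components, double extensions and hidden files, checks the file's leading bytes against an assumed allowlist of types, caps the size, and stores the file under a random server-chosen name outside the web root with no execute bit. `ALLOWED_SIGNATURES`, `max_bytes` and the helper names are assumptions for this example.

```python
import os
import secrets
from pathlib import Path, PurePosixPath

# Assumed policy: only these types are accepted, each verified by its leading bytes
# rather than by the client-supplied file name or Content-Type header.
ALLOWED_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}

def validate_upload(filename, data, max_bytes=5 * 1024 * 1024):
    """Return the accepted extension, or raise ValueError describing the rejection.
    Rejects path components, double/hidden extensions, oversized and mismatched content."""
    name = PurePosixPath(filename).name  # strips any directory part
    if name != filename or name in ("", ".", ".."):
        raise ValueError("path components are not allowed in file names")
    if len(data) > max_bytes:
        raise ValueError("file too large")
    suffixes = PurePosixPath(name).suffixes
    if len(suffixes) != 1:
        raise ValueError("exactly one extension is required")  # blocks a.php.png, .htaccess
    ext = suffixes[0].lower()
    magic = ALLOWED_SIGNATURES.get(ext)
    if magic is None:
        raise ValueError(f"extension {ext} is not in the allowlist")
    if not data.startswith(magic):
        raise ValueError("content does not match the claimed type")
    return ext

def is_accepted(filename, data):
    """Convenience wrapper: True if validate_upload accepts the file, else False."""
    try:
        validate_upload(filename, data)
        return True
    except ValueError:
        return False

def store_upload(filename, data, upload_dir):
    """Write validated data under a random name inside upload_dir (which should sit
    outside the web root), created exclusively and without the execute bit."""
    ext = validate_upload(filename, data)
    dest = Path(upload_dir) / (secrets.token_hex(16) + ext)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest
```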

To prevent these misconfigurations, organizations should perform regular security audits and keep all systems and software up to date. Additionally, secure configuration policies should be enforced, and all permissions and access rights should be appropriately restricted.