Top Ten Cybersecurity Misconfigurations

NSA and CISA (National Security Agency & Cybersecurity and Infrastructure Security Agency) have identified the 10 most common network misconfigurations through Red and Blue Team assessments and NSA and CISA hunt and incident response team activities. These misconfigurations demonstrate both a trend of systematic weaknesses in many large organizations, including those with mature cyber postures, and the importance of software vendors applying security-focused design principles.

1. Default Configurations of Software and Applications

Default configurations of systems, services, and applications can allow unauthorized access or other malicious activities. Typical default configurations include: Default credentials and default service permissions and configuration settings.

2. Insufficient Separation of User/Administrator Permissions

Administrators can assign multiple roles to a single account. These accounts have access to a variety of devices and services, allowing malicious actors to move quickly across a network without triggering lateral movement and/or privilege detection actions. The assessment teams observed the following common account separation misconfigurations: excessive account privileges, elevated service account privileges, and unnecessary use of elevated accounts.

3. inadequate Internal Network Monitoring

Overall, these misconfigurations can lead to inadequate protection of the internal network and make it easy for attackers to penetrate the network and cause damage. Therefore, it is important to regularly review the network configuration and ensure that all security measures are implemented appropriately.

4. Missing Network Segmentation

Misconfiguration of Missing network segmentation refers to errors or inadequate configurations in the network that can result in different network segments not being adequately separated from each other. This can lead to security vulnerabilities as an attacker who has access to one segment may be able to access other segments that are not intended for him.

5. Poor Patch Management

Misconfigurations of poor patch management refers to errors or problems that can occur when patches are not properly managed. Patches are software updates that are developed to address security vulnerabilities, fix bugs, or add new functionality.

6. Bypassing System Access Controls

Misconfiguration of bypassing system access controls refers to flaws or vulnerabilities in the configuration of systems that allow an attacker to bypass the system's access controls and gain unauthorized access. This can be done in a variety of ways, such as by exploiting default passwords, insufficient privileges, or incorrect configurations of firewalls or other security measures.

7. Weak or Misconfigured Multi-factor Authentication (MFA) Methods

Misconfigurations of misconfigured multifactor authentication (MFA) methods refer to errors or vulnerabilities in the configuration of MFA systems that can allow attackers to bypass the additional layer of security and gain unauthorized access to a system or application.

8. Insufficient Access Control Lists (ACLs) on Network Shares and Services

Misconfiguration of insufficient access control lists (ACLs) on network shares and services refers to a vulnerability where access rights to network shares and services are not configured appropriately. This can result in unauthorized users or systems being able to access sensitive data or resources. An ACL is a list of permissions assigned to a specific user or group of users for a particular file, folder, or resource. They are used to control access to these resources and ensure that only authorized users can access them. If ACLs for network shares and services are not properly configured, unauthorized users or systems may be able to access, or even modify or delete, sensitive data. This can lead to data breaches, data loss, or other security issues.

9. Bad Credentials

Misconfiguration of Bad Credentials refers to errors or vulnerabilities in the configuration of credentials that could allow an attacker to gain unauthorized access to a system or application. This can take several forms, such as:

1. weak passwords: if users use weak or easy-to-guess passwords, attackers can easily crack them and gain access to a system.

2. Default credentials: Many systems and applications come with default credentials that can be easily guessed by attackers if not changed.

3. lack of two-factor authentication: without an additional layer of security such as two-factor authentication, attackers can more easily gain access to a system or application by simply logging in with stolen credentials.

4. Lack of limits on login attempts: If there are no limits on the number of login attempts, attackers can make an infinite number of attempts to log in with stolen credentials.

5. lack of logon activity monitoring: without logon activity monitoring, suspicious logon attempts or unusual logon activity can go unnoticed, allowing attackers to gain access undetected.

10. Unrestricted Code Execution

Misconfigurations of Unrestricted Code Execution refers to flaws or vulnerabilities in the configuration of software or systems that allow an attacker to execute arbitrary code on the affected system. These types of vulnerabilities can result from insecure default settings, incorrect permissions, or insufficient checks and validations.

An example of an Unrestricted Code Execution misconfiguration is a misconfigured web application that allows an attacker to upload and execute malicious code. This can lead to the attacker taking control of the affected system and stealing sensitive data or conducting further attacks.

To avoid misconfigurations from Unrestricted Code Execution, it is important to perform regular security audits and ensure that all systems and software are up to date. It is also important to implement secure configuration policies and ensure that all permissions and access rights are appropriately restricted.