The NSA And CISA Share Their Top 10 Network Misconfigurations

The cybersecurity industry abounds with security advisories, top vulnerability lists, and frameworks for understanding attacker behavior and defensive measures.  Some frameworks broadly outline the cybersecurity landscape such as The Cyber Kill Chain, OWASP Top Ten Web Vulnerabilities (2021) and OWASP Mobile Top Ten frameworks, the Common Weakness Enumeration (CWE) framework, the Common Attack Pattern Enumerations and Classifications (CAPEC™) knowledge base, as well as the MITRE ATT&CK and MITRE D3FEND frameworks. Other cybersecurity advisories seek to provide a more real-time assessment of the threat landscape such as Common Vulnerabilities and Exposures (CVE), CISA's Cyber Threats and Advisories, and  CISA's Known Exploited Catalog.  

Earlier this year, the US's National Security Agency (NSA) and Cybersecurity Infrastructure And Security Agency (CISA) added another list of vulnerabilities that broadly characterize the cybersecurity landscape. The top ten cybersecurity misconfigurations list is described as a "plea for network defenders and software manufacturers to fix common problems" and designed to "highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations."

Interestingly, the list also highlights the importance of advanced Penetration Testing activities such as Red Team and Purple Team assessments and their ability to uncover vulnerabilities that can be used to exploit an organization. This is evidenced by the fact that the list was generated from CISA's own Red and Blue team assessments and the activities of its Hunt and Incident Response teams. Earlier in 2023, CISA's Red Team also shared its recommendations for improved monitoring and hardening of networks. 

In this article we review each item on CISA's new Top Ten Cyber Security Misconfigurations list to understand them, the risk they pose to an organization, and the overall cybersecurity landscape better. For a more detailed review of each item on the list, the full report is available online.

NSA And CISA's Top Ten Cyber Security Misconfigurations

Here are CISA's top 10 most common network misconfigurations:

1. Default configurations of software and applications: The default accounts and passwords, and other default access control configurations that come pre-installed on commercial off-the-shelf (COTS) network devices and those that are enabled by default with installing software services were the most common security weakness discovered by CISA's Red Team. The most commonly exploited services were Active Directory Certificate services, legacy protocols/services, and Server Message Block (SMB) services

2. Improper separation of user/administrator privilege: Network administrators may assign excessive privileges to accounts during either the design or implementation of devices and services. Assigning administrative accounts where they are not required leads to an expanded attack surface known as "privilege creep". Such configurations allow faster escalation to gain control of critical devices and services in a network, often undetected. Elevated network service accounts are particularly vulnerable, as they have wide-ranging domain access. Using elevated accounts for non-essential tasks increases the risk of credential theft and makes password-cracking techniques like kerberoasting more likely to pay off for exploiting highly privileged accounts

3. Insufficient internal network monitoring: Failing to implement network monitoring alongside host-based monitoring is unable to track the source of infections, allowing undetected lateral movements, persistent access, and data exfiltration by adversaries. Without vital monitoring and triggering alerts, even an attacker's noisy cyber activities can fly under the radar, allowing even low-skilled attackers a higher chance of success

4. Poor credential hygiene: Lax practices around credential creation and storage can lead to a network's downfall. Weak passwords can be cracked using tools like Hashcat, and when databases are not protected adequately, used to gain broader network access. Even worse, storing passwords in cleartext presents a severe security flaw. It's important to enforce strong password policies and database security best practices

5. Poor patch management: Failing to perform regular updates, using unsupported operating systems, and running outdated firmware exposes networks to vulnerabilities that can be easily discovered and exploited by adversaries. Unpatched vulnerabilities, CVE-2021-44228 (Log4Shell) serve as an open invitation for cyber attackers and can be exploited with low-skilled attacks with readily available attack code. The use of outdated Windows operating systems without critical updates like MS17-010 and MS08-67 significantly heightens the risk of unauthorized access and data compromise, leaving the organization's systems at high risk

6. Bypass of system access controls: Some system access controls can be circumvented using authentication attack methods. For instance, if an attacker can acquire password hashes within a network, they might authenticate using unconventional mechanisms like the pass-the-hash (PtH) [T1550.002] or Kerberoasting [T1558.003]. This can potentially allow attackers to compromise critical systems or accounts

7. Weak or misconfigured multifactor authentication (MFA) methods: If the multifactor authentication (MFA) systems for highly sensitive contexts are misconfigured, they may allow attackers to persistently use stolen authentication codes for access. Also, some MFA methods are susceptible to phishing, "push bombing" [T1621], exploitation of Signaling System 7 (SS7) vulnerabilities, or even SIM swap scams

8. Insufficient access control lists (ACLs) on network shares and services: Using commands, open-source tools, or malware, attackers typically seek out high-value shared folders and drives [T1135]. In documented breaches, attackers have employed tools like CovalentStealer to identify and categorize files for exfiltration [TA0010]. Even without direct access from credentials in file shares, attackers can still glean valuable information about the network's topology or exploit found data for extortion or further social engineering attacks

9. Unrestricted code execution: Attackers have many methods to convince their victims to execute code on their behalf such as social engineering, drive-by downloads, or Trojanized applications. This initial access malware gives attackers remote access to the internal network. The unrestricted execution of executables, DLLs, HTML applications, and macros can be leveraged for initial access, persistence, and lateral movement. Attackers often employ scripting languages to obfuscate their actions and bypass security measures, such as application allowlisting, further exploiting vulnerabilities to execute code with the highest system privileges and fully compromise the device

10. Lack of network segmentation: Network segmentation creates security boundaries, which prevent adversaries from moving laterally across user, production, and critical systems that comprise a network. A lack of network segregation makes organizations especially vulnerable to ransomware attacks and various post-exploitation techniques aimed at enumerating all endpoints on a network and gaining access to those with the most value. Even when IT and operational technology networks are believed to be air-gapped, assessment teams have exploited overlooked or unintended connections, leading to unauthorized access, significant operational risks and potential compromise

CISA's Broad Mitigation Directive

The most broad directives for improving network security resulting from this advisory are to ensure that teams are well-trained, adequately sized, and sufficiently funded. An organization's IT security team is fundamentally important in applying network security best practices and mitigations for all items mentioned in the list.

Secondly, CISA also advises that software manufacturers play a proactive role in removing vulnerable default security configurations. This dual approach of empowering security teams and obligating software manufacturers to adopt secure-by-design methodologies forms a comprehensive strategy for bolstering cybersecurity defenses.

Conclusion

The recent joint publication by the NSA and CISA provides a critical look at the prevailing network misconfigurations plaguing large organizations and was intended as a call to network defenders, software producers, and hardware manufacturers to address these most common and high-risk weaknesses. The top ten misconfigurations listed are derived from the agencies' penetration testing exercises and incident responses, underscoring the benefits of advanced Penetration Testing to provide valuable insight into a network's weaknesses.

Some of the top items on the list include failing to change default configurations, allocating liberal access privileges, lack of network segmentation and patch management, insufficient monitoring, lax MFA setups, inadequate access controls, poor credential management, and unrestricted code execution.

Looking for more cybersecurity news and updates? Sign up for our newsletter today or reach out to our team to kickstart strengthening your security posture.