The Top 10 Cybersecurity Misconfigurations

October 6, 2023 by TNTMAX


It’s Cybersecurity Awareness Month and the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have revealed the top 10 most common cybersecurity misconfigurations. The data in the report was collected by the two agencies’ Red and Blue teams during assessments and during incident response activities. 

“These assessments have shown how common misconfigurations, such as default credentials, service permissions, and configurations of software and applications; improper separation of user / administration privilege; insufficient internal network monitoring; poor patch management, place every American at risk,” said Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA.

Here’s a look at the list and what these misconfigurations mean:  

Default Configurations Of Software And Applications

Default configurations of systems, services, and applications can permit unauthorized access or other malicious activity. Common default configurations include:

  • Default credentials
  • Default service permissions and configurations settings

Certain services ship with overly permissive access controls or otherwise insecure settings out of the box, so change default credentials and harden default service settings before a system goes into production.

Improper Separation Of User/Administrator Privilege

It is common for administrators to assign multiple roles to one account. These accounts have access to a wide range of devices and services, allowing malicious actors to move through a network quickly with one compromised account. The assessment teams observed the following common account separation misconfigurations:

  • Excessive account privileges
  • Elevated service account permissions
  • Non-essential use of elevated accounts

Insufficient Internal Network Monitoring

Some organizations face challenges in optimally configuring host and network sensors for effective traffic collection and end-host logging. Inadequate configurations may result in undetected compromise, limiting the ability to develop enhanced baselines and hampering timely detection of atypical activity.

Lack of Network Segmentation

Inadequate network segmentation, without clear security boundaries, exposes organizations to heightened risks. It allows adversaries to move freely across user, production and critical system networks, increasing vulnerability to ransomware and post-exploitation threats. Lack of segmentation, particularly between IT and operational technology (OT) environments, puts OT at risk, as even seemingly air-gapped networks may have overlooked connections.

Poor Patch Management

Vendors release patches and updates to address security vulnerabilities. Not managing these patches well can enable cybercriminals to discover open attack vectors and exploit critical vulnerabilities. Poor patch management includes:

  • Lack of regular patching
  • Use of unsupported operating systems (OSs) and outdated firmware

Bypass of System Access Controls

Malicious actors can bypass system access controls by abusing alternate authentication methods. If they can collect password hashes on a network, they can authenticate with the hash itself rather than the password (pass-the-hash), gaining unauthorized access and escalating privileges so they can expand and entrench their presence stealthily within the network.

Weak or Misconfigured MFA Methods

Networks that require smart cards or tokens can implement that requirement improperly, so that an account's password hash never changes even though the password itself is never used. If the hash stays the same, a malicious actor who obtains it can keep authenticating with it indefinitely.

Additionally, some multifactor authentication methods are susceptible to phishing, push bombing, SS7 protocol vulnerabilities, or SIM swap techniques, potentially enabling threat actors to compromise MFA credentials and bypass MFA-protected systems.
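The exchange below is an added example, not code from the TNTMAX article or the NSA/CISA advisory, showing the mechanism behind the two points above (hash-based bypass of access controls, and why an unchanged hash on a smart-card-only account stays usable): a minimal NTLMv2 challenge/response in Python, the Windows case the advisory's "hashes" refers to. The MD4 routine, NTLMv2 proof computation and server-side check follow RFC 1320 and MS-NLMP; the account name, domain, passwords and the client blob are constructed placeholders, and the blob is a simplified stand-in for the real NTLMv2 client blob.

```python
"""Why a stolen NT hash works as well as the password under NTLM.

Added illustration (not code from the article or the advisory): a minimal
NTLMv2 challenge/response in pure Python. The client only ever needs the NT
hash, MD4 of the UTF-16LE password, so whoever dumps that hash can answer the
server's challenge without the password (pass-the-hash), and can keep doing so
until the hash changes. Account, domain, passwords and the client blob are
constructed placeholders; the blob is a simplified stand-in for the real one.
"""
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks it on OpenSSL 3 builds."""
    mask = 0xFFFFFFFF
    rotl = lambda v, n: ((v << n) | (v >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                           # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 2
            a = rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 3
            a = rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)): what the domain controller stores."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr per MS-NLMP. The only secret input is the NT hash, never the password."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()


def server_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes, proof: bytes) -> bool:
    """The server recomputes the proof from the hash it stores and compares."""
    expected = ntlmv2_proof(stored_nt, user, domain, server_challenge, blob)
    return hmac.compare_digest(expected, proof)


def demo() -> dict:
    """Three logons against one account: password holder, hash holder, hash holder after rotation."""
    user, domain = "svc_backup", "CORP"              # constructed
    stored = nt_hash("Autumn2023!")                   # DC's copy of the account's NT hash
    dumped = bytes(stored)                            # attacker's copy, e.g. from LSASS or NTDS.dit
    challenge = os.urandom(8)                         # server's 8-byte nonce for this logon
    blob = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 133_400_000_000_000_000) + os.urandom(8) + b"\x00" * 4
    legit = ntlmv2_proof(nt_hash("Autumn2023!"), user, domain, challenge, blob)
    pth = ntlmv2_proof(dumped, user, domain, challenge, blob)
    results = {
        "password_holder_accepted": server_verify(stored, user, domain, challenge, blob, legit),
        "hash_holder_accepted": server_verify(stored, user, domain, challenge, blob, pth),
    }
    # Only an actual password change produces a new hash and invalidates the stolen one.
    rotated = nt_hash("Winter2024!")
    results["hash_holder_after_rotation"] = server_verify(rotated, user, domain, challenge, blob, pth)
    return results


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The server never sees a password, only a proof keyed by the hash, which is why the advisory treats hash collection as an access-control bypass and why an account whose hash is never rotated (the smart-card case above) gives an attacker indefinite access. The fix on the directory side is to rotate such accounts' passwords (hashes) on a schedule even when nobody types them.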

Insufficient ACLs on Network Shares and Services

Data shares and repositories are prime targets for malicious actors. Improperly configured access control lists (ACLs) on shared drives may enable unauthorized users to access sensitive or administrative data. Malicious actors can exploit this vulnerability using various methods, including commands, open source tools, or custom malware to identify and access shared folders and drives.

Poor Credential Hygiene

Poor credential hygiene helps threat actors in obtaining credentials for initial access, persistence, lateral movement and other follow-on activity. Examples include:

  • Easily crackable passwords
  • Cleartext password disclosure

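As an added example of how an assessment team checks for both items above (it is not code from the article or the advisory), the Python below scans a handful of constructed sample lines of the kind found in logon scripts, configuration files and file shares for cleartext credentials, and rates how crackable each recovered password is. The regexes, the tiny common-password list, the season-plus-year rule and the sample lines are all assumptions made for the illustration.

```python
"""Find cleartext credentials in text and rate how crackable they are.

Added example, not from the article: the sample lines, the patterns and the
tiny common-password list are constructed for the illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample of what a sweep of a share or script repository can turn up.
SAMPLE_LINES = [
    'Server=db01;User Id=sa;Password=P@ssw0rd;',
    'net use \\\\fs01\\finance /user:CORP\\backup_admin Summer2023!',
    '$pw = ConvertTo-SecureString "hunter2" -AsPlainText -Force',
    'db_password = "Xk7#qLm2$vRt9!Wz"',
    'PASSWORD_FILE=/run/secrets/db_password',   # reference to a secret, not a secret
    'ssh-rsa AAAAB3NzaC1yc2EAAA... deploy@ci',   # public key, not a secret
]

# (name, regex with the secret in group 1); order matters, first match wins.
PATTERNS = [
    ("connection_string", re.compile(r"(?i)\bpassword=([^;\s]+)")),
    ("net_use",           re.compile(r"(?i)\bnet use\s+\S+\s+/user:\S+\s+(\S+)")),
    ("powershell_plain",  re.compile(r'ConvertTo-SecureString\s+"([^"]+)"\s+-AsPlainText')),
    ("config_assignment", re.compile(r'(?i)(?:password|passwd|pwd)\s*=\s*"([^"]+)"')),
]

COMMON = {"password", "p@ssw0rd", "hunter2", "welcome1", "admin", "123456"}  # constructed, tiny
SEASON_YEAR = re.compile(r"(?i)^(spring|summer|autumn|fall|winter)\d{2,4}[!@#$%]*$")


def crackability(pw: str) -> str:
    """Rough triage: what a wordlist plus rules would get in seconds vs. not at all."""
    low = pw.lower()
    if low in COMMON or SEASON_YEAR.match(pw):
        return "trivial"           # in every wordlist / rule set
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(pw) < 12 or classes < 3:
        return "weak"              # short or low-entropy: brute force or masks get it
    return "strong"                # still a cleartext disclosure, so still a finding


@dataclass
class Finding:
    line_no: int
    kind: str
    crackability: str
    redacted: str                  # never write the full secret into a report


def redact(secret: str) -> str:
    return secret[:2] + "*" * (len(secret) - 2)


def scan(lines) -> list:
    findings = []
    for n, line in enumerate(lines, start=1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                secret = m.group(1)
                findings.append(Finding(n, kind, crackability(secret), redact(secret)))
                break              # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind:18} {f.crackability:8} {f.redacted}")
```

Every hit is a finding regardless of strength, because the disclosure itself is the misconfiguration; the crackability column just orders the cleanup. Lines that merely reference a secret store or carry a public key are deliberately not matched.
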
Unrestricted Code Execution

Allowing unverified programs to execute on hosts poses a significant risk: it lets threat actors run arbitrary, malicious payloads inside the network. After gaining initial access, typically through phishing, malicious actors commonly execute code, usually in the form of unverified programs, to obtain remote access and compromise internal networks.
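The Python below is an added example, not code from the article or from any application-control product, of the verification step this item calls for: an offline evaluator for a hash-plus-path allow-list in the style of tools such as AppLocker or WDAC, plus an audit for the usual hole, a path rule that covers a directory standard users can write to. The rules, directory names and "binaries" are constructed for the illustration.

```python
"""Evaluate an application allow-list and audit it for the usual hole.

Added example, not from the article: an offline evaluator for a hash-plus-
path allow-list, modelled on how application-control tools reason. Rules,
paths and "binaries" are constructed for the illustration. A path rule that
covers a directory standard users can write to is flagged, because copying an
unapproved binary into it makes the rule allow that binary.
"""
import hashlib
import ntpath
from dataclasses import dataclass


@dataclass
class Policy:
    allowed_hashes: set        # SHA-256 hex digests of approved binaries
    allowed_dirs: list         # directories whose contents may run (path rules)
    user_writable_dirs: list   # known locations a standard user can write to


def _norm(path: str) -> str:
    # Resolve ..\ segments and case so prefix matching means what it says on Windows.
    return ntpath.normpath(path).lower()


def audit_policy(policy: Policy) -> list:
    """Path rules overlapping a user-writable directory are bypassable."""
    issues = []
    for d in policy.allowed_dirs:
        nd = _norm(d)
        for w in policy.user_writable_dirs:
            nw = _norm(w)
            if nw == nd or nw.startswith(nd + "\\") or nd.startswith(nw + "\\"):
                issues.append(f"path rule {d} overlaps user-writable {w}")
    return issues


def decide(policy: Policy, path: str, content: bytes) -> tuple:
    """Allow by hash first, then by path rule; anything unmatched is denied."""
    digest = hashlib.sha256(content).hexdigest()
    if digest in policy.allowed_hashes:
        return ("allow", "hash")
    p = _norm(path)
    for d in policy.allowed_dirs:
        if p.startswith(_norm(d) + "\\"):
            return ("allow", f"path:{d}")
    return ("deny", "no matching rule")


# Constructed stand-ins for file contents; a real policy hashes the actual PE files.
APPROVED = b"MZ... vendor app build 4.2, signed and reviewed"
MALWARE = b"MZ... invoice.exe from a phishing email"

WEAK = Policy(
    allowed_hashes={hashlib.sha256(APPROVED).hexdigest()},
    allowed_dirs=[r"C:\Program Files", r"C:\Windows"],
    user_writable_dirs=[r"C:\Windows\Temp", r"C:\Users\alice\Downloads"],
)
HARDENED = Policy(
    allowed_hashes={hashlib.sha256(APPROVED).hexdigest()},
    allowed_dirs=[r"C:\Program Files"],   # the C:\Windows rule is replaced by explicit hash rules
    user_writable_dirs=[r"C:\Windows\Temp", r"C:\Users\alice\Downloads"],
)

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "audit:", audit_policy(pol) or "clean")
        print(name, r"C:\Windows\Temp\payload.exe ->", decide(pol, r"C:\Windows\Temp\payload.exe", MALWARE))
```

The weak policy lets the phished payload run as soon as it is dropped into C:\Windows\Temp, and the audit says why before anyone has to find out the hard way; the hardened policy denies it because nothing outside Program Files runs unless its hash was approved.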

These 10 cybersecurity misconfigurations underscore the critical need for improved cybersecurity practices. Neglecting these areas poses significant risks, emphasizing the importance of proactive measures to safeguard against evolving cyber threats. Cybersecurity Awareness Month serves as a timely reminder to bolster cyber defenses for you and your businesses.

To learn how TNTMAX can help your business with cybersecurity measures, please click here.