NSA Shares Top Ten Cybersecurity Misconfigurations (cisa.gov) 31
The National Security Agency (NSA), in partnership with the Cybersecurity and Infrastructure Security Agency (CISA), have highlighted the ten most common cybersecurity misconfigurations in large organizations. In their join cybersecurity advisory (CSA), they also detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations. From the report: Through NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common network misconfigurations:
1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
6. Bypass of system access controls
7. Weak or misconfigured multifactor authentication (MFA) methods
8. Insufficient access control lists (ACLs) on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution
NSA and CISA encourage network defenders to implement the recommendations found within the Mitigations section of this advisory -- including the following -- to reduce the risk of malicious actors exploiting the identified misconfigurations: Remove default credentials and harden configurations; Disable unused services and implement access controls; Update regularly and automate patching, prioritizing patching of known exploited vulnerabilities; and Reduce, restrict, audit, and monitor administrative accounts and privileges.
NSA and CISA urge software manufacturers to take ownership of improving security outcomes of their customers by embracing secure-by-design and-default tactics, including: Embedding security controls into product architecture from the start of development and throughout the entire software development lifecycle (SDLC); Eliminating default passwords; Providing high-quality audit logs to customers at no extra charge; and Mandating MFA, ideally phishing-resistant, for privileged users and making MFA a default rather than opt-in feature. A PDF version of the report can be downloaded here (PDF).
1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
6. Bypass of system access controls
7. Weak or misconfigured multifactor authentication (MFA) methods
8. Insufficient access control lists (ACLs) on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution
NSA and CISA encourage network defenders to implement the recommendations found within the Mitigations section of this advisory -- including the following -- to reduce the risk of malicious actors exploiting the identified misconfigurations: Remove default credentials and harden configurations; Disable unused services and implement access controls; Update regularly and automate patching, prioritizing patching of known exploited vulnerabilities; and Reduce, restrict, audit, and monitor administrative accounts and privileges.
NSA and CISA urge software manufacturers to take ownership of improving security outcomes of their customers by embracing secure-by-design and-default tactics, including: Embedding security controls into product architecture from the start of development and throughout the entire software development lifecycle (SDLC); Eliminating default passwords; Providing high-quality audit logs to customers at no extra charge; and Mandating MFA, ideally phishing-resistant, for privileged users and making MFA a default rather than opt-in feature. A PDF version of the report can be downloaded here (PDF).
forgot zero (Score:4, Insightful)
Zero: listening to the NSA, like when they told us to run Vista for maximum security.
Zero point one: running any version of Windows. NSAKEY, anyone? Take two, they're small!
Re: (Score:2)
Their installation guide for SELinux told people to configure sudo to be passwordless!!!
Re: forgot zero (Score:2)
No popular operating system is good at role based access control where a user can have multiple roles.
With proper access control using roles a user shouldn't be permitted to perform role traversing information transfers in an uncontrolled manner.
E.g. copying Excel data between two spreadsheets in different role areas.
Re: (Score:3)
NSAKEY has been thoroughly debunked as a "back door" in Windows. It exists (or existed) to allow the NSA to digitally sign encryption modules for use in Windows as part of its role in evaluating requests for export of cryptography under export controls.
Re: (Score:2)
Sure, and there's absolutely no way that could have ever been used to back door anyone's communications, and the NSA has our best interests at heart, and would never operate unconstitutional citizen spying programs.
Re: (Score:2)
There is no end to other registry exploits available, prominently labeling one 'NSAKey' would be stupid (and IIRC there's not much you could do from that location anyway). When I first heard of this my initial thought was, "Someone at MS wanted to play with the conspiracy theorists." My second was, "This is far more likely to be a distraction away from whatever they actually planned to do."
Re: (Score:2)
Arguing that it's not malicious because we know about it is foolish. Microsoft refused to comment on it at all for years.
Re: (Score:1)
> prominently labeling one 'NSAKey' would be stupid
You highly underestimate the stupidity of Microsoft and the NSA
Re: (Score:2)
I've worked at Microsoft off and on for several years, outside of the exception of the (post-Gates) executive suites I always found most of the people there to be extremely smart. There are exceptions, of course, but the average Microsoftie would rank pretty high on the intelligence scale.
On the other hand I've worked with a couple of ex-NSA staffers, and can't say the same about them. "Unimaginative paper pushers" would be a little generous.
Re: (Score:2)
Sorry, but if you don't already thoroughly trust MS and the NSA, then their offering an explanation without proof is not a debunking. Even if you do it should be considered dubious. Actual debunking requires proof, not just plausible stories.
So. yeah, that's a plausible story. It MAY be correct.
Re: (Score:2)
fingerd.... (Score:2)
and other vulnerable applications with no practical use included in standard distributions of various *nixes
Re: fingerd.... (Score:3)
It's usually not active and is a remnant from a more civilized time.
You dirty, dirty...keyboard. (Score:2)
"Poor credential hygiene"
Uh just curious, are they're referring to the dirty-ass minds creating credentials, or the dirty-ass-a-toilet-seat keyboard used to enter them?
Those in IT support have seen some shit..
They forgot some (Score:5, Informative)
Being located inside the United States
Using the internet without TLS encryption end-to-end
Having your plaintext data moved through "secret rooms" at AT&T datacenters
Using a cloud service provider that feeds data into PRISM
Having a phone vulnerable to one of their many zero-day zero-click exploits (which happens to be almost every phone), or even
Order a computer from Dell or Lenovo when youre on an NSA list, will come with wireless keylogger and modem to exfil data even on airgapped machines
Re: They forgot some (Score:2)
Any tips for "Internal Network Monitoring?" (Score:2)
Are they saying firewall level logging of internal network rules or suggesting something more robust? (Not my day job.) I get strategies to monitor the "management" network including resource access, but tracking within userland access segments seems a bit challenging.
How many millions did this cost? (Score:2)
By all the gods, how much did they spend on this foolishness? Pretty much anyone who's ever worked in the field for a decade could have assembled this list in an hour, just thinking on previous issues they've personally encountered.
Re: (Score:2)
I work in a large worldwide corporation and the IT has an extremely centralized thinking which allowed a ransomware attack to become very widespread.
Surviving networks were those that weren't managed centrally.
Point 3 and 4 in the list are somewhat contradictory. For management it's more important to monitor than to segment. Some network segments are better off being isolated and not monitored because monitoring them will require the need for punching holes in the segmentation. Opening a firewall from a seg
Re: (Score:2)
Finally someone with insight.
The field is desperately in need of intelligence.
And I don't mean AIs ingesting millions of dark web posts to report that Windows is a hot target right now.
But some actual thinking things through.
humans (Score:2)
You can do all of those things and still get hacked. Humans are the real problem. Give humans access to the internet and digital assets at the same time and all kinds of badness happens.
Re: (Score:2)
As we always say in the physical security business, "The problem is almost never the hardware or the software, it's the wetware." (Except for Sony, then it probably is their hardware and their software. Glad they're out of that business now.)
Correct (Score:2)
This list mostly does match the structure of corporate internal IT audits, thanks to reminding. Some will take it seriously.
Linux default basic check list (Score:2)
2. The second-biggest issue, by far, is having permissive sudo settings! —DO NOT GIVE EVERYONE SUDO ACCESS.
3. The third-biggest issue, by far, is having permissive sudo settings! —DO NOT GIVE EVERYONE SUDO ACCESS.
4. Lock down SSH, and DO NOT change the port. Changing the port is not going to help you. If you're at the point that moving from 22 to 9022 is going to polish the top of
Re: (Score:2)
Great list. Just a thought on #11. I would say all logs should be gathered by a remote server that doesn't accept any inbound network connections.
Re: (Score:2)
what about their recommended password manager (Score:2)
No surprises (Score:2)
This is essentially the same list anybody competent has come up for the present state.