There's a systemic weakness in large organizations’ network infrastructure: common problems go unrepaired, the National Security Agency and the Cybersecurity and Infrastructure Security Agency said earlier this month in an advisory.
The pleas from federal cyber authorities “for network defenders and software manufacturers to fix common problems” underscore the importance of secure-by-design principles, CISA said.
The ten most common misconfigurations read like a list of basic standards and best practices, according to cybersecurity experts and analysts. These weaknesses are abundant even in enterprises with mature cybersecurity postures, according to CISA.
The top 10 cybersecurity misconfigurations in large organizations include:
- Default software and application configurations
- Improper user and administrative user separation
- Insufficient internal network monitoring
- Lack of network segmentation
- Poor patch management
- System access controls bypass
- Weak or misconfigured MFA
- Insufficient access control lists on shared services
- Poor credential management
- Unrestricted code execution
No cybersecurity professional should be surprised by these misconfigurations. The list hasn’t changed much from one that would have been published 10 years ago, according to Katell Thielemann, distinguished VP analyst at Gartner.
“If large organizations cannot handle these issues, think about the plight of small- and medium-size enterprises,” Thielemann said via email.
“Calling out these things as ‘systemic weakness’ pointing to poor basic cyber hygiene shows a stark disconnect between what everyone by now knows are best practices and the actual complexities of implementing them in the real world,” Thielemann said.
The basics of cybersecurity, it turns out, aren’t so basic.
The biggest difference between this list and other “do as I say” bulletins from federal agencies is the implicit call-out for software manufacturers to step up, Thielemann said.
CISA and other agencies continue to push a set of principles and tactics, first unveiled in April, that shift responsibility for security onto the companies that make products and away from the customers that use them.
“NSA and CISA urge software manufacturers to take ownership of improving security outcomes of their customers by embracing secure-by-design and default tactics,” the agencies said in the advisory.
These measures include embedding security controls into product architecture from the start, eliminating passwords, mandating multi-factor authentication, and providing high-quality audit logs at no additional cost.
NSA and CISA shared detailed mitigations for these most common weaknesses and more broadly advised network defenders to remove default credentials, disable unused services, automate patching, and restrict and monitor administrative accounts and privileges.
“All of the illustrated shortcomings should be addressed from day one, not day 366. Hard-coded passwords, identity configuration drift, asset protection and network access are all part and parcel of daily operations,” Heath Mullins, senior analyst at Forrester, said via email.
“Leadership should view this report as a wake-up call, as these issues are very common, widespread, not clearly understood to someone without a wide and deep understanding of security practices,” Mullins said.