The joint cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency and National Security Agency offers recommendations for better cybersecurity posture based on the top 10 misconfigurations across organizations.
A joint cybersecurity advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) warns organizations that the ten most common software misconfigurations leaving digital networks vulnerable to outside attack demonstrate the need for secure-by-design approaches.
Released on Thursday, the advisory was formed through a series of Red and Blue team — offensive and defensive, respectively — assessments conducted by agency officials. Findings from that testing show that the top 10 misconfigurations in digital systems are:
- Default configurations of software and applications
- Improper separation of user/administrator privilege
- Insufficient internal network monitoring
- Lack of network segmentation
- Poor patch management
- Bypass of system access controls
- Weak or misconfigured multifactor authentication methods
- Insufficient access control lists on network shares and services
- Poor credential hygiene
- Unrestricted code execution
“These misconfigurations illustrate (1) a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and (2) the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders,” the notice summary reads.
Underpinning the recommendations both agencies offer is the adoption of a secure-by-design approach to software design and deployment, a philosophy promoted within the Biden administration’s digital policies.
Embedding security into software architecture and the development lifecycle, eliminating default passwords and login credentials, and employing multifactor authentication methods are several of the secure-by-design approaches CISA and NSA recommend.
The advisory also stresses the importance of reducing the opportunity for phishing attacks by ensuring that login schemes can withstand such attempts, since the Red and Blue teams deployed by the agencies were able to gain network access through phishing.