NSA and CISA Reveal Top 10 Cybersecurity Misconfigurations


US Government Agencies National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) revealed this week the top ten most common cybersecurity misconfigurations discovered by their red and blue teams in the networks of large organizations.

The advisory also details what tactics, techniques, and procedures (TTPs) threat actors use to successfully exploit these misconfigurations with various goals, including gaining access to, moving laterally, and targeting sensitive information or systems.

Even though this advisory focuses on large organizations, small businesses can learn much about cybersecurity best practices from it.

The top 10 most prevalent network configurations discovered during Red and Blue team assessments and by NSA and CISA Hunt and Incident Response teams include:

  1. Default configurations of software and applications
  2. Improper separation of user/administrator privilege
  3. Insufficient internal network monitoring
  4. Lack of network segmentation
  5. Poor patch management
  6. Bypass of system access controls
  7. Weak or misconfigured multifactor authentication (MFA) methods
  8. Insufficient access control lists (ACLs) on network shares and services
  9. Poor credential hygiene
  10. Unrestricted code execution

NSA and CISA also encourage IT providers, MSPs, and internal IT teams to implement the recommended mitigation measures to reduce the risk of attackers exploiting these common misconfigurations.

Mitigations that would have this effect include:

  • eliminating default credentials and hardening configurations,
  • deactivating unused services and implementing stringent access controls,
  • ensuring regular updates and automating the patching process, giving priority to patching known vulnerabilities that have been exploited,
  • and reducing, restricting, auditing, and closely monitoring administrative accounts and privileges.

Besides applying the mitigations above, NSA and CISA recommend “exercising, testing, and validating your organization’s cybersecurity program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework” in today’s advisory.

The bottom line for small businesses – you can learn from these types of advisories by having conversations with your MSP or your internal IT team about implementing these recommended mitigations and also contracting with 3rd Party Managed Security Services Providers (MSSPs) for penetration testing, vulnerability management, and other cybersecurity services and solutions to protect your organization against the latest cyber threats and reduce your cyber risk.

Want to learn about how to protect your organization against the latest cyber threats? Register for our upcoming Cybersecurity for CEOs lunch & learn or book a complimentary Cybersecurity Discovery call.