NSA and CISA Highlight Top 10 Cybersecurity Misconfigurations

In a landmark collaborative effort, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) that uncovers the ten most frequently encountered cybersecurity misconfigurations in large organizations' networks.

This advisory emerges from extensive evaluations by both the NSA and CISA Red and Blue teams. These elite units have examined the cybersecurity health of numerous entities, spanning the Department of Defense (DoD), the Federal Civilian Executive Branch (FCEB), state, local, tribal, and territorial (SLTT) governments, and even the private sector.

The misconfigurations cataloged in the CSA are frequent and represent a systemic vulnerability. Based on evaluations by the NSA and CISA's Red and Blue teams, as well as insights from the NSA and CISA Hunt and Incident Response units, the agencies pinpointed the top 10 prevalent cybersecurity misconfigurations. The list is as follows:

1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
6. Bypass of system access controls
7. Weak or misconfigured multifactor authentication (MFA) methods
8. Insufficient access control lists (ACLs) on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution

Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, emphasized that “common misconfigurations, such as default credentials, service permissions, and configurations of software and applications; improper separation of user/administration privilege; insufficient internal network monitoring; poor patch management, place every American at risk."

To address this pressing concern, the report goes beyond just listing problems. It underscores the urgent necessity for software manufacturers to follow secure-by-design principles, thus diminishing the likelihood of compromise. Goldstein presses software developers to adopt proactive measures, including the incorporation of security controls right from the initial stages of product development and the elimination of default passwords.

Moreover, the CSA is not just a call to manufacturers but also to network defenders. Both agencies advocate for strongly implementing the mitigation measures detailed within the advisory. These include removing default credentials, deactivating unused services, performing regular updates, and maintaining a keen focus on administrative accounts and privileges.

CISA, known as America's Cyber Defense Agency, recently introduced its "Secure Our World" campaign. A cornerstone of this initiative is urging technology providers, especially software manufacturers, to prioritize security in their products. The campaign emphasizes that securing products from the onset is pivotal for ensuring the safety of both individual and business consumers.