Cyber attackers regularly exploit unpatched software vulnerabilities, but they also continuously target security misconfigurations to gain initial access to victims' systems. The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA, together with cybersecurity authorities from Canada, New Zealand, the Netherlands and the UK, have created a to-do list for defenders in today's heightened threat environment.
The list covers the main weak security controls, poor configurations and poor security practices that defenders should be aware of in order to take the actions needed to counter these cyber threats. It also contains the agencies' collective recommended mitigations.
Cyber criminals routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls and other poor cyber hygiene practices to gain initial access, or as part of other tactics to compromise a victim's system.
The list of actions includes the obvious candidates, such as enabling multi-factor authentication (MFA) on key systems like virtual private networks (VPNs); even these are prone to misconfiguration when implemented in complex IT environments.
For example, last year Russian hackers combined a default policy shared by multiple MFA solutions with a Windows printer privilege escalation flaw to disable MFA for active domain accounts and then establish remote desktop protocol (RDP) connections to Windows domain controllers. This complexity can also be seen in the choice, deployment and use of VPNs, whose adoption escalated after the pandemic struck.
Recent research by Palo Alto Networks found that 99% of cloud services use excessive permissions, contrary to the well-known principle of least privilege, which limits an attacker's opportunities to breach a system.
The security controls outlined in CISA's list serve as a useful checklist for organizations, many of which deployed remote-working IT infrastructure hastily during the pandemic, amid today's heightened geopolitical tensions caused by Russia's invasion of Ukraine. The alert also follows the EU joining the US and the other Five Eyes nations in jointly blaming the Russian military for this year's cyberattack against Viasat's European satellite broadband users.
The joint alert notes that attackers commonly exploit public-facing applications and external remote services, use phishing to obtain valid credentials, and exploit trusted relationships and valid accounts. It recommends that MFA be enforced for everyone, especially since RDP is commonly used to deploy ransomware; do not exclude any user, particularly administrators, from the MFA requirement.
Incorrectly applied privileges or permissions, and errors in access control lists, can prevent the enforcement of access control rules and give unauthorized users or system processes access to objects. Make sure software is up to date and security patches are applied as soon as possible.
Don't use vendor-supplied default configurations or usernames and passwords. These might be 'user friendly' and help the vendor deliver faster troubleshooting, but they are often publicly available secrets. The NSA strongly urges admins to remove vendor-supplied defaults, create unique, strong, hard-to-guess passwords, and use a password manager.
Network devices are also often pre-configured with default administrator usernames and passwords to simplify setup. These default credentials are not secure: they may be physically labeled on the device or readily available on the internet. Leaving them unchanged creates opportunities for malicious activity, including unauthorized access to information and installation of malicious software.
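The default-credential and password-policy points above can be turned into a routine audit of an organization's own device inventory. The following is an added example written for this article, not code from CISA or any vendor; the inventory records, the handful of factory-default username/password pairs, and the 14-character minimum are all constructed assumptions for illustration.

```python
"""Audit device admin accounts for vendor-default or weak credentials.

Added illustration for this article. The inventory, the default-credential
pairs and the policy thresholds are constructed examples, not data from the
joint advisory or from any vendor.
"""
from dataclasses import dataclass

# Constructed examples of the kind of factory-default pairs that ship printed
# on a device label or in a public manual (assumption: extend from your own
# vendor documentation, not from this list).
KNOWN_DEFAULT_PAIRS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
}
# Generic default administrator names that should be renamed where the
# platform allows it (constructed list).
KNOWN_DEFAULT_USERNAMES = {"admin", "root", "administrator", "user"}
MIN_PASSWORD_LENGTH = 14  # assumed policy value for this example


@dataclass
class DeviceAccount:
    """One administrative account on a network device (constructed record)."""
    hostname: str
    username: str
    password: str
    mfa_enabled: bool


def audit_account(acct: DeviceAccount) -> list:
    """Return the list of policy findings for one account (empty if clean)."""
    findings = []
    if (acct.username.lower(), acct.password) in KNOWN_DEFAULT_PAIRS:
        findings.append("vendor-default credential pair")
    if acct.username.lower() in KNOWN_DEFAULT_USERNAMES:
        findings.append("default admin username still in use")
    if len(acct.password) < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if not acct.mfa_enabled:
        findings.append("MFA not enforced")
    return findings


def audit_inventory(accounts) -> dict:
    """Map hostname -> findings for every account that fails at least one rule."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct.hostname] = findings
    return report


# Constructed sample inventory: one untouched default, one hardened account,
# one renamed-but-weak account.
SAMPLE_INVENTORY = [
    DeviceAccount("core-sw-01", "admin", "admin", mfa_enabled=False),
    DeviceAccount("fw-edge-02", "secops-fw", "Kq7!vzL2#pRw9mTx", mfa_enabled=True),
    DeviceAccount("ap-lobby-03", "root", "Summer2022!", mfa_enabled=True),
]

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(host)
        for f in findings:
            print("  -", f)
```

In practice the inventory would be pulled from a configuration management database or a secrets vault rather than hard-coded, and the default-pair set would be populated from the vendor documentation for the devices actually deployed; the rule structure stays the same.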
CISA notes that remote services, such as VPNs, often lack sufficient controls to prevent unauthorized access. Defenders should add access control mechanisms such as MFA to reduce risk, place the VPN behind a firewall, and use IDS and IPS sensors to detect suspicious network activity.
Other key problems include: strong password policies that are not implemented; open ports and internet-exposed services that attackers can scan from the internet; failure to detect or block phishing that uses Microsoft Word and Excel documents booby-trapped with malicious macros; and poor endpoint detection and response.
CISA's recommendations include access control measures, credential hardening, centralized log management, antivirus, detection tools and vulnerability scanning, configuration management programs, and patch management.
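The macro-laden Word and Excel documents mentioned above can be detected at a mail gateway or file share without opening them, because the modern Office formats are zip containers that declare their VBA project as a named part. The following is an added example written for this article, not code from the advisory or from Microsoft; it builds a constructed minimal container in memory to exercise the check, and assumes only the Python standard library.

```python
"""Flag Office Open XML (.docx/.docm/.xlsx/.xlsm) files that carry VBA macros.

Added illustration for this article. The sample containers built below are
constructed stand-ins, not real Word documents.
"""
import io
import zipfile

# Content type that OOXML uses to declare an embedded VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OOXML_TYPES_PART = "[Content_Types].xml"


def inspect_ooxml(data: bytes) -> dict:
    """Return the macro indicators found in an OOXML container.

    The check looks inside the zip, so a .docm renamed to .docx is still
    caught; the file extension is never consulted.
    """
    result = {
        "is_ooxml": False,
        "has_vba_part": False,        # a .../vbaProject.bin part is present
        "declares_vba_type": False,   # [Content_Types].xml names a VBA project
        "macro_enabled_main": False,  # main part uses a macroEnabled content type
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip at all (legacy .doc/.xls are OLE, not zip)
    names = zf.namelist()
    if OOXML_TYPES_PART not in names:
        return result
    result["is_ooxml"] = True
    result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    content_types = zf.read(OOXML_TYPES_PART).decode("utf-8", errors="replace")
    result["declares_vba_type"] = VBA_CONTENT_TYPE in content_types
    result["macro_enabled_main"] = "macroEnabled" in content_types
    return result


def has_macros(data: bytes) -> bool:
    """True if any macro indicator is present."""
    r = inspect_ooxml(data)
    return r["has_vba_part"] or r["declares_vba_type"] or r["macro_enabled_main"]


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container for testing (not a real Word file)."""
    if with_macros:
        main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_ct = ("application/vnd.openxmlformats-officedocument"
                   ".wordprocessingml.document.main+xml")
    types_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    )
    if with_macros:
        types_xml += (f'<Override PartName="/word/vbaProject.bin" '
                      f'ContentType="{VBA_CONTENT_TYPE}"/>')
    types_xml += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(OOXML_TYPES_PART, types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for a compiled VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("macro", build_sample(True))):
        print(label, has_macros(sample), inspect_ooxml(sample))
```

Legacy binary formats (.doc, .xls) are OLE compound files rather than zips and fall through the `BadZipFile` branch here; inspecting those needs an OLE parser such as the `olevba` tool from the open-source oletools project. Blocking on the presence of a VBA part is a coarse but reliable gateway control; whether the macro is actually malicious is a separate analysis step.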
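Centralized log management pays off when detection logic runs over the collected events. As an added example for this article (not code from CISA or from any SIEM vendor), the following script watches for the RDP pattern the alert warns about: a burst of failed logons from one source followed by a successful remote-interactive logon from the same source. The log lines are constructed JSON records standing in for Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, which RDP uses); the threshold and window are assumed tuning values.

```python
"""Detect password-guessing followed by an RDP logon in centralized logs.

Added illustration for this article. SAMPLE_LOG is a constructed set of
JSON-normalized Windows Security events; the threshold and time window are
assumed values to be tuned per environment.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5          # assumed: failed logons before a success is suspicious
WINDOW = timedelta(minutes=10)  # assumed: sliding window per source address
EVENT_FAILED_LOGON = 4625
EVENT_LOGON = 4624
LOGON_TYPE_REMOTE_INTERACTIVE = 10  # RDP / Terminal Services


def parse_event(line: str) -> dict:
    """Parse one JSON-normalized event and convert its timestamp."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_rdp_bruteforce(lines) -> list:
    """Return an alert for each success that follows >= FAIL_THRESHOLD failures.

    Events must arrive in chronological order. Failures are kept per source
    address in a deque and expired once they fall outside WINDOW.
    """
    failures = defaultdict(deque)  # src_ip -> timestamps of recent 4625 events
    alerts = []
    for ev in (parse_event(line) for line in lines):
        src, ts = ev.get("src_ip"), ev["ts"]
        recent = failures[src]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()
        if ev["event_id"] == EVENT_FAILED_LOGON:
            recent.append(ts)
        elif (ev["event_id"] == EVENT_LOGON
              and ev.get("logon_type") == LOGON_TYPE_REMOTE_INTERACTIVE):
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({
                    "src_ip": src,
                    "user": ev["user"],
                    "failures": len(recent),
                    "ts": ts.isoformat(),
                })
                recent.clear()  # one alert per burst
    return alerts


# Constructed sample: six failures from 203.0.113.45 across several account
# names, then a success; a normal user logon from 10.0.0.7 and a single typo
# from 10.0.0.9 are benign noise.
SAMPLE_LOG = [
    '{"ts": "2022-05-18T09:00:00", "event_id": 4625, "src_ip": "203.0.113.45", "user": "admin", "logon_type": 10}',
    '{"ts": "2022-05-18T09:01:00", "event_id": 4625, "src_ip": "203.0.113.45", "user": "administrator", "logon_type": 10}',
    '{"ts": "2022-05-18T09:02:00", "event_id": 4625, "src_ip": "203.0.113.45", "user": "admin", "logon_type": 10}',
    '{"ts": "2022-05-18T09:02:30", "event_id": 4624, "src_ip": "10.0.0.7", "user": "jsmith", "logon_type": 10}',
    '{"ts": "2022-05-18T09:03:00", "event_id": 4625, "src_ip": "203.0.113.45", "user": "backup", "logon_type": 10}',
    '{"ts": "2022-05-18T09:03:10", "event_id": 4625, "src_ip": "10.0.0.9", "user": "jdoe", "logon_type": 10}',
    '{"ts": "2022-05-18T09:04:00", "event_id": 4625, "src_ip": "203.0.113.45", "user": "svc_backup", "logon_type": 10}',
    '{"ts": "2022-05-18T09:05:00", "event_id": 4625, "src_ip": "203.0.113.45", "user": "svc_backup", "logon_type": 10}',
    '{"ts": "2022-05-18T09:06:00", "event_id": 4624, "src_ip": "203.0.113.45", "user": "svc_backup", "logon_type": 10}',
]

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print("ALERT", alert)
```

The same rule expressed in a SIEM query language is equivalent; the point is that it needs the domain controllers' and RDP hosts' security logs in one place with a shared timestamp, which is exactly what centralized log management provides. With MFA enforced on RDP the final 4624 would not occur after guessed passwords alone, so the rule also acts as a check that the MFA control is actually in force.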
CISA also recommends adopting a zero-trust security model, but this is likely a long-term goal. US federal agencies have until 2024 to make significant headway on this aim.
The full list of security DON'Ts includes:
- Multifactor authentication (MFA) is not enforced.
- Incorrectly applied privileges or permissions and errors within access control lists.
- Software is not up to date.
- Use of vendor-supplied default configurations or default login usernames and passwords.
- Remote services, such as VPNs, lack sufficient controls to prevent unauthorized access.
- Strong password policies are not implemented.
- Cloud services are unprotected.
- Open ports and misconfigured services are exposed to the internet.
- Failure to detect or block phishing attempts.
- Poor endpoint detection and response.