The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a new joint advisory on urgent cybersecurity issues. The two agencies highlight problems with software and IT configurations across multiple U.S. government agencies and give recommendations to both customers and manufacturers.
Following recent warnings about the "BlackTech" threat against Cisco routers, the NSA and CISA have released a new joint advisory identifying the ten most common network misconfigurations that lead to intrusions and security incidents. The announcement states that red teams (attack simulation) and blue teams (defensive analysis of IT systems) from the two US agencies have been assessing organizations "over the past few years" to identify the most common problems in IT configurations.
Analysts from the NSA and CISA have spent years studying how malicious actors gain access, move laterally and target sensitive systems or information at U.S. government agencies at the federal and local levels. They examined "many networks" belonging to the Department of Defense (DoD), federal civilian executive branch agencies, state, local, tribal and territorial (SLTT) governments, and the private sector, looking for misconfigurations.
The official advisory lists the following ten most common network misconfigurations identified by the NSA and CISA red and blue teams:
Default configurations of software and applications
Improper separation of user and administrator privileges
Insufficient internal network monitoring
Lack of network segmentation
Poor patch and update management
Bypass of system access controls
Weak or misconfigured multi-factor authentication (MFA) methods
Insufficient access control lists (ACLs) on network shares and services
Poor credential hygiene
Unrestricted code execution
These misconfigurations illustrate a dangerous trend of "systemic weaknesses in many large organizations," including those with mature cyber postures. The NSA and CISA therefore encourage network defenders and IT administrators to implement the recommendations and mitigations in the advisory to reduce the risk of successful attacks by cybercriminals and APT actors.
The recommendations state that IT administrators should remove default credentials and harden configurations, disable unused services, and implement strong access controls. Regular, automated patching should also be put in place, prioritizing known vulnerabilities. Administrative accounts and privileges should be reduced, restricted, monitored and regularly audited.
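As an added example (not code from the advisory or from either agency), the following Python script turns several of the listed misconfigurations and the mitigations above into automated posture checks over a constructed host inventory: vendor default credentials, administrative accounts without MFA, shares writable by broad principals, services listening outside an approved list, patches older than an SLA, and one password reused across hosts. The inventory format, the default-credential list, the approved-service list and the 30-day patch SLA are all assumptions of this example, and the sample fleet is constructed.

```python
"""Fleet posture checks covering several items from the NSA/CISA top-ten list.

Added example, not code from the advisory or either agency. The inventory
format, DEFAULT_CREDENTIALS, APPROVED_SERVICES and PATCH_SLA_DAYS are
assumptions made for this example; the sample fleet below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed vendor-default pairs (assumption; use each product's documented defaults in practice).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "toor")}
# Services approved to listen on hosts; anything else counts as an unused service (assumption).
APPROVED_SERVICES = {"ssh", "https"}
# Days a host may run with a known vulnerability unpatched (assumption).
PATCH_SLA_DAYS = 30
# Principals whose write access on a share makes the ACL insufficient.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users"}


@dataclass
class Account:
    name: str
    password: str        # plaintext only because this inventory is constructed
    is_admin: bool
    mfa_enabled: bool


@dataclass
class Share:
    name: str
    acl: Dict[str, Set[str]]   # principal -> granted permissions


@dataclass
class Host:
    name: str
    accounts: List[Account]
    shares: List[Share]
    listening_services: List[str]
    oldest_missing_patch: Optional[date]   # release date of the oldest unapplied patch


def check_host(host: Host, today: date):
    """Return (category, detail) findings for a single host."""
    findings = []
    for acct in host.accounts:
        if (acct.name, acct.password) in DEFAULT_CREDENTIALS:
            findings.append(("default configuration", f"{host.name}: account '{acct.name}' uses a vendor default credential"))
        if acct.is_admin and not acct.mfa_enabled:
            findings.append(("weak MFA", f"{host.name}: administrative account '{acct.name}' has no MFA"))
    for share in host.shares:
        broad = [p for p, perms in share.acl.items() if p in BROAD_PRINCIPALS and "write" in perms]
        if broad:
            findings.append(("insufficient ACLs", f"{host.name}: share '{share.name}' grants write to {', '.join(broad)}"))
    for svc in host.listening_services:
        if svc not in APPROVED_SERVICES:
            findings.append(("unused service", f"{host.name}: '{svc}' is listening but is not approved"))
    if host.oldest_missing_patch is not None:
        age = (today - host.oldest_missing_patch).days
        if age > PATCH_SLA_DAYS:
            findings.append(("poor patch management", f"{host.name}: a patch released {age} days ago is still missing"))
    return findings


def check_fleet(hosts: List[Host], today: date):
    """Run per-host checks, then the cross-host check for password reuse."""
    findings = []
    for host in hosts:
        findings.extend(check_host(host, today))
    hosts_by_password = defaultdict(set)   # password -> hosts where some account uses it
    for host in hosts:
        for acct in host.accounts:
            hosts_by_password[acct.password].add(host.name)
    for names in hosts_by_password.values():
        if len(names) > 1:
            findings.append(("poor credential hygiene", f"one password is shared across {len(names)} hosts: {', '.join(sorted(names))}"))
    return findings


# Constructed sample fleet: one badly configured file server and one clean web host.
SAMPLE_TODAY = date(2024, 3, 1)
SAMPLE_FLEET = [
    Host("fileserver01",
         accounts=[Account("admin", "admin", is_admin=True, mfa_enabled=False),
                   Account("jdoe", "Winter2024!", is_admin=False, mfa_enabled=True)],
         shares=[Share("public", {"Everyone": {"read", "write"}}), Share("finance", {"finance-team": {"read"}})],
         listening_services=["ssh", "https", "telnet"],
         oldest_missing_patch=date(2024, 1, 10)),
    Host("web01",
         accounts=[Account("svc_web", "Winter2024!", is_admin=False, mfa_enabled=False),
                   Account("ops", "Tr0ub4dor&3", is_admin=True, mfa_enabled=True)],
         shares=[], listening_services=["https"], oldest_missing_patch=None),
]

if __name__ == "__main__":
    for category, detail in check_fleet(SAMPLE_FLEET, SAMPLE_TODAY):
        print(f"[{category}] {detail}")
```

Run against the constructed fleet, the script reports five findings on fileserver01 and one fleet-wide credential-reuse finding that only becomes visible when hosts are compared together, which is why the reuse check lives in check_fleet rather than check_host. In a real environment the inventory would be populated from configuration management or endpoint telemetry, and password reuse would be detected by comparing credential hashes rather than plaintext.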
CISA also highlighted "urgent" measures that software manufacturers must take to reduce the prevalence of security misconfigurations: eliminating default passwords, adopting secure-by-design practices in software development, providing "high-quality audit logs" to customers at no extra charge, and making multi-factor authentication (MFA) a default rather than an optional feature. The agency is also promoting its recently launched Secure Our World national campaign, which presents simple but effective ways for people to protect themselves, their families and their businesses from cyber threats.