
Top Ten Cybersecurity Misconfigurations & Mitigation Techniques


Introduction

In this age of rapid digital transformation, the cybersecurity landscape is an ever-evolving battleground. To protect digital infrastructures effectively, organizations must stay one step ahead of adversaries. In this blog, we delve into the top ten cybersecurity misconfigurations identified by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA).

Understanding these vulnerabilities and applying expert mitigation strategies is paramount to ensure a robust cybersecurity posture.

In this blog post, we’ll delve into the Top Ten cybersecurity misconfigurations highlighted by these agencies, along with effective mitigation techniques to safeguard against cyber threats.

Executive summary

It’s essential to highlight the key cybersecurity misconfigurations and the strategies to mitigate them. The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations and detail the tactics and techniques to mitigate these misconfigurations.

Through NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common cybersecurity misconfigurations:

  1. Default configurations of software and applications
  2. Improper separation of user/administrator privilege
  3. Insufficient internal network monitoring
  4. Lack of network segmentation
  5. Poor patch management
  6. Bypass of system access controls
  7. Weak or misconfigured multifactor authentication (MFA) methods
  8. Insufficient access control lists (ACLs) on network shares and services
  9. Poor credential hygiene
  10. Unrestricted code execution

These misconfigurations illustrate a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders. Properly trained, staffed, and funded network security teams can implement the known mitigations for these weaknesses.

Software manufacturers must reduce the prevalence of these misconfigurations and thus strengthen the security posture for customers by incorporating secure-by-design and secure-by-default principles and tactics in their software development practices.

NSA and CISA encourage network defenders to implement the recommendations found within the Mitigations section of the advisory to reduce the risk of malicious actors exploiting the identified misconfigurations. These include removing default credentials and hardening configurations; disabling unused services and implementing access controls; updating regularly and automating patching, prioritizing patching of known exploited vulnerabilities; and reducing, restricting, auditing, and monitoring administrative accounts and privileges.

NSA and CISA also urge software manufacturers to take ownership of improving the security outcomes of their customers by embracing secure-by-design and secure-by-default tactics, including embedding security controls into product architecture from the start of development and throughout the entire software development lifecycle (SDLC); eliminating default passwords; providing high-quality audit logs to customers at no extra charge; and mandating MFA, ideally phishing-resistant, for privileged users and making MFA a default rather than opt-in feature.

Exploring the Top Ten Cybersecurity Misconfigurations and Mitigation Techniques

1. Default configurations of software and applications:

Default configurations of software and applications are the pre-set settings that are applied when the software or application is first installed. These settings are designed to make the software or application easy to use, but they may not be the most secure settings. This can leave systems vulnerable to attacks.

Here are some examples of default configurations that can be insecure:

Using weak or default passwords: Many software and applications come with default passwords that are easy to guess. Attackers can use these default passwords to gain unauthorized access to systems.

Enabling unnecessary features: Some software and applications have features that are not necessary for most users. These features can be exploited by attackers to gain access to systems or data.

Leaving unnecessary ports open: Some software and applications open ports on the network that are not necessary for their operation. Attackers can use these open ports to attack systems.

Mitigation techniques for default configurations:

Change default passwords: Always change default passwords to strong, unique passwords.

Disable unnecessary features: Disable any features that are not necessary for your organization.

Close unnecessary ports: Close any ports that are not necessary for your organization.

Use a firewall: Use a firewall to block unauthorized access to your systems.

Keep software up to date: Install updates for software and applications as soon as they are available. Updates often include security fixes for vulnerabilities.

Use a vulnerability scanner: Use a vulnerability scanner to identify vulnerabilities in your systems.

Implement a security policy: Implement a security policy that outlines how to secure your systems.

Educate employees: Educate employees about cybersecurity risks and how to protect themselves from attacks.

By following these mitigation techniques, you can help protect your systems from attacks that exploit default configurations.
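To make "close unnecessary ports" checkable, the added example below (not from the NSA/CISA advisory or this blog's author) compares a host's listening TCP sockets with an allowlist for its role. It assumes Linux `ss -tlnH` output; the sample output and the allowlist are constructed.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (listening TCP sockets, no header).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 100 [::]:8080 [::]:*
"""

# Hypothetical allowlist for a web-server role: the ports this host is meant to expose.
ALLOWED_PORTS = {22, 443}


def parse_listeners(ss_output):
    """Return (address, port) for every listening socket in the ss output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip headers, blank lines and non-listening states
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        if addr == "*":                        # ss prints "*" for a dual-stack wildcard
            addr = "::"
        listeners.append((addr, int(port)))
    return listeners


def unexpected_listeners(ss_output, allowed_ports):
    """Ports reachable from the network that the role's allowlist does not cover."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if ipaddress.ip_address(addr).is_loopback:
            continue  # bound to localhost only, not exposed to the network
        if port not in allowed_ports:
            findings.append((addr, port))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for addr, port in unexpected_listeners(SAMPLE_SS, ALLOWED_PORTS):
        print(f"unexpected listener on {addr} port {port}: disable the service or firewall it")
```

The loopback-only PostgreSQL socket in the sample is not reported, because it is not reachable from other hosts.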

2. Improper separation of user and administrator privileges:

Improper separation of user and administrator privileges is a security risk that can allow unauthorized users to gain access to sensitive data or systems. This can happen when users are given more privileges than they need, or when administrators do not properly secure their accounts.

Here are some examples of improper separation of user and administrator privileges:

Giving users administrator privileges: Users should only be given the privileges they need to do their jobs. Giving users administrator privileges can allow them to make changes to the system that they should not be able to make.

Not using strong passwords for administrator accounts: Administrator accounts should have strong, unique passwords that are changed regularly. Weak passwords can be easily guessed or cracked, allowing attackers to gain access to administrator accounts.

Not using two-factor authentication for administrator accounts: Two-factor authentication requires users to provide two pieces of information to authenticate, such as a password and a code from a mobile device. This makes it more difficult for attackers to gain access to administrator accounts.

Mitigation techniques for improper separation of user and administrator privileges:

Implement the principle of least privilege: Only give users the privileges they need to do their jobs.

Use strong passwords for administrator accounts: Administrator accounts should have strong, unique passwords that are changed regularly.

Use two-factor authentication for administrator accounts: Two-factor authentication requires users to provide two pieces of information to authenticate, such as a password and a code from a mobile device.

Educate users about cybersecurity risks: Educate users about the risks of giving out their passwords or clicking on links in phishing emails.

Monitor user activity: Monitor user activity to identify suspicious activity, such as attempts to access unauthorized data or systems.

By following these mitigation techniques, you can help protect your systems from attacks that exploit improper separation of user and administrator privileges.

3. Insufficient internal network monitoring:

Insufficient internal network monitoring refers to the lack of adequate visibility and oversight of the activities and events occurring within an organization’s internal network. This can leave the network vulnerable to various security threats and performance issues that may go undetected for extended periods.

Consequences of Insufficient Internal Network Monitoring:

Undetected Security Breaches: Without proper monitoring, malicious activities such as unauthorized access, data exfiltration, or malware infections may remain unnoticed, allowing attackers to operate undetected and cause significant damage.

Performance Bottlenecks and Outages: Network performance issues, such as congestion, latency, or outages, can hinder business operations and productivity. Without proper monitoring, identifying and resolving these issues becomes challenging.

Compliance Failures: Organizations that handle sensitive data are often subject to compliance regulations that mandate network security and monitoring practices. Insufficient monitoring can lead to non-compliance and potential legal ramifications.

Mitigation Techniques for Insufficient Internal Network Monitoring:

Implement Network Monitoring Tools: Deploy comprehensive network monitoring tools that can collect and analyse network traffic, device logs, and performance metrics.

Define Monitoring Objectives: Clearly define the objectives of network monitoring, such as identifying security threats, ensuring compliance, or optimizing performance.

Establish Baselines and Thresholds: Establish baselines for normal network behaviour and set thresholds for alerts to identify anomalies and potential issues.

Continuous Monitoring and Alerting: Implement continuous monitoring and alerting mechanisms to promptly notify administrators of potential threats or performance issues.

Regular Review and Analysis: Regularly review and analyse collected network data to identify trends, patterns, and potential areas for improvement.

Centralized Log Management: Implement a centralized log management system to collect, store, and analyse logs from various network devices and applications.

Network Segmentation: Segment the network into smaller, logical zones to isolate sensitive data and restrict access, making it easier to monitor and control traffic flows.

Security Awareness Training: Educate employees about cybersecurity risks, safe practices, and the importance of reporting suspicious activities.

By implementing these mitigation techniques, organizations can enhance their internal network monitoring capabilities, improve security posture, and maintain network performance.
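The "baselines and thresholds" step above, as an added example (not taken from the advisory or this post): failed-login counts per host and hour are compared with a per-host baseline, and hosts with no baseline get a fixed limit. The log format, host names, history and the 3-sigma and floor values are all assumptions chosen for illustration.

```python
import re
import statistics
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z host=(?P<host>\S+) event=(?P<event>\S+)"
)

# Constructed history: failed logins per hour on each host during a normal period.
HISTORY = {
    "web01": [2, 3, 1, 2, 4, 2, 3, 2],
    "db01": [0, 0, 1, 0, 0, 0, 1, 0],
}

# Constructed log lines in a made-up key=value format (hosts and users are invented).
SAMPLE_LOG = (
    [f"2024-05-01T10:{m:02d}:00Z host=web01 event=auth_failure user=svc" for m in range(4)]
    + [f"2024-05-01T10:{m:02d}:30Z host=db01 event=auth_failure user=admin" for m in range(7)]
    + [f"2024-05-01T10:{m:02d}:45Z host=kiosk7 event=auth_failure user=guest" for m in range(6)]
    + ["2024-05-01T10:59:00Z host=web01 event=auth_success user=svc"]
)


def hourly_counts(lines, event="auth_failure"):
    """Count matching events per (host, hour) bucket; unparseable lines are ignored."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["event"] == event:
            counts[(m["host"], m["hour"])] += 1
    return counts


def build_baseline(history):
    """Map each host to the (mean, standard deviation) of its historical hourly counts."""
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in history.items() if v}


def find_anomalies(counts, baseline, sigmas=3.0, floor=5, unknown_host_limit=5):
    """Return (host, hour, count, reason) for buckets above their threshold."""
    alerts = []
    for (host, hour), n in sorted(counts.items()):
        if host not in baseline:
            # A host with no history cannot be compared to itself; use a fixed limit.
            if n >= unknown_host_limit:
                alerts.append((host, hour, n, "no baseline for host"))
            continue
        mean, sd = baseline[host]
        # The floor keeps very quiet hosts from alerting on one or two failures.
        threshold = max(mean + sigmas * sd, floor)
        if n > threshold:
            alerts.append((host, hour, n, f"above threshold {threshold:.1f}"))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(hourly_counts(SAMPLE_LOG), build_baseline(HISTORY)):
        print(alert)
```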

4. Lack of network segmentation:

Network segmentation is the practice of dividing a computer network into smaller, logical subnetworks, each with its own security controls. This can help to prevent unauthorized access to sensitive data and systems and can also help to contain the spread of malware and other attacks. 

A lack of network segmentation can leave an organization’s network vulnerable to a number of security risks, including:

Lateral movement: Attackers who gain access to one part of the network may be able to move freely throughout the network, compromising other systems and data.

Data breaches: Sensitive data may be more easily accessible to unauthorized users if it is not properly segmented from the rest of the network.

Malware propagation: Malware can spread more easily through a network that is not properly segmented.

Mitigation techniques for lack of network segmentation:

Implement network segmentation: Divide your network into smaller, logical subnetworks, and implement security controls to restrict access between them.

Use firewalls: Use firewalls to control traffic between network segments.

Use intrusion detection and prevention systems (IDS/IPS): Use IDS/IPS to monitor network traffic for suspicious activity and block attacks.

Use access control lists (ACLs): Use ACLs to restrict access to specific network resources.

Use virtual LANs (VLANs): Use VLANs to create logical network segments within a physical network.

Use network access control (NAC): Use NAC to control which devices can access the network and what they can access.

By following these mitigation techniques, you can help protect your network from attacks that exploit a lack of network segmentation.

5. Poor patch management:

Poor patch management is the failure to properly identify, prioritize, and install software updates that address known vulnerabilities. This can leave systems vulnerable to attacks, as attackers can exploit these vulnerabilities to gain unauthorized access to systems or data.

Here are some of the consequences of poor patch management:

Increased risk of cyberattacks: Unpatched systems are more vulnerable to cyberattacks. Attackers can exploit known vulnerabilities to gain unauthorized access to systems or data.

Data breaches: Data breaches can occur if attackers are able to exploit vulnerabilities in unpatched systems. This can lead to the theft of sensitive data, such as customer information or financial data.

Reputational damage: Data breaches and other cyberattacks can damage an organization’s reputation. This can lead to lost customers and business partners.

Compliance failures: Organizations that fail to patch their systems may be in violation of compliance regulations. This can lead to fines and other penalties.

Mitigation techniques for poor patch management:

Create a patch management policy: A patch management policy should outline the process for identifying, prioritizing, and installing patches.

Use a vulnerability scanner: A vulnerability scanner can help to identify vulnerabilities in your systems.

Prioritize patching: Patches should be prioritized based on the severity of the vulnerability and the criticality of the system.

Automate patching: Automating the patching process can help to ensure that patches are installed in a timely manner.

Test patches: Patches should be tested in a non-production environment before they are deployed to production systems.

Monitor patching: Patching should be monitored to ensure that patches are installed successfully.

By following these mitigation techniques, you can help protect your systems from attacks that exploit vulnerabilities in unpatched systems.
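An added sketch of the "prioritize" and "monitor" steps above (not from the advisory or this post): findings are ordered with known exploited vulnerabilities first, then by severity weighted by system criticality, and each gets a due date so overdue patches can be reported. The vulnerability ids are placeholders, and the hosts, scores and deadline policy are assumptions.

```python
from datetime import date, timedelta

# Constructed asset inventory: 3 = most critical system, 1 = least.
ASSET_CRITICALITY = {"pay-db01": 3, "web02": 2, "lab-vm9": 1}

# Constructed scanner findings; the vulnerability ids are placeholders, not real CVEs.
FINDINGS = [
    {"host": "lab-vm9", "vuln": "VULN-0001", "severity": 9.8,
     "known_exploited": False, "first_seen": date(2024, 5, 1)},
    {"host": "pay-db01", "vuln": "VULN-0002", "severity": 6.5,
     "known_exploited": True, "first_seen": date(2024, 5, 10)},
    {"host": "web02", "vuln": "VULN-0003", "severity": 7.5,
     "known_exploited": False, "first_seen": date(2024, 4, 1)},
    {"host": "pay-db01", "vuln": "VULN-0004", "severity": 4.0,
     "known_exploited": False, "first_seen": date(2024, 5, 12)},
]


def deadline_days(severity, criticality, known_exploited):
    """Assumed policy, for illustration only: days allowed before a patch is overdue."""
    if known_exploited:
        return 7
    if severity >= 9.0:
        days = 14
    elif severity >= 7.0:
        days = 30
    else:
        days = 90
    # Halve the window on the most critical systems.
    return days // 2 if criticality == 3 else days


def prioritize(findings, criticality, today):
    """Return findings as a work queue, most urgent first, with due dates."""
    queue = []
    for f in findings:
        crit = criticality.get(f["host"], 3)  # unknown assets are treated as most critical
        days = deadline_days(f["severity"], crit, f["known_exploited"])
        due = f["first_seen"] + timedelta(days=days)
        queue.append({**f, "criticality": crit, "due": due, "overdue": today > due})
    # Known exploited first, then severity weighted by criticality, then earliest due date.
    queue.sort(key=lambda q: (not q["known_exploited"],
                              -(q["severity"] * q["criticality"]),
                              q["due"]))
    return queue


if __name__ == "__main__":
    for item in prioritize(FINDINGS, ASSET_CRITICALITY, today=date(2024, 5, 20)):
        flag = "OVERDUE" if item["overdue"] else "open"
        print(item["vuln"], item["host"], item["due"].isoformat(), flag)
```

In the sample, the medium-severity finding on the payment database is handled first because it is known to be exploited, ahead of the 9.8 on the lab machine.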

6. Bypass of system access controls:

System access controls are security measures that restrict who can access a system and what they can do once they are logged in. These controls are designed to protect sensitive data and prevent unauthorized access. However, there are a number of ways that attackers can bypass system access controls.

Here are some examples of how attackers can bypass system access controls:

Password attacks: Attackers can use brute force attacks or dictionary attacks to guess users’ passwords.

Social engineering: Attackers can trick users into giving them their passwords or other sensitive information.

Exploiting vulnerabilities: Attackers can exploit vulnerabilities in software or applications to gain unauthorized access to systems.

Using stolen credentials: Attackers can use stolen credentials to log in to systems.

Mitigation techniques for bypass of system access controls:

Use strong passwords: Use strong passwords that are at least 12 characters long and include a mix of upper and lowercase letters, numbers, and symbols.

Enable two-factor authentication: Enable two-factor authentication to require users to enter a second factor, such as a code from their phone, in addition to their password.

Educate employees about social engineering: Educate employees about social engineering attacks and how to protect themselves.

Keep software up to date: Install updates for software and applications as soon as they are available. Updates often include security fixes for vulnerabilities.

Use a vulnerability scanner: Use a vulnerability scanner to identify vulnerabilities in your systems.

Implement a security policy: Implement a security policy that outlines how to secure your systems.

Monitor for suspicious activity: Monitor your systems for suspicious activity, such as failed login attempts or unusual network traffic.

By following these mitigation techniques, you can help to protect your systems from attacks that bypass system access controls.

7. Weak or misconfigured multifactor authentication (MFA) methods:

Multi-factor authentication (MFA) is a security measure that requires users to provide multiple pieces of evidence to verify their identity before they can access an account or system. This makes it more difficult for attackers to gain unauthorized access, even if they have stolen a user’s password.

Weak or misconfigured MFA methods can leave systems vulnerable to attacks. Here are some examples of weak or misconfigured MFA methods:

Using SMS text messages as a second factor: SMS text messages can be intercepted by attackers, so they are not a secure way to verify a user’s identity.

Using weak or easy-to-guess security questions: Security questions should be difficult to guess and should not be based on information that is publicly available.

Not requiring MFA for all users: All users should be required to use MFA, especially for privileged accounts.

Not enforcing MFA for all logins: MFA should be enforced for all logins, including remote access and logins from new devices.

Mitigation techniques for weak or misconfigured MFA methods:

Use a strong second factor: Use a strong second factor, such as a hardware token or a biometric factor.

Use strong security questions: Use strong security questions that are difficult to guess.

Require MFA for all users: Require MFA for all users, especially for privileged accounts.

Enforce MFA for all logins: Enforce MFA for all logins, including remote access and logins from new devices.

Use a centralized MFA management system: Use a centralized MFA management system to make it easier to manage and enforce MFA policies.

Educate users about MFA: Educate users about the importance of MFA and how to use it correctly.

By following these mitigation techniques, you can help to protect your systems from attacks that exploit weak or misconfigured MFA methods.
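The weaknesses listed in this section can be checked mechanically. The added example below (not from the advisory or this post) audits a constructed identity export for accounts with no MFA, only weak factors, a weak fallback next to a strong factor, or MFA not enforced for every login context. The field names, factor labels and context names are assumptions.

```python
STRONG_FACTORS = {"hardware_token", "biometric"}   # factors this section recommends
WEAK_FACTORS = {"sms", "security_question"}        # factors this section calls weak
REQUIRED_CONTEXTS = {"interactive", "remote_access", "new_device"}
ALL_CONTEXTS = sorted(REQUIRED_CONTEXTS)

# Constructed identity export; users and field names are invented for illustration.
ACCOUNTS = [
    {"user": "alice", "privileged": True, "mfa_methods": ["hardware_token"],
     "mfa_enforced_for": ALL_CONTEXTS},
    {"user": "bob", "privileged": True, "mfa_methods": ["sms"],
     "mfa_enforced_for": ALL_CONTEXTS},
    {"user": "carol", "privileged": False, "mfa_methods": [],
     "mfa_enforced_for": []},
    {"user": "dave", "privileged": False, "mfa_methods": ["biometric", "sms"],
     "mfa_enforced_for": ["interactive"]},
]


def audit_account(acct):
    """Return the list of MFA weaknesses found on one account."""
    findings = []
    methods = set(acct.get("mfa_methods", []))
    if not methods:
        findings.append("no MFA enrolled")
    elif not methods & STRONG_FACTORS:
        findings.append("only weak factors: " + ", ".join(sorted(methods)))
    elif methods & WEAK_FACTORS:
        # A strong factor does not help if login can fall back to a weak one.
        weak = ", ".join(sorted(methods & WEAK_FACTORS))
        findings.append("weak fallback factor still enrolled: " + weak)
    missing = REQUIRED_CONTEXTS - set(acct.get("mfa_enforced_for", []))
    if methods and missing:
        findings.append("MFA not enforced for: " + ", ".join(sorted(missing)))
    return findings


def audit(accounts):
    """Return accounts with findings, privileged accounts first."""
    report = []
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report.append({
                "user": acct["user"],
                "priority": "high" if acct.get("privileged") else "normal",
                "findings": findings,
            })
    report.sort(key=lambda r: (r["priority"] != "high", r["user"]))
    return report


if __name__ == "__main__":
    for row in audit(ACCOUNTS):
        print(row["priority"], row["user"], "; ".join(row["findings"]))
```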

8. Insufficient access control lists (ACLs) on network shares and services:

Insufficient access control lists (ACLs) on network shares and services can lead to unauthorized access to sensitive data and resources. ACLs are a set of rules that define who can access what resources on a network. If ACLs are not properly configured, unauthorized users may be able to access sensitive data, modify data, or even take control of systems.

Here are some examples of how insufficient ACLs can be exploited:

Unauthorized users may be able to access sensitive data, such as customer records or financial information.

Attackers may be able to modify data, such as changing the contents of a website or injecting malware into a system.

Attackers may be able to take control of systems, such as using a compromised system to launch attacks against other systems.

Mitigation techniques for insufficient ACLs:

Implement the principle of least privilege: Only grant users the access they need to perform their job duties.

Regularly review ACLs: Regularly review ACLs to ensure that they are still accurate and up to date.

Use a centralized ACL management system: Use a centralized ACL management system to make it easier to manage ACLs across your organization.

Use role-based access control (RBAC): Use RBAC to assign permissions to users based on their roles in the organization.

Use multi-factor authentication (MFA): Use MFA to require users to provide multiple pieces of evidence to verify their identity before they can access sensitive data or resources.

Educate users about ACLs: Educate users about ACLs and how to properly configure them.

By following these mitigation techniques, you can help to protect your systems from unauthorized access due to insufficient ACLs.
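One way to run the regular ACL review described above, as an added example (not from the advisory or this post): the share permissions actually in place are compared with an approved role map, and anything broader is reported, widest right first. The share names, groups, role map and export format are constructed.

```python
# Share permission levels, ordered from narrowest to widest.
RANK = {"read": 1, "change": 2, "full": 3}

# Built-in groups that cover most or all accounts in a directory.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

# Hypothetical role map: the widest right each group is approved to hold per share.
APPROVED = {
    "finance$": {"Finance-RW": "change", "Auditors-RO": "read"},
    "public": {"Domain Users": "read"},
}

# Constructed export of the ACLs actually in place: (share, principal, right).
ACTUAL = [
    ("finance$", "Finance-RW", "change"),
    ("finance$", "Auditors-RO", "change"),
    ("finance$", "Everyone", "full"),
    ("finance$", "jsmith", "read"),
    ("public", "Domain Users", "read"),
    ("scans", "Helpdesk", "read"),
]


def review_acls(actual, approved):
    """Return (share, principal, right, reason) for every entry beyond the role map."""
    findings = []
    for share, principal, right in actual:
        allowed = approved.get(share, {}).get(principal)
        if allowed is not None and RANK[right] <= RANK[allowed]:
            continue  # entry is within what the role map approves
        if allowed is not None:
            reason = f"right exceeds approved '{allowed}'"
        elif principal in BROAD_PRINCIPALS:
            reason = "broad built-in group granted access outside the role map"
        else:
            # Covers direct grants to individual users and shares nobody registered.
            reason = "principal not in approved role map"
        findings.append((share, principal, right, reason))
    # Widest right first, so full-control grants are reviewed before read grants.
    findings.sort(key=lambda f: (-RANK[f[2]], f[0], f[1]))
    return findings


if __name__ == "__main__":
    for share, principal, right, reason in review_acls(ACTUAL, APPROVED):
        print(f"{share}: {principal} has '{right}' ({reason})")
```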

9. Poor credential hygiene:

Poor credential hygiene refers to bad practices related to creating, managing, and protecting passwords and other sensitive access credentials. It is a significant cybersecurity risk as it makes it easier for attackers to gain unauthorized access to systems and data.

Examples of poor credential hygiene include:

Using weak or easily guessable passwords: Passwords like “123456” or “password” are easily cracked by brute force attacks.

Reusing passwords across multiple accounts: If one account is compromised, attackers can access other accounts using the same password.

Sharing passwords with others: Sharing passwords increases the risk of unauthorized access.

Writing down passwords on paper or storing them in plain text files: This makes passwords vulnerable to physical theft or accidental exposure.

Not changing passwords regularly: Regular password changes reduce the impact of a compromised password.

Mitigation techniques for poor credential hygiene:

Create strong, unique passwords: Use a combination of upper and lowercase letters, numbers, and symbols. Avoid using personal information or common words.

Use a password manager: Password managers generate and store strong, unique passwords for all your accounts.

Enable multi-factor authentication (MFA): MFA requires additional verification beyond a password, such as a code sent to your phone or a fingerprint scan.

Educate employees about credential hygiene: Train employees on creating strong passwords, avoiding password reuse, and protecting their credentials.

Implement password policies: Enforce password complexity requirements, regular password changes, and account lockout after multiple failed login attempts.

Monitor for password breaches: Use tools to check if your passwords have been compromised in data breaches.

By following these mitigation techniques, organizations can significantly reduce the risks associated with poor credential hygiene and protect their systems and data from unauthorized access.

10. Unrestricted code execution:

Unrestricted code execution, also known as arbitrary code execution, occurs when an attacker can run any code that they want on a target system. This can be done by exploiting vulnerabilities in software or by tricking users into running malicious code. Once an attacker has unrestricted code execution, they can take complete control of the system, steal data, install malware, or launch further attacks.

Here are some examples of how unrestricted code execution can be achieved:

Buffer overflow attacks: These attacks exploit vulnerabilities in software that allow attackers to overwrite memory with malicious code.

SQL injection attacks: These attacks exploit vulnerabilities in web applications that allow attackers to inject malicious SQL statements into the application’s database.

Cross-site scripting (XSS) attacks: These attacks exploit vulnerabilities in web applications that allow attackers to inject malicious JavaScript code into web pages.

Mitigation techniques for unrestricted code execution:

Keep software up to date: Install updates for software and applications as soon as they are available. Updates often include security fixes for vulnerabilities that could be exploited to gain unrestricted code execution.

Use a web application firewall (WAF): A WAF can help to protect web applications from attacks such as SQL injection and XSS.

Implement input validation: Input validation is the process of checking user input to ensure that it is safe. This can help to prevent attacks such as buffer overflows.

Use a sandbox: A sandbox is a secure environment where untrusted code can be run without affecting the rest of the system. This can help to prevent malicious code from harming the system.

Educate employees: Educate employees about cybersecurity risks and how to protect themselves from attacks. This includes teaching them how to identify and avoid phishing scams and other social engineering attacks.

By following these mitigation techniques, you can help protect your systems from attacks that could lead to unrestricted code execution. 

Conclusion:

By addressing these top ten cybersecurity misconfigurations and implementing the recommended mitigation techniques, organizations can significantly enhance their resilience against evolving cyber threats. The collaborative efforts of the NSA and CISA serve as a valuable guide, emphasizing the importance of proactive cybersecurity measures in the digital age. Staying vigilant, continuously adapting security protocols, and fostering a cybersecurity culture will be crucial for safeguarding sensitive information and maintaining the integrity of digital ecosystems in 2025 and beyond.

Addressing these top ten cybersecurity misconfigurations requires a concerted effort from both network defenders and software manufacturers. Network defenders must implement the recommended mitigation techniques, while software manufacturers must embrace secure-by-design principles to reduce the prevalence of these misconfigurations. By working together, we can create a more secure cyberspace and protect our valuable data from malicious actors.


Ramu Raju
