10 Common Cybersecurity Misconfigurations and How to Mitigate Them, Part 1
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) recently published an article highlighting 10 of the most common cybersecurity misconfigurations, identified by their red and blue teams within the networks of major organizations. In this article, we aim to review each of them, understand how they can affect an organization’s overall security, and most importantly, how to mitigate them.
Part 1) Configuration, Permissions, Access Control
In the dynamic landscape of cybersecurity, effective configuration management and access control are paramount for safeguarding digital assets and maintaining system integrity.
1. Default Configurations of Software and Applications
Commonly used commercial network equipment such as routers, firewalls, Voice over IP (VoIP) devices, cameras, and other network-connected devices come preconfigured with default credentials for the integrated administrative accounts used to manage them through a dedicated application or a web portal.
While this is convenient for first-time access to such devices, malicious actors can exploit these default credentials through various methods, from a simple online search to manipulating predictable forgotten-password questions to reset built-in administrative accounts. The same happens with enterprise (web) applications, in which built-in administrative credentials are publicly available as part of the setup documentation and, if exploited, would allow unauthorized access to both the application and its underlying database.
Also, some services may possess default access controls that are excessively permissive or configurations that are inherently vulnerable. Furthermore, even in cases where providers do not activate these services by default, malicious actors can readily exploit them if users or administrators choose to enable these services intentionally.
To address the risks associated with default credentials and improve overall security posture, organizations should take the following actions.
Eliminate Default Credentials
Organizations should proactively eliminate default credentials, often set by manufacturers or software providers across their systems and devices, as these are well-known to attackers and can be easily exploited to gain unauthorized access to systems and sensitive data, especially Internet-facing systems and appliances like firewalls, gateways… Replacing them with stronger, unique passwords can significantly reduce the risk of unauthorized access and potential security breaches.
Use Password Managers
Implementing a password manager is a practical and effective solution for securely managing and, when necessary, sharing credentials internally, as it provides a centralized platform for storing, generating, and organizing passwords. Password managers offer features such as zero-knowledge encryption, password strength assessment, and secure sharing, helping organizations enforce password complexity requirements and share credentials among authorized users without compromising security. By doing so, organizations strengthen their defenses, mitigate the risk of unauthorized access, and promote secure password management practices across their networks and systems.
Harden Configurations
Hardening configurations involves tasks such as disabling unnecessary services and features, removing or disabling default accounts and passwords, applying security patches and updates regularly, configuring firewalls and intrusion detection/prevention systems, and enabling logging and monitoring mechanisms. These actions help organizations reduce the attack surface and make it more difficult for malicious actors to exploit vulnerabilities and gain unauthorized access to systems and data.
Change Permissions
The Principle of Least Privilege (PoLP) dictates that users and processes should only be granted the minimum level of access necessary to perform their required tasks or functions. Following this principle, organizations should carefully review and adjust permissions across their systems, applications, and data repositories and assign permissions based on user roles and responsibilities, ensuring that users have access only to the resources and data required to fulfill their job functions.
Disable Unused Accounts and Services
Disabling unused accounts and services is essential for reducing the attack surface and minimizing security risks within an organization's IT infrastructure. Accounts associated with former employees or unused services represent potential security liabilities, as they may be targeted by malicious actors seeking unauthorized access. Therefore, organizations should regularly audit their user accounts and service configurations to identify and disable any that are no longer needed. Additionally, implementing automated account management processes and service discovery tools can help ensure timely identification and deactivation of unused accounts and services, thereby enhancing overall security posture and reducing the likelihood of unauthorized access and compromise.
2. Improper Separation of User/Administrator Privilege
Administrators frequently assign multiple roles to a single account, granting extensive access to various devices and services. This poses a security risk, as malicious actors can move efficiently through a network using a compromised account without triggering detection measures for lateral movement or privilege escalation. Common misconfigurations in account separation observed by assessment teams include excessive account privileges (a user can view and modify things they should not), elevated permissions for service accounts, and the non-essential use of elevated accounts; these underscore the importance of implementing robust account separation strategies to enhance overall security posture.
In the effort to rectify the improper separation of user and administrator privileges, several critical measures are essential.
Protect Privileged Accounts
First, employ separate accounts for distinct purposes: one dedicated to normal day-to-day, non-administrative activities like email correspondence, general computing tasks, and accessing standard applications, and another specifically designated for administrative operations. In some environments, such accounts are even separated at the domain level, meaning user accounts reside in one domain and administrator accounts in another.
With Permissions, Less Is More
Second, following the Principle of Least Privilege (PoLP), a fundamental concept in cybersecurity and access control that advocates granting only the minimum level of access or permissions necessary to perform specific functions or tasks, organizations should ensure that users do not possess unnecessary permissions that could be exploited by attackers or lead to accidental data breaches. Permissions such as accessing web consoles, configuring system settings, or installing software updates should be granted deliberately, ensuring users do not inadvertently obtain administrative privileges; this mitigates the risk of unauthorized system alterations and enhances overall security.
One Solution, One Account
Third, organizations should utilize separate service accounts for each application or web service used within their infrastructure, including Unified Endpoint Management (UEM) systems, databases, and other enterprise-level software solutions. By employing dedicated service accounts, organizations can tightly control access permissions and track activities associated with each application or service, minimizing the potential impact of security breaches and ensuring accountability across the system landscape. This approach strengthens security controls, reduces the risk of unauthorized access, and improves the organization's overall security and integrity.
Review Permissions Periodically
Finally, organizations should conduct periodic reviews of account permissions to detect anomalies, suspicious activities, or unauthorized access elevations within their systems, systematically examining the permissions assigned to individual user and service accounts, assessing whether they align with their roles and responsibilities, and identifying any discrepancies or instances of excessive access. Implementing a Privileged Access Management (PAM) solution makes it possible to authorize and control, as well as monitor and audit, in real time, all privileged user accounts on all relevant back-end systems, helping reduce the risks produced by human mistakes or negligence, as well as possible misuse by impersonation from a malicious actor.
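One way to run the periodic review described above as code, added here as an example rather than taken from the blog or the NSA/CISA advisory: a role-to-group matrix says which group memberships each role legitimately needs, and every account is checked for excess groups, for admin membership on an account that is also used for daily work, and for service accounts holding elevated membership. The role matrix, group names and account records are all constructed sample data.

```python
from dataclasses import dataclass

# Constructed role matrix (assumption): the groups each role legitimately needs.
ROLE_GROUPS = {
    "helpdesk": {"Domain Users", "Helpdesk Operators"},
    "developer": {"Domain Users", "Dev Team"},
    "server-admin": {"Domain Users", "Server Admins"},
    "svc-backup": {"Backup Operators"},
}
# Groups that confer elevated rights in this constructed environment.
ADMIN_GROUPS = {"Domain Admins", "Server Admins", "Backup Operators"}

@dataclass
class Account:
    name: str
    role: str
    groups: set
    is_service: bool = False
    used_for_daily_work: bool = False  # mailbox, browsing, interactive logons

def review(accounts):
    """Return (account, finding) pairs for the reviewer to act on."""
    findings = []
    for a in accounts:
        expected = ROLE_GROUPS.get(a.role, set())
        excess = a.groups - expected
        if excess:  # membership the role does not justify
            findings.append((a.name, f"excess groups: {sorted(excess)}"))
        admin = a.groups & ADMIN_GROUPS
        if admin and a.used_for_daily_work:  # user/admin not separated
            findings.append((a.name, "admin account used for daily work"))
        if a.is_service and admin - expected:  # elevated service account
            findings.append((a.name, "service account with elevated membership"))
    return findings

# Constructed sample accounts; only jdoe and svc-backup are clean.
SAMPLE = [
    Account("jdoe", "helpdesk", {"Domain Users", "Helpdesk Operators"}, used_for_daily_work=True),
    Account("adm-jdoe", "server-admin", {"Domain Users", "Server Admins", "Domain Admins"}),
    Account("mlee", "developer", {"Domain Users", "Dev Team", "Server Admins"}, used_for_daily_work=True),
    Account("svc-sql", "svc-sql", {"Domain Admins"}, is_service=True),
    Account("svc-backup", "svc-backup", {"Backup Operators"}, is_service=True),
]

if __name__ == "__main__":
    for name, finding in review(SAMPLE):
        print(f"{name}: {finding}")
```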
3. Unrestricted Code Execution
Allowing unverified programs to execute on hosts presents a significant risk as threat actors can infiltrate networks by running arbitrary, malicious payloads. Following initial access, typically obtained through tactics like phishing, malicious actors commonly exploit unrestricted code execution methods, including executables, DLLs, HTML applications, macros, and scripting languages, to establish access, persistence, and lateral movement within networks, employing techniques like obfuscation and bypassing allowlisting to obscure actions and evade detection. Attackers may also exploit known vulnerabilities in drivers to execute code in the kernel, achieving complete device compromise.
Restrict Code Execution
By enabling system settings that restrict the execution of applications downloaded from untrusted sources, organizations can mitigate the risk of malware infiltration and unauthorized software installations. These settings, often found in operating system configurations or endpoint security solutions, help prevent users from inadvertently running malicious or potentially harmful applications obtained from the internet or other untrusted sources.
Use Application Control Tools
Application control tools, such as allowlisting solutions, enable organizations to specify which programs are permitted to run on their systems. By default, all programs are blocked from execution unless explicitly allowed by the organization's security policies. This approach helps prevent unauthorized or malicious software from running on endpoints, reducing the likelihood of malware infections, data breaches, and system compromise.
Block Vulnerable Drivers
Vulnerable device drivers represent potential security weaknesses that adversaries can exploit to execute malicious code in kernel mode, the highest privilege level in an operating system. To mitigate this risk, organizations should implement measures to block or prevent the execution of known vulnerable drivers. This may involve regularly updating drivers to patched versions, implementing driver signature verification mechanisms, and monitoring for indicators of compromise related to driver exploitation.
Restrict Scripting Languages
Scripting languages, such as PowerShell, VBScript, and JavaScript, can be abused by adversaries to facilitate malicious activities, including lateral movement, data exfiltration, and system compromise. Organizations can mitigate these risks by constraining the use of scripting languages through policy enforcement mechanisms, such as group policies or endpoint security solutions. Additionally, organizations should regularly audit script logs to detect and investigate suspicious or unauthorized activities. Restricting the use of scripting languages that are not essential to business operations further reduces the attack surface and helps prevent potential exploitation by adversaries.
4. Bypass of System Access Control
Malicious actors have the capability to circumvent traditional system access controls by exploiting alternative authentication methods within an environment. This means that even if standard access controls and authentication mechanisms are robustly implemented and protected, there might still exist other avenues or methods for users to gain unauthorized access to systems, networks, or sensitive data.
Limit Credential Overlap Across Systems
Credential overlap refers to the practice of using the same username and password combination across multiple systems or accounts. When credentials are reused across various systems, the compromise of one set of credentials can potentially lead to unauthorized access to other systems or services within the network. To mitigate this risk, organizations should enforce policies that discourage or prohibit the reuse of credentials across different accounts or systems. By limiting credential overlap, organizations can reduce the impact of credential compromise and hinder a malicious actor's ability to move laterally through the network.
Monitor Non-Standard Logon Events
Monitoring non-standard logon events involves tracking and analyzing authentication attempts that deviate from established patterns or norms. Host log monitoring tools and techniques enable organizations to monitor login activities, identify unusual or suspicious logon events, and respond promptly to potential security incidents. By implementing robust log monitoring capabilities, organizations can detect unauthorized access attempts, insider threats, and other malicious activities that may compromise system security.
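As an added example of the host log monitoring described above (not code from the blog or the advisory), the block below flags successful logon events that deviate from a per-account baseline: a service account logging on interactively, an account appearing on a host outside its baseline, or an account with no baseline at all. The line format, the baseline and the sample events are constructed for this example; in practice the fields would come from Windows Security event 4624 records.

```python
import re
from collections import defaultdict

# Standard Windows logon type codes used below.
INTERACTIVE = {2, 10}   # 2 = console, 10 = RemoteInteractive (RDP)

# Constructed baseline (assumption): hosts each account normally logs on to,
# and whether it is a service account that should never log on interactively.
BASELINE = {
    "svc-backup": {"hosts": {"BACKUP01"}, "service": True},
    "jdoe": {"hosts": {"WS-17", "WS-18"}, "service": False},
    "adm-jdoe": {"hosts": {"SRV-FILE01", "SRV-DC01"}, "service": False},
}

# Constructed one-line event format, not native EVTX or CSV.
LINE_RE = re.compile(r"EventID=(\d+) user=(\S+) host=(\S+) type=(\d+)")

def parse(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    event, user, host, ltype = m.groups()
    return {"event": int(event), "user": user, "host": host, "type": int(ltype)}

def flag_logons(lines):
    """Return {user: [reasons]} for successful logons that deviate from the baseline."""
    flagged = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if not ev or ev["event"] != 4624:   # only successful logons
            continue
        base = BASELINE.get(ev["user"])
        if base is None:
            flagged[ev["user"]].append(f"unknown account on {ev['host']}")
            continue
        if base["service"] and ev["type"] in INTERACTIVE:
            flagged[ev["user"]].append(f"service account interactive logon on {ev['host']}")
        if ev["host"] not in base["hosts"]:
            flagged[ev["user"]].append(f"logon to non-baseline host {ev['host']}")
    return dict(flagged)

# Constructed sample events.
SAMPLE_LOG = [
    "EventID=4624 user=jdoe host=WS-17 type=2",
    "EventID=4624 user=svc-backup host=BACKUP01 type=5",
    "EventID=4624 user=svc-backup host=WS-17 type=10",
    "EventID=4624 user=adm-jdoe host=WS-17 type=2",
    "EventID=4625 user=ghost host=SRV-DC01 type=3",
    "EventID=4624 user=ghost host=SRV-DC01 type=3",
]
```

The admin account `adm-jdoe` logging on to a workstation is flagged too, which ties this check back to the user/administrator separation discussed in section 2.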
Limit the Use of Local Administrator Groups
Granting domain users membership in the local administrator group on multiple systems can increase the risk of unauthorized system access and privilege escalation in the event of credential compromise. Organizations should restrict domain users' membership in the local administrator group to only the systems where such privileges are necessary for their roles or tasks, reducing the potential impact of security incidents and better controlling access to critical resources.
Limit the Use of Privileged Accounts
Privileged accounts, such as those belonging to system administrators or IT personnel, have elevated access rights and capabilities within the IT infrastructure. To minimize the risk of privilege misuse or abuse, organizations should restrict the use of privileged accounts to systems and tasks that specifically require those privileges, reducing the possibility of unauthorized access, limiting the scope of potential security breaches, and enhancing overall system security.
5. Insufficient Access Control Lists (ACLs) on Network Shares and Services
Data shares and repositories represent key targets for malicious actors due to the sensitive information they contain. Inadequate configuration of Access Control Lists (ACLs) by network administrators can inadvertently permit unauthorized users to access confidential or administrative data stored on shared drives, posing significant security risks: attackers could collect and exfiltrate sensitive data and leverage it for diverse purposes, such as extorting organizations or planning future network breaches.
Assessment teams commonly discover valuable information on network shares, including clear-text credentials for service accounts, web applications, and even domain administrators. This data not only facilitates subsequent malicious activities but also exposes organizations to heightened risks of extortion and compromised network integrity.
Strengthen Access to Resources
Utilize strong authentication mechanisms such as multi-factor authentication (MFA) to verify the identity of users accessing storage devices and network shares and regularly review and update access control lists (ACLs) to reflect changes in user permissions and organizational roles, thereby minimizing the risk of unauthorized access.
Audit, Identify, and Revoke Access
Grant users only the minimum level of access required to perform their job functions, and regularly audit user permissions and privileges to identify and revoke unnecessary access rights, reducing the potential attack surface and mitigating the risk of insider threats. It is also recommended to implement Role-Based Access Control (RBAC) mechanisms to streamline access management and enforce granular permissions based on users' roles and responsibilities within the organization.
Restrict Permissions
Enforce restrictive file and directory permissions to prevent unauthorized users from reading, writing, or executing sensitive data and system files, and enable file system auditing capabilities to track changes to file and directory permissions, facilitating timely response to security incidents and unauthorized access attempts.
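The ACL review recommended in the three subsections above (audit, RBAC, restrictive permissions), as an added example rather than code from the blog or the advisory: each share ACE is checked for a broad principal holding write access, a broad principal on a share marked sensitive, and a direct user entry where a role group should be used. Share names, principals, rights and the sensitive-share list are constructed; on Windows the entries would be gathered with Get-Acl or icacls.

```python
from dataclasses import dataclass

# Principals that effectively mean "everyone in the domain".
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Users"}
WRITE_RIGHTS = {"Write", "Modify", "FullControl"}

@dataclass
class Ace:
    share: str
    principal: str
    rights: str          # one of Read, Write, Modify, FullControl (simplified)
    is_group: bool = True

def audit(aces, sensitive_shares):
    """Return (share, principal, issue) triples for a reviewer to act on."""
    findings = []
    for ace in aces:
        broad = ace.principal in BROAD_PRINCIPALS
        if broad and ace.rights in WRITE_RIGHTS:
            findings.append((ace.share, ace.principal, "broad principal with write access"))
        if broad and ace.share in sensitive_shares:
            findings.append((ace.share, ace.principal, "broad principal on sensitive share"))
        if not ace.is_group:   # RBAC: permissions should flow through role groups
            findings.append((ace.share, ace.principal, "direct user ACE; use a role group"))
    return findings

# Constructed sample ACEs and sensitive-share list.
SAMPLE_ACES = [
    Ace("\\\\FS01\\Public", "Authenticated Users", "Read"),
    Ace("\\\\FS01\\Public", "Everyone", "Modify"),
    Ace("\\\\FS01\\IT-Scripts", "Domain Users", "Read"),
    Ace("\\\\FS01\\IT-Scripts", "IT-Admins", "FullControl"),
    Ace("\\\\FS01\\Finance", "jdoe", "Modify", is_group=False),
    Ace("\\\\FS01\\Finance", "Finance-Staff", "Modify"),
]
SENSITIVE = {"\\\\FS01\\IT-Scripts", "\\\\FS01\\Finance"}

if __name__ == "__main__":
    for share, principal, issue in audit(SAMPLE_ACES, SENSITIVE):
        print(f"{share} [{principal}]: {issue}")
```

The IT-Scripts finding is the case the assessment teams describe: a script folder readable by every domain user is where clear-text service credentials tend to be found.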
Conclusion
Now that you know the first half of the NSA and CISA’s 10 most common cybersecurity misconfigurations and their accompanying recommendations – avoid default configurations, separate user and administrator privileges, restrict code execution, monitor and limit system access controls, and strengthen authentication methods – our next blog post will cover the second half of the top 10 cybersecurity misconfigurations focusing on network access, authentication, and supervision.