The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) recently published an article highlighting 10 of the most common cybersecurity misconfigurations, identified by their red and blue teams within the networks of major organizations. In this article, we aim to review each of them, understand how they can affect an organization’s overall security, and most importantly, how to mitigate them.
Part 2. Network Access, Authentication, and Supervision
In our last blog post, we introduced the first half of the NSA and CISA’s top 10 cybersecurity misconfigurations and how to mitigate them, focusing on configuration, permissions, and access control. This week, we will conclude our discussion by covering the second half of the top cybersecurity misconfigurations, focusing on network access, authentication, and supervision.
6. Lack of Network Segmentation
Network segmentation is a critical security practice that establishes boundaries within a network between user, production, and critical system. Inadequate or absence of proper segmentation can allow an attacker, who has compromised a resource on the network, to move laterally across various systems without encountering obstacles and gain unauthorized access to other systems or resources within the same network, increasing the vulnerability to ransomware attacks and post-exploitation techniques.
Separate Your Environments
Divide your network into distinct segments or environments based on their functions or purposes, for example, have separate environments for production (where live data and applications reside), pre-production (for testing changes before deployment), and development (for ongoing software development and experimentation). By segregating these environments, access to resources and services can be controlled more granularly and reduce the risk of unauthorized access or interference between different stages of development and deployment.
Segment Your Network
Use a combination of technologies such as firewalls and Virtual Local Area Network (VLANs) to enforce security boundaries between different segments of your network. Firewalls help regulate and monitor traffic between network segments, allowing you to define and enforce specific rules for communication. VLANs allow logically segment a single physical network into multiple virtual networks, each with its own set of rules and access controls. Used in combination, these provide layers of defense that help prevent unauthorized access and contain potential security breaches.
Implement Air-Gapped Networks
For highly sensitive or classified environments where the risk of cyber threats is exceptionally high, implementing air-gapped networks is crucial, physically isolated from external networks, meaning no connections to the Internet or other external public networks. Such isolation significantly reduces the risk of remote cyber-attacks and unauthorized data exfiltration. However, maintaining air-gapped networks can be challenging due to limitations on data transfer and accessibility.
7. Insufficient Internal Network Monitoring
Regularly auditing and monitoring your network is essential for maintaining visibility into network activity, detecting anomalies or suspicious behavior, and ensuring compliance with security policies. By deploying robust monitoring tools and conducting periodic audits, you can identify potential security gaps, unauthorized access attempts, or misconfigurations that may compromise the integrity of your network segmentation strategy. Additionally, proactive monitoring enables quick response to security incidents and helps prevent potential data breaches or system compromises.
Implement Continuous Monitoring
We recommend implementing a vendor-agnostic, supervision solution like ISEC7 Sphere, often compared with Security Information and Event Management (SIEM) solutions. Event log monitoring and management is only one integral component of ISEC7 Sphere, which is used to collect, aggregate, correlate, and analyze security event data from many types of systems, from web and mail servers to Unified Endpoint Management (UEM) solutions, as well as cybersecurity suites used for Threat Detection, Prevention and Response (EPP, EDR, and MTD). Data is sent to or collected from ISEC7 Sphere from the following sources: hardware devices, virtual machines, security appliances, and software and services running within the solution network(s), offering Continuous Monitoring of the whole infrastructure.
Perform A Cryptographic Inventory
Perform a cyber risk discovery and cryptographic inventory using a cryptographic monitoring and risk assessment tool like Quantum Xchange™ CipherInsights, to monitor your network and identifies cryptographic vulnerabilities in real time, including unencrypted traffic, clear-text passwords, expired certificates, self-signed intermediate certificate authorities, insecure encryption, providing a clear understanding of your cybersecurity posture and a prioritized list of risk mitigation to maintain compliance, pass audits, and better prepare for the inevitable migration to Post-Quantum Cryptography (PQC).
8. Poor Patch Management
The release of patches and updates by hardware and software vendors allows to address security vulnerabilities, but inadequate patch management practices, characterized by irregular patching schedules and the utilization of unsupported operating systems (OSs) and outdated firmware, create opportunities for malicious actors to identify and exploit open attack vectors and critical vulnerabilities.
Proactive and consistent patching practices, combined with the use of approved, up-to-date, and supported software and firmware, help maintain a robust security posture and mitigate potential threats.
Common Vulnerability and Exploit (CVE)
ISEC7 Sphere collects Common Vulnerability and Exploit (CVE) for monitored systems from the National Vulnerability Database (NVD), a public vulnerability repository maintained by the Cybersecurity & Infrastructure Security Agency (CISA), that provides information about known vulnerabilities. ISEC7 Sphere displays them under the affected system and can consider that information to calculate the server status. Administrators can easily click on said CVEs to review them, then acknowledge them once installed on the corresponding systems.
Example of CVE monitoring results for an affected Ivanti EPMM server under ISEC7 Sphere.
Security Patch Revisions
ISEC7 Sphere can also display a chart with the number of mobiles devices that are operating using security patch levels of the given timeframes in months, helping quickly identify which devices need to be updated, to not only improve the device’s overall performance, but most importantly, ensure said devices remain safe and protected from potential security threats.
9. Poor Credential Hygiene
Poor credential hygiene encompasses the use of easily guessable or hackable passwords and the disclosure of passwords in clear text, creating vulnerabilities that enable malicious actors to acquire credentials for various malicious activities, such as initial access, persistence, or lateral movement.
Review Your Password Policy
The National Institute of Standards and Technology (NIST), a U.S. government agency that develops standards and guidelines to promote technology, cybersecurity, and innovation across various industries, provides guidelines for digital identity authentication in its Special Publication 800-63-3, one of the key areas covering password requirements, suggesting a minimum password length of 8 characters and discouraging arbitrary complexity rules, but instead, use all ASCII characters, including spaces, as well as emphasize screening against commonly used passwords and dictionary words. Importantly, against what most IT professionals have been taught for so long, and as enforced by many software vendors and organizations, frequent password changes should be avoided, as this practice can lead to weaker passwords. Use of longer, easy-to-remember passphrases, enabling users to create strong but memorable credentials, should be promoted.
“No Passwords Are Good Passwords”
Passwordless authentication mechanisms have gained popularity as alternatives to traditional password-based authentication due to their enhanced security and user convenience, offering stronger security, reduced password-related risks (like phishing), enhanced user experience, and streamlined access through biometrics, tokens, or device-based methods. Such mechanisms include biometric authentication, Multi-Factor Authentication (MFA) without password, Public Key Infrastructure (PKI), Mobile Device-Based Authentication, External Security Keys and FIDO2 passkeys.
10. Weak or Misconfigured Multifactor Authentication (MFA) Methods
Multi-Factor Authentication (MFA) is an authentication method, part of the Identity and Access Management (IdAM) framework, that requires a user to present two or more pieces of evidence (or factors) to authenticate, including something a user knows (ex: credential), something a user physically possess (ex: mobile device, hardware token…), or something a user is (ex: biometrics).
MFA as Mandatory
Making it mandatory for all employees, particularly those with privileged access, is key to reenforcing the cybersecurity defenses of your organization. Privileged accounts represent high-value targets for malicious cyber actors seeking unauthorized access to critical systems and sensitive data. By enforcing MFA, organizations add an additional layer of security beyond passwords, significantly reducing the risk of account compromise due to phishing, brute force attacks, or stolen credentials.
Phishing-Resistant MFA
But while implementing MFA is a crucial measure in mitigating the risk posed by cyber threat actors who exploit compromised credentials to infiltrate networks and carry out malicious actions, it is important to highlight that not all types of MFA offer the same level of security.
The U.S. Cybersecurity and Information Security Agency (CISA) encourages organizations to adopt phishing-resistant MFA, like Fast Identity Online (FIDO) and Web Authentication (WebAuthn) standards for passwordless and strong authentication, or Public Key Infrastructure-based (PKI-based) MFA which combines PKI technology with MFA methods for secure user authentication.
What To Do Next?
Now that we’ve covered the second half of the NSA and DISA’s top 10 cybersecurity misconfigurations and recommendations, including separate your environments and segment your network, audit, and monitor your network, use proactive and consistent patching practices, review your password policy, and make MFA mandatory, you may be wondering how to best go about implementing these changes.
Improve your security posture by implementing a management and monitoring solution like ISEC7 Sphere to monitor your whole mobile infrastructure, including back-end messaging servers, EMM/UEM solutions, IoT devices and all employees’ endpoints, from desktop computers to mobile devices.
