A joint advisory released by the National Security Agency and the Cybersecurity and Infrastructure Security Agency listed the 10 most common cybersecurity misconfigurations found in large organizations' networks and the mitigations that reduce the risk arising from each.
The list includes default software and application configurations, improper user and administrator privilege separation and insufficient monitoring of internal networks, according to the advisory released Thursday.
NSA and CISA found that some organizations lack network segmentation, effective patch management and sufficient access control lists on network shares and services. In other cases, system access controls are bypassed, multifactor authentication methods are weak or misconfigured, credential hygiene is poor and code execution is unrestricted.
The agencies urged network defenders to strengthen configurations, implement access controls, prioritize patching of commonly exploited vulnerabilities and monitor and reduce administrative privileges.
For software manufacturers, the NSA and CISA Red and Blue Teams pushed for the adoption of secure-by-design and secure-by-default principles to reduce the prevalence of these misconfigurations and the burden they place on network defenders.
Eric Goldstein, CISA’s executive assistant director for cybersecurity, echoed the call for practicing secure-by-design tactics. “While enterprises can and must take steps to identify and address these misconfigurations, we know that scalable progress requires urgent action by software manufacturers, particularly by adopting Secure by Design practices where software is designed securely from inception to end-of-life and by taking ownership to improve security outcomes of their customers,” Goldstein wrote in a blog post.