Malicious cyber actors often exploit common weak security controls, poor configurations, and inadequate security practices to gain access to networks, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and allied nations said in a new alert.
The top 10 system weaknesses that cyber actors exploit include the following:
- Multifactor authentication (MFA) is not enforced.
- Incorrectly applied privileges or permissions and errors within access control lists.
- Software is not up to date.
- Use of vendor-supplied default configurations or default login usernames and passwords.
- Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access.
- Strong password policies are not implemented.
- Cloud services are unprotected.
- Open ports and misconfigured services are exposed to the internet.
- Failure to detect or block phishing attempts.
- Poor endpoint detection and response.
“As long as these security holes exist, malicious cyber actors will continue to exploit them,” said NSA Cybersecurity Director Rob Joyce. “We encourage everyone to mitigate these weaknesses by implementing the recommended best practices.”
Mitigations include the following:
Control access.
- Adopt a zero-trust security model. Zero-trust architecture enables granular privilege access management and can allow users to be assigned only the rights required to perform their assigned tasks.
- Limit the ability of a local administrator account to log in from a remote session (e.g., deny access to this computer from the network) and prevent access via an RDP session.
- Control who has access to your data and services (aka principle of least privilege). Give personnel access only to the data, rights, and systems they need to perform their job.
- Harden conditional access policies. Review and optimize VPN and access control rules to manage how users connect to the network and cloud services.
Verify that all machines, including cloud-based virtual machine instances do not have open RDP ports.
Implement Credential Hardening.
- Implement MFA. In particular, apply MFA on all VPN connections, external-facing services, and privileged accounts.
- Change or disable vendor-supplied default usernames and passwords. Enforce the use of strong passwords.
- Set up monitoring to detect the use of compromised credentials on your systems. Implement controls to prevent the use of compromised or weak passwords on your network.
Establish Centralized Log Management.
- Ensure that each application and system generates sufficient log information. By implementing robust log collection and retention, organizations are able to have sufficient information to investigate incidents and detect threat actor behavior.
Employ Antivirus Programs.
- Deploy an anti-malware solution on workstations to prevent spyware, adware, and malware as part of the operating system security baseline.
- Monitor antivirus scan results on a routine basis.
Employ Detection Tools and Search for Vulnerabilities.
- Implement endpoint and detection response tools. These tools allow a high degree of visibility into the security status of endpoints and can help effectively protect against malicious cyber actors.
- Employ an intrusion detection system or intrusion prevention system to protect network and on-premises devices from malicious activity.
- Conduct penetration testing to identify misconfigurations.
- Conduct vulnerability scanning to detect and address application vulnerabilities.
- Use cloud service provider tools to detect overshared cloud storage and monitor for abnormal accesses.
Maintain Rigorous Configuration Management Programs.
- Always operate services exposed on internet-accessible hosts with secure configurations.
Initiate a Software and Patch Management Program.
- Identify and mitigate unsupported, end-of-life, and unpatched software and firmware by performing vulnerability scanning and patching activities. Prioritize patching known exploited vulnerabilities.
