Cyber attackers regularly exploit unpatched software vulnerabilities, but they “routinely” target security misconfigurations for initial access, so the US Cybersecurity and Infrastructure Security Agency (CISA) and its peers have created a to-do list for defenders in today’s heightened threat environment.
CISA, the FBI and the National Security Agency (NSA), together with cybersecurity authorities from Canada, New Zealand, the Netherlands, and the UK, have compiled a list of the main weak security controls, poor configurations, and poor security practices that attackers use to gain initial access, and that defenders should therefore address. It also contains the authorities’ collective recommended mitigations.
“Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system,” CISA says.
The list of actions includes all the obvious candidates, such as enabling multi-factor authentication (MFA) on key systems such as virtual private networks (VPNs), but even these are prone to misconfiguration when implemented in complex IT environments.
For example, last year Russian hackers combined a default policy shared by multiple MFA solutions with a Windows printer privilege-escalation flaw to disable MFA for active domain accounts and then establish remote desktop protocol (RDP) connections to Windows domain controllers. This complexity also shows in the choice, deployment and use of VPNs, whose adoption escalated after the pandemic struck.
Recent research by Palo Alto Networks found that 99% of cloud services utilize excessive permissions, against the well-known principle of least privilege to limit opportunities for attackers to breach a system.
The security controls outlined in CISA’s list serve as a useful checklist for organizations, many of which deployed remote-working IT infrastructure hastily due to the pandemic, and amid today’s heightened geopolitical tensions due to Russia’s invasion of Ukraine. It also follows the EU joining the US and the Five Eyes in jointly blaming the Russian military for this year’s cyberattack against Viasat’s European satellite broadband users.
As noted in the joint alert, attackers commonly exploit public-facing applications, external remote services, and use phishing to obtain valid credentials and exploit trusted relationships and valid accounts.
The joint alert recommends that MFA be enforced for everyone, especially since RDP is commonly used to deploy ransomware. “Do not exclude any user, particularly administrators, from an MFA requirement,” CISA notes.
Incorrectly applied privileges or permissions and errors in access control lists can prevent the enforcement of access control rules and could give unauthorized users or system processes access to objects.
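The excessive cloud permissions in the Palo Alto Networks finding above and the access control list errors in this paragraph are the same failure of least privilege seen from two angles, and both are easier to catch when policies are audited automatically. The following Python script is an added example, not code from the advisory, CISA, or Palo Alto Networks: it parses an AWS IAM-style policy document (a constructed sample, with placeholder account and bucket names) and flags the patterns that most often mean a principal has far more access than it needs: `Action: "*"`, service-wide wildcards such as `iam:*`, `Resource: "*"` with no `Condition` narrowing it, and `NotAction`/`NotResource` statements, which grant everything except the listed items. Explicit `Deny` statements are skipped, since they only narrow access.

```python
import json
from dataclasses import dataclass
from typing import Any, List

# Constructed sample policy in AWS IAM JSON syntax. Account ID, role and
# bucket names are placeholders, not real resources.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminAll",   "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ReadBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-logs/*"},
    {"Sid": "IamWild",    "Effect": "Allow", "Action": ["iam:*"],
     "Resource": "arn:aws:iam::123456789012:role/app-role"},
    {"Sid": "DenyDelete", "Effect": "Deny",  "Action": "s3:DeleteObject",
     "Resource": "*"}
  ]
}
"""


@dataclass
class Finding:
    """One least-privilege violation, tied to the statement's Sid."""
    sid: str
    reason: str


def _as_list(value: Any) -> List[Any]:
    # IAM allows a single string or a list in Action/Resource/Statement.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json: str) -> List[Finding]:
    """Return least-privilege findings for an IAM-style policy document."""
    policy = json.loads(policy_json)
    findings: List[Finding] = []
    for stmt in _as_list(policy.get("Statement")):
        # Deny statements narrow access; only Allow grants can be excessive.
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # NotAction / NotResource invert the match: everything EXCEPT the
        # listed items is granted, which is almost never what was intended.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(Finding(sid, "NotAction/NotResource grants "
                                         "everything except the listed items"))

        if "*" in actions:
            findings.append(Finding(sid, "Action '*' grants every API call"))
        else:
            for action in actions:
                if action.endswith(":*"):
                    findings.append(Finding(sid, f"service-wide wildcard action {action}"))

        # Resource '*' is sometimes unavoidable for a few APIs, but without a
        # Condition scoping it the grant applies to every resource in the account.
        if "*" in resources and not stmt.get("Condition"):
            findings.append(Finding(sid, "Resource '*' with no Condition"))
    return findings


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"[{f.sid}] {f.reason}")
```

Run against the sample, the script reports two findings for `AdminAll` and one for `IamWild`, while the scoped `ReadBucket` statement passes. In practice the input would be the policy documents pulled from an account inventory rather than an embedded string, and the checks here are a starting point: a statement that combines a wildcard action with a single narrow resource still deserves review by whoever owns that resource.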
Of course, make sure software is up to date. But also don’t use vendor-supplied default configurations or default usernames and passwords. These might be ‘user friendly’ and help the vendor deliver faster troubleshooting, but they’re often publicly available ‘secrets’. The NSA strongly urges admins to remove vendor-supplied defaults in its network infrastructure security guidance.
“Network devices are also often pre-configured with default administrator usernames and passwords to simplify setup,” CISA notes. “These default credentials are not secure – they may be physically labeled on the device or even readily available on the internet. Leaving these credentials unchanged creates opportunities for malicious activity, including gaining unauthorized access to information and installing malicious software.”
CISA notes that remote services, such as VPNs, lack sufficient controls to prevent unauthorized access. Defenders should add access control mechanisms like MFA to reduce risks. Also, put the VPN behind a firewall, and use IDS and IPS sensors to detect suspicious network activity.
Other key problems include: strong password policies are not implemented; open ports and internet-exposed services that can be scanned via the internet by attackers; failure to detect or block phishing using Microsoft Word and Excel documents booby-trapped with malicious macros; and poor endpoint detection and response.
CISA’s recommendations include access control measures, implementing credential hardening, establishing centralized log management, using antivirus, employing detection tools and searching for vulnerabilities, maintaining configuration management programs, and implementing patch management.
CISA also recommends adopting a zero-trust security model, but this is likely a long-term goal. US federal agencies have until 2024 to make significant headway on this aim.
The full list of security ‘don’ts’ includes:
- Multifactor authentication (MFA) is not enforced.
- Incorrectly applied privileges or permissions and errors within access control lists.
- Software is not up to date.
- Use of vendor-supplied default configurations or default login usernames and passwords.
- Remote services, such as VPNs, lack sufficient controls to prevent unauthorized access.
- Strong password policies are not implemented.
- Cloud services are unprotected.
- Open ports and misconfigured services are exposed to the internet.
- Failure to detect or block phishing attempts.
- Poor endpoint detection and response.