Top 10 security misconfigurations revealed in advisory from NSA and CISA to enhance software security
The agencies emphasised the need for ‘secure by design’ principles in cybersecurity and offered recommendations, including eliminating default passwords and enhancing multifactor authentication, to address these vulnerabilities.
A recent advisory from two prominent cybersecurity and intelligence agencies sheds light on the common pitfalls in software configuration that can render products susceptible to hacking. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly released a list of the top 10 security misconfigurations frequently encountered in software offerings. This initiative aims to underscore the importance of embracing ‘secure by design’ principles promoted by cybersecurity agencies to ensure software is equipped with essential safeguards right from the start.
The top 10 most prevalent network configurations discovered during Red and Blue team assessments and by NSA and CISA Hunt and Incident Response teams include:
- Default configurations of software and applications
- Improper separation of user/administrator privilege
- Insufficient internal network monitoring
- Lack of network segmentation
- Poor patch management
- Bypass of system access controls
- Weak or misconfigured multifactor authentication (MFA) methods
- Insufficient access control lists (ACLs) on network shares and services
- Poor credential hygiene
- Unrestricted code execution
To address these issues, the agencies have put forth recommendations for manufacturers, such as the elimination of default passwords in products or applications, providing customers with high-quality logging tools at no extra cost, and making multi-factor authentication the default login method.
They also encourage personnel responsible for product security oversight to remove default login credentials and stay vigilant about regular patch installations.
Notably, efforts to enhance security configurations extend to medical devices, with the recent implementation of new cybersecurity mandates by the Food and Drug Administration (FDA) in the USA.