Top 10 configuration flaws identified by CISA expose underlying vulnerabilities in systems
In a recent advisory, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have emphasized the importance of secure-by-design principles to combat common cybersecurity misconfigurations in large organizations.
The advisory identifies the ten most common weaknesses, including default software and application configurations, insufficient internal network monitoring, poor patch management, and weak or misconfigured multi-factor authentication (MFA), among others. Cybersecurity experts and analysts regard the controls that address these weaknesses as basic standards and long-established best practice.
Katell Thielemann, a distinguished VP analyst at Gartner, notes that these misconfigurations have changed little over the past decade, and that no cybersecurity professional should be surprised by them. She is concerned, however, that even large organizations struggle to handle these issues; if they do, small- and medium-size enterprises with fewer resources are likely to struggle as well.
Heath Mullins, a senior analyst at Forrester, advises addressing these shortcomings from day one, including hard-coded passwords, identity configuration drift, asset protection, and network access. On the vendor side, the advisory recommends eliminating default passwords, mandating multi-factor authentication (ideally phishing-resistant) for privileged users rather than offering it as an opt-in feature, and providing high-quality audit logs to customers at no additional cost.
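Several of the items above (hard-coded or default passwords, identity configuration drift, privileged accounts without strong MFA, and missing audit logs) can be checked mechanically against an inventory export. The following is an added illustration, not code from the advisory or from either analyst; the account records, the default-password list, the baseline of approved privileged users, the logging settings and the 90-day retention threshold are all constructed assumptions, and the flat unsalted-hash field stands in for whatever a real directory export would provide.

```python
"""Audit a constructed inventory for four misconfiguration classes named in the
article: default/hard-coded passwords, privilege drift against a baseline,
privileged accounts without phishing-resistant MFA, and weak audit logging.

Added example with constructed data; nothing here is taken from the advisory.
"""
import hashlib
from typing import Dict, List, Set, Tuple


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Assumption: a short list of passwords a vendor is known to ship by default.
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "Welcome1"}
# Real directories store salted hashes; there you would test each default
# against the stored hash with its own scheme instead of a plain lookup.
DEFAULT_HASHES = {sha256_hex(p) for p in KNOWN_DEFAULT_PASSWORDS}

# Assumption: the approved set of accounts allowed to hold privileged roles.
BASELINE_PRIVILEGED: Set[str] = {"alice", "svc-backup"}

# Constructed directory export (hypothetical users and passwords).
ACCOUNTS: List[Dict] = [
    {"user": "alice",      "privileged": True,  "mfa": "fido2", "pw_sha256": sha256_hex("correct horse battery")},
    {"user": "bob",        "privileged": True,  "mfa": "none",  "pw_sha256": sha256_hex("changeme")},
    {"user": "svc-backup", "privileged": True,  "mfa": "none",  "pw_sha256": sha256_hex("R4nd0m-Generated-Secret")},
    {"user": "carol",      "privileged": False, "mfa": "sms",   "pw_sha256": sha256_hex("Summer2024!")},
]

# Constructed logging settings; the 90-day minimum is an assumption, not a
# figure from the advisory.
AUDIT_LOGGING = {"enabled": False, "retention_days": 0}
MIN_RETENTION_DAYS = 90

# MFA methods treated as phishing-resistant for this check (assumption).
PHISHING_RESISTANT = {"fido2", "smartcard", "passkey"}


def find_default_passwords(accounts: List[Dict]) -> List[str]:
    """Users whose stored hash matches a known vendor default."""
    return [a["user"] for a in accounts if a["pw_sha256"] in DEFAULT_HASHES]


def find_identity_drift(accounts: List[Dict], baseline: Set[str]) -> Set[str]:
    """Accounts holding privilege now that are not in the approved baseline."""
    current = {a["user"] for a in accounts if a["privileged"]}
    return current - baseline


def find_weak_mfa(accounts: List[Dict]) -> List[Tuple[str, str]]:
    """Privileged accounts whose MFA method is absent or not phishing-resistant."""
    return [(a["user"], a["mfa"]) for a in accounts
            if a["privileged"] and a["mfa"] not in PHISHING_RESISTANT]


def check_audit_logging(cfg: Dict) -> List[str]:
    """Findings for disabled logging or retention below the chosen minimum."""
    findings = []
    if not cfg.get("enabled"):
        findings.append("audit logging disabled")
    retention = cfg.get("retention_days", 0)
    if retention < MIN_RETENTION_DAYS:
        findings.append(f"retention {retention}d below {MIN_RETENTION_DAYS}d")
    return findings


def run_audit(accounts: List[Dict] = ACCOUNTS,
              baseline: Set[str] = BASELINE_PRIVILEGED,
              logging_cfg: Dict = AUDIT_LOGGING) -> Dict[str, list]:
    """Run all four checks and return findings keyed by misconfiguration class."""
    return {
        "default_passwords": find_default_passwords(accounts),
        "privilege_drift": sorted(find_identity_drift(accounts, baseline)),
        "weak_mfa": find_weak_mfa(accounts),
        "audit_logging": check_audit_logging(logging_cfg),
    }


if __name__ == "__main__":
    for category, findings in run_audit().items():
        print(f"{category}: {findings}")
```

Against the constructed data the audit flags "bob" for a default password and for privilege he holds outside the baseline, both "bob" and "svc-backup" for privileged access without phishing-resistant MFA, and the logging configuration for being disabled and retaining nothing. A baseline-versus-current set difference is the core of any drift check; the remaining checks are simple policy predicates over the export, which is the point: none of these findings require sophisticated tooling to surface.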
To improve cybersecurity outcomes, the NSA and CISA recommend several measures for software manufacturers. As summarized here, these include comprehensive software attack auditing, advanced software hardening and rewriting, formal verification, configuration hardening guidance, unified malware analysis platforms, and adherence to cybersecurity supply chain risk management. The aim is to shift the burden from customers to manufacturers: products shipped with secure configuration baselines and analysis tooling built in leave fewer opportunities for the common misconfigurations the advisory found in large organizational environments.
Thielemann acknowledges that the basic principles of cybersecurity aren't as simple to implement as one might think, given the complexities of real-world environments. Mullins views the report as a wake-up call for leadership: these issues are common and widespread, yet not clearly understood by anyone without a wide and deep understanding of security practices.
The advisory calls on software manufacturers to take ownership of improving security outcomes for their customers. Its findings about systemic weaknesses in large organizations' network infrastructure serve as a reminder that cybersecurity is everyone's responsibility, and that proactive measures are essential for a secure digital future.
- The NSA and CISA advisory recommends that software manufacturers implement comprehensive software attack auditing, advanced software hardening and rewriting, formal verification, and unified malware analysis platforms to improve software security and reduce misconfigurations.
- To deliver secure network infrastructure to their customers, manufacturers are asked to practice cybersecurity supply chain risk management, in line with executive orders that emphasize compliance with NIST supply chain risk management standards, including security testing and acquisition protocols.
- To help large organizations secure their networks, the advisory also points to configuration hardening guidance, such as Kubernetes hardening guidance and specific configuration recommendations for software like Adobe Acrobat Reader.