With more of the world relying on technology to connect and maintain business continuity over the last two years, malicious cyber actors have stepped up their game to exploit weaknesses in organizations’ IT infrastructure and conduct a broad range of attacks against both public and private entities.
However, network defenders and IT professionals can stop many of these attacks in their tracks by strengthening security controls, property configuring systems and practicing good cybersecurity hygiene, according to a joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other cybersecurity agencies from the UK, Canada, New Zealand, and the Netherlands.
The advisory lays out 10 weaknesses that are commonly found during investigations into network breaches, including a lack of multi-factor authentication and other poor credential practices, misconfigured ports, poor access controls and other mistakes that can easily be avoided, much of which boils down to end user training and education.
For attackers, exploiting these weaknesses isn’t all that difficult, as much of the weakness comes from either user error for a poorly configured security infrastructure.
1. Multi-factor authentication is not enforced
For credential-stealing attacks, multi-factor authentication (MFA) is a tried and true method of keeping accounts secure, forcing anyone logging in to produce another form of authentication. Per the advisory, this is critically important for Remote Desktop Protocol, one of the most common infection vectors for ransomware. Administrators accounts especially should be configured with MFA.
2. Incorrectly applied privileges or permissions and errors with access control lists
Organizations should follow the principle of least privilege, which essentially means giving users just enough access to systems they need to do their job effectively. For example, a non-IT end user should not have administrator access, and should not be able to make changes to the organization’s IT infrastructure or move laterally.
3. Software is not up to date
When organizations don’t update software in a timely manner, they are opening themselves up to vulnerabilities in the software that were patched in the recent releases. Hackers are quick at leveraging newly discovered vulnerabilities once they are published, so admins need to be just as quick at patching their software.
4. Use of vendor-supplied default configurations or default credentials
A lot of the software and hardware an organization deploys comes out of the box with default usernames and passwords and overly permissive default configurations designed to make the products user-friendly, but those can lead to compromise if they aren’t reset and made more secure after deployment. This includes network devices, many of which use default administrator credentials to make setup easier, such as “admin” for both username and password. That, of course, is not hard to guess.
5. Unsecured remote services, such as a virtual private network
According to CISA, hackers have stepped up their attacks against remote services in recent years due to remote and hybrid work. Many of those services, including virtual private networks (VPN), need to be secure with MFA, a boundary firewall and intrusion detection systems.
6. Weak password policies
Enforcing strong password policies is one of the easiest ways organizations can help prevent cyberattacks, as hackers use a variety of different methods to gain initial access, including simply guessing passwords or using leaked passwords to try against a user’s other accounts. This is a common strategy when targeting RDP, according to CISA.
7. Unprotected and misconfigured cloud services
With organizations doing most of their work via the cloud these days, it’s important to make sure those services are properly configured and secured. Poor configurations can lead to data theft and cryptojacking, CISA says.
8. Open ports and misconfigured services exposed online
CISA calls this one of the most commonly exploited weakness, as malicious actors use scanning tools to find open ports to use as an initial access vector, with successful compromise potentially leading to gaining access to RDP and other high-risk services.
9. Poor email security
Phishing remains one of the most widely used attack methods, so organizations should deploy tools that block phishing attempts and scan attachments for malware before they are opened.
10. Poor endpoint detection and response
Hackers often use obfuscated malicious scripts and PowerShell attacks to bypass endpoint security controls, making it difficult for admins to detect attackers, according to CISA.
How to fix these issues?
CISA recommends controlling access and hardening policies, hardening credentials, keeping detailed logs, deploying antivirus and detection tools, and maintaining a patch management program, among other steps. Read the advisory for more information.
Leave a Reply