The NSA & CISA Advise American Business and Orgs on How To Prevent Common Security Breaches
If anyone needs advice during National Cybersecurity Awareness Month, it's American business and state governments.
The NSA and CISA can't permanently play whack-a-mole for them. Business, state governments and large orgs can profit themselves and the nation by taking cost saving measures to defend themselves, and thus, government networks they connect to.
(Lookin' at you, Microsoft, Apple, Google, Amazon.)
EXECUTIVE SUMMARY
The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations.
Through NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common network misconfigurations:
Default configurations of software and applications
Improper separation of user/administrator privilege
Insufficient internal network monitoring
Lack of network segmentation
Poor patch management
Bypass of system access controls
Weak or misconfigured multifactor authentication (MFA) methods
Insufficient access control lists (ACLs) on network shares and services
Poor credential hygiene
Unrestricted code execution
These misconfigurations illustrate (1) a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and (2) the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders:
Properly trained, staffed, and funded network security teams can implement the known mitigations for these weaknesses.
Software manufacturers must reduce the prevalence of these misconfigurationsthus strengthening the security posture for customersby incorporating secure-by-design and -default principles and tactics into their software development practices.[1]
NSA and CISA encourage network defenders to implement the recommendations found within the Mitigations section of this advisoryincluding the followingto reduce the risk of malicious actors exploiting the identified misconfigurations.
Remove default credentials and harden configurations.
Disable unused services and implement access controls.
Update regularly and automate patching, prioritizing patching of known exploited vulnerabilities.[2]
Reduce, restrict, audit, and monitor administrative accounts and privileges.
NSA and CISA urge software manufacturers to take ownership of improving security outcomes of their customers by embracing secure-by-design and-default tactics, including:
Embedding security controls into product architecture from the start of development and throughout the entire software development lifecycle (SDLC).
Eliminating default passwords.
Providing high-quality audit logs to customers at no extra charge.
Mandating MFA, ideally phishing-resistant, for privileged users and making MFA a default rather than opt-in feature.[3]
For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CKs Best Practices for MITRE ATT&CK Mapping and CISAs Decider Tool.[6],[7]
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a
Tetrachloride
(7,847 posts)No profanity
I bet a lot was left out
ancianita
(36,068 posts)usonian
(9,813 posts)And customers pay for it.
A data breach screws you even if you use only paper and pen.
ancianita
(36,068 posts)They won't admit their past cheaping on a survival priority, but they'll be paying attention to this once just one fellow competitor goes down internally, and these federal entities won't "help" them.
usonian
(9,813 posts)It's welfare for the lazy and cheap.
The govt. has been pushing standards and best practices, knowing that a snowball effect could be devastating. The govt. and all of us are justified in demanding more and demanding better.
With all the talk about AI, I recall when the Snort Intrusion Detection System was released (1998). That used some simple intelligence to detect attacks.
Presumably, some is built into network appliances used in organizations (who knows if they are used?)
One could do a lot more to detect anomalies and to monitor simple but often deadly attack vectors, like calls to the help desk ( "could I get the password to such and such account?" ) and internal actions that might have consequences. That's the one case where I'll support a bot assisting in daily work, if people aren't going to be really smart and cautious on their own (or they're under pressure to crank out the work)
"Please bail me out".
again
ancianita
(36,068 posts)Joint Warfighting Cloud Capability makes me nervous.
https://www.defense.gov/News/News-Stories/Article/Article/3243483/department-names-vendors-to-provide-joint-warfighting-cloud-capability/
If they gave this info to the NSA and CISA, they've been of some help, but I doubt this info originated with them.