WatchGuard Blog

Top 10 Misconfigurations according to CISA

Misconfigurations leave the door open to cybercriminals, which can lead to a range of serious problems, unauthorized access, loss of sensitive information, and disruption of services. In fact, many major data breaches are caused by misconfigurations. 

Alert to these dangers, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) recently released a joint advisory to warn about the most common cybersecurity misconfigurations in large organizations. The advisory is alarming, highlighting that even organizations with a mature security posture are also beset by these issues. 

What is a misconfiguration, and which are the most common network misconfigurations? 

The National Institute of Standards and Technology (NIST) defines a misconfiguration as "an incorrect or suboptimal configuration of an information system or system component that may lead to vulnerabilities."  

Based on NSA and CISA Red and Blue team assessments, as well as the activities of their Hunt and Incident Response Teams, these agencies identified the following 10 most common network misconfigurations:    

  1. Use of default configurations of software and applications 
  2. Improper separation of user/administrator privilege 
  3.  Insufficient internal network monitoring 
  4. Lack of network segmentation 
  5. Poor patch management 
  6. Bypass of system access controls 
  7. Weak or misconfigured multifactor authentication (MFA) methods 
  8. Insufficient access control lists (ACLs) on network shares and services 
  9. Poor credential hygiene 
  10. Unrestricted code execution 

The 4 phases in security-focused configuration management 

While the NSA and CISA advisory provides advice on how to avoid the listed misconfigurations, NIST establishes a framework for security-focused configuration management that sets out a series of recommendations to help keep all systems and networks secure. This framework comprises four key phases which aim to ensure that configurations are correct, regardless of whether they are commonly used or not:  

1- Planning:

In the first phase of the framework, organizations must identify their assets, assess the risks to which they are exposed and develop a secure configuration strategy.

2- Identifying and implementing configurations:

In this phase, it is time to implement the security configurations developed in the previous phase.  

3- Controlling configuration changes:

During the change control phase, organizations must establish a formal process for approving changes to configurations. This requires testing all changes to security configurations before they are deployed and keeping a record of each change. 

4- Monitoring:

The last phase focuses on monitoring security configurations for unauthorized changes.   

Security-focused configuration management is clearly a challenge, but a unified platform for security can help address this through a centralized overview of active systems, which enables configuration risks to be identified and prioritized faster and more efficiently. Moreover, automating tasks such as configuration deployment, change control, and monitoring can reduce misconfigurations and improve efficiency. 

Hiring the support of an MSP can also prove useful, as thanks to their expertise in this area, they can create and implement a security strategy that deals with the risks of misconfigurations. 

If you want to learn more about the benefits of adopting a unified security approach to protect corporate networks, check out the following posts on our blog: