Blog entry by Les Bell

by Les Bell - Monday, 9 October 2023, 8:40 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


NSA, CISA Highlight Common Security Misconfigurations

A new advisory released by the NSA and CISA highlights the most common cybersecurity misconfigurations identified by the agencies during red team/blue team assessments conducted by their Hunt and Incident Response teams. The 10 most common network misconfigurations are:

  1. Default configurations of software and applications
  2. Improper separation of user/administrator privilege
  3. Insufficient internal network monitoring
  4. Lack of network segmentation
  5. Poor patch management
  6. Bypass of system access controls
  7. Weak or misconfigured multifactor authentication (MFA) methods
  8. Insufficient access control lists (ACLs) on network shares and services
  9. Poor credential hygiene
  10. Unrestricted code execution

The advisory explains each category of misconfiguration, with examples, and maps them to the MITRE ATT&CK and D3FEND frameworks. Taking just the first category as an example - Default configurations - these are mainly default credentials and default service permissions and configuration settings:

A lot of software, and some devices, ship with predefined default credentials for privileged admin accounts. Threat actors routinely use simple searches [T1589.001] to find these and gain authenticated access [T1078.001]. They may also reset these accounts [T1098] via predictable forgotten password questions. Other techniques include leveraging default VPN credentials to get internal network access [T1133], using well-known setup information to gain access to web applications and the databases behind them, and leveraging default credentials on software deployment tools [T1072] for code execution and lateral movement.

Many services have overly permissive access controls or vulnerable default configurations. In the Windows environment, these can include Active Directory Certificate Services, insecure legacy protocols and services such as the NetBIOS name service, and the SMB protocol, which even today does not require network messages to be signed to assure authenticity and integrity. These services allow a variety of exploits, including Golden Ticket attacks and a variety of spoofing, poisoning and relay techniques - not to mention extraction of hashes, allowing a leisurely dictionary or rainbow tables attack.
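A hardening check that follows from the paragraph above, written as an added example for this briefing rather than taken from the advisory or from NSA/CISA: it audits whether SMB signing is merely enabled or actually required on both the server and client side, whether SMBv1 is still switched on, and whether NetBIOS over TCP/IP has been disabled on each IP-enabled adapter, then lists the remediation command for every failing check. It assumes a Windows 8 / Server 2012 or later host (SmbShare module present) and an elevated PowerShell session; the cmdlets and the WMI method it calls are standard Windows ones.

```powershell
# Added example (not from the advisory): audit two of the insecure Windows
# defaults called out above - SMB signing not required, and the NetBIOS
# name service left enabled - and report what would need to change.
# Assumes Windows 8 / Server 2012 or later and an elevated session.
# Remediation is only printed, never executed, so the script is read-only.

function Get-SmbSigningFinding {
    # SMB signing defends against relay and tampering only when it is
    # *required*; merely "enabled" lets an unsigned peer negotiate it away.
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    [PSCustomObject]@{
        Check     = 'SMB server requires signing'
        Value     = $server.RequireSecuritySignature
        Compliant = [bool]$server.RequireSecuritySignature
        Remediate = 'Set-SmbServerConfiguration -RequireSecuritySignature $true -Force'
    }
    [PSCustomObject]@{
        Check     = 'SMB client requires signing'
        Value     = $client.RequireSecuritySignature
        Compliant = [bool]$client.RequireSecuritySignature
        Remediate = 'Set-SmbClientConfiguration -RequireSecuritySignature $true -Force'
    }
    [PSCustomObject]@{
        Check     = 'SMBv1 disabled'
        Value     = $server.EnableSMB1Protocol
        Compliant = -not $server.EnableSMB1Protocol
        Remediate = 'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    }
}

function Get-NetbiosFinding {
    # TcpipNetbiosOptions: 0 = take the DHCP setting (default), 1 = enabled,
    # 2 = disabled. Only 2 is a deliberate hardening choice; 0 usually means
    # NetBIOS name service is listening.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [PSCustomObject]@{
                Check     = "NetBIOS over TCP/IP disabled on $($_.Description)"
                Value     = $_.TcpipNetbiosOptions
                Compliant = ($_.TcpipNetbiosOptions -eq 2)
                Remediate = "Invoke-CimMethod -InputObject (Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'Index = $($_.Index)') -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }"
            }
        }
}

$findings = @(Get-SmbSigningFinding) + @(Get-NetbiosFinding)
$findings | Format-Table Check, Value, Compliant -AutoSize

# Emit the remediation command for each non-compliant item. Apply them only
# after confirming that no legacy client in the environment still depends on
# unsigned SMB or on NetBIOS name resolution.
$findings | Where-Object { -not $_.Compliant } | ForEach-Object { "# $($_.Remediate)" }
```

The findings are emitted as objects rather than text so the same script can feed a SCAP-style compliance report or be run across a fleet with Invoke-Command and the results aggregated.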

The other categories are given similar treatment, with details of the typical vulnerabilities and the exploits they enable. The focus in this section is not so much on mitigation as on work that should have been performed earlier, as systems are installed and deployed. Many of these misconfiguration problems should have been dealt with during a system hardening and automated audit process, for example using SCAP (Security Content Automation Protocol), or even earlier, during system design and development.

There is one exception, however, and that is poor credential hygiene, which currently has to be dealt with via security education, training and awareness (remember, October is Cybersecurity Awareness Month so now is the time to get on top of this). In the long run, of course, the answer lies in the use of multi-factor authentication and cryptographic techniques which will hopefully see an end to passwords altogether (well, we can dream . . .).

Having said that, the advisory concludes with two long sets of tables of mitigations - one for defenders of production systems and networks, and one for software manufacturers. Think of this as a long 'to-do list' to be pinned to the wall; there's a good chance some of these tasks have been overlooked in your environment. The final section of the advisory is a list of references, which itself points to a lot of useful information.

CISA, NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations, cybersecurity advisory AA23-278A, 5 October 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a. Direct PDF download at https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
