Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

From the FBI, CISA and NSA: Stop Doing These 10 Things Inviting a Data Breach

May 19, 2022

ZDNet reported on May 18 that CISA, the FBI and National Security Agency (NSA), as well as cybersecurity authorities from Canada, New Zealand, the Netherlands, and the UK have compiled a list of the primary weak security controls, poor configurations, and poor security practices that cybersecurity folks should use to prevent initial access.

Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system,” CISA says.

Recent research by Palo Alto Networks found that 99% of cloud services utilize excessive permissions, against the well-known principle of least privilege to limit opportunities for attackers to breach a system.

Attackers often exploit public-facing applications, external remote services, and use phishing to obtain valid credentials and exploit trusted relationships and valid accounts.

The joint alert recommends MFA be enforced for everyone, especially since RDP is commonly used to deploy ransomware. “Do not exclude any user, particularly administrators, from an MFA requirement,” CISA notes.

Incorrectly applied privileges or permissions and errors in access control lists can prevent the enforcement of access control rules and could give unauthorized users or system processes access to objects.

We all know to ensure software is up to date. But also, don’t use vendor-supplied default configurations or default usernames and passwords. These might be ‘user friendly’ and help the vendor deliver faster troubleshooting, but they’re often publicly available ‘secrets’. The NSA strongly urges admins to remove vendor-supplied defaults in its network infrastructure security guidance.

“Network devices are also often pre-configured with default administrator usernames and passwords to simplify setup,” CISA notes. “These default credentials are not secure – they may be physically labeled on the device or even readily available on the internet. Leaving these credentials unchanged creates opportunities for malicious activity, including gaining unauthorized access to information and installing malicious software.”

CISA notes that remote services, such as VPNs, lack sufficient controls to prevent unauthorized access. Defenders should add access control mechanisms like MFA to lessen risks. Also, put the VPN behind a firewall, and use IDS and IPS sensors to detect suspicious network activity.

Other key problems include: Strong password policies are not implemented; open ports and internet-exposed services that can be scanned via the internet by attackers; failure to detect or block phishing using Microsoft Word and Excel documents booby-trapped with malicious macros; and poor endpoint detection and response.

CISA’s recommendations include control access measures, implanting credential hardening, establishing centralized log management, using antivirus, employing detection tools and searching for vulnerabilities, maintaining configuration management programs, and implementing patch management.

CISA also recommends adopting a zero-trust security model, but this is likely a long-term goal. US federal agencies have until 2024 to make significant progress on this goal.

A quick list of security “do not do this” include:

  • Multifactor authentication (MFA) is not enforced.
  • Incorrectly applied privileges or permissions and errors within access control lists.
  • Software is not up to date.
  • Use of vendor-supplied default configurations or default login usernames and passwords.
  • Remote services, such as VPNs, lack sufficient controls to prevent unauthorized access.
  • Strong password policies are not implemented.
  • Cloud services are unprotected.
  • Open ports and misconfigured services are exposed to the internet.
  • Failure to detect or block phishing attempts.
  • Poor endpoint detection and response.

Hyperlinks are provided for all these bullet points with more detailed information in the article.

Sharon D. Nelson, Esq., PresidentSensei Enterprises, Inc.
3975 University Drive, Suite 225Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology