[BreachExchange] FBI and NSA say: Stop doing these 10 things that let the hackers in

Matthew Wheeler mwheeler at flashpoint-intel.com
Wed May 18 08:27:27 EDT 2022


https://www.zdnet.com/article/fbi-and-nsa-say-stop-doing-these-10-things-that-let-the-hackers-in/

Cyber attackers regularly exploit unpatched software vulnerabilities, but
they "routinely" target security misconfigurations for initial access, so
the US Cybersecurity and Infrastructure Security Agency (CISA) and its
peers have created a to-do list for defenders in today's heightened threat
environment.

CISA, the FBI and National Security Agency (NSA), as well as cybersecurity
authorities from Canada, New Zealand, the Netherlands, and the UK, have
compiled a list of the main weak security controls, poor configurations,
and poor security practices that attackers exploit to gain initial access,
together with the authorities' collective recommended mitigations that
defenders should implement.

"Cyber actors routinely exploit poor security configurations (either
misconfigured or left unsecured), weak controls, and other poor cyber
hygiene practices to gain initial access or as part of other tactics to
compromise a victim's system," CISA says.


The list includes all the obvious candidates, such as enabling
multi-factor authentication (MFA) on key systems like virtual private
networks (VPNs), but even these controls are prone to misconfiguration when
implemented in complex IT environments.

For example, last year Russian hackers combined a default policy shared by
multiple MFA solutions with a Windows printer privilege-escalation flaw to
disable MFA for active domain accounts and then establish remote desktop
protocol (RDP) connections to Windows domain controllers. The same
complexity can be seen in the choice, deployment and use of VPNs, whose
adoption escalated after the pandemic struck.

Recent research by Palo Alto Networks found that 99% of cloud services use
excessive permissions, contrary to the well-known principle of least
privilege, which limits attackers' opportunities to breach a system.

The security controls outlined in CISA's list serve as a useful checklist
for organizations, many of which deployed remote-working IT infrastructure
hastily due to the pandemic and now operate amid heightened geopolitical
tensions due to Russia's invasion of Ukraine. The alert also follows the EU
joining the US and its Five Eyes partners in jointly blaming the Russian
military for this year's cyberattack against Viasat's European satellite
broadband users.

As noted in the joint alert, attackers commonly exploit public-facing
applications and external remote services, use phishing to obtain valid
credentials, and abuse trusted relationships and valid accounts.

The joint alert recommends that MFA be enforced for everyone, especially
since RDP is commonly used to deploy ransomware. "Do not exclude any user,
particularly administrators, from an MFA requirement," CISA notes.
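As an added example (not from the article or the joint alert), the following Python script applies the "no exclusions from MFA" rule as a detection over a few constructed remote-access logon records: it flags every successful VPN or RDP logon that completed without MFA and ranks hits on privileged accounts first, so an administrator bypass like the one described above surfaces at the top of the queue. The key=value log format, account names, addresses and the privileged-account list are all constructed for illustration and do not correspond to any real product's log schema.

```python
"""Flag successful remote-access logons that bypassed MFA, admins first.

Added example, not from the article or CISA. The log format, field names,
accounts and the privileged-account set are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines in a generic key=value format.
SAMPLE_LOG = """\
ts=2022-05-18T08:01:12Z event=logon result=success user=alice service=vpn mfa=yes src=203.0.113.10
ts=2022-05-18T08:03:40Z event=logon result=success user=svc_backup service=rdp mfa=no src=198.51.100.7 dst=dc01
ts=2022-05-18T08:05:02Z event=logon result=success user=bob.admin service=rdp mfa=no src=198.51.100.9 dst=dc01
ts=2022-05-18T08:06:30Z event=logon result=failure user=carol service=vpn mfa=no src=203.0.113.55
ts=2022-05-18T08:09:11Z event=logon result=success user=dave service=vpn mfa=no src=203.0.113.20
ts=2022-05-18T08:10:00Z event=logon result=success user=bob.admin service=vpn mfa=yes src=203.0.113.21
"""

# Constructed set of accounts holding admin rights; in practice this would be
# derived from privileged-group membership in the directory.
PRIVILEGED_ACCOUNTS = {"bob.admin", "svc_backup"}

# Remote-access services where the alert says MFA must apply to every user.
REMOTE_SERVICES = {"vpn", "rdp"}

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    service: str
    severity: str  # "high" for privileged accounts, "medium" otherwise
    detail: str


def parse_line(line):
    """Turn one key=value log line into a dict; None for blank lines."""
    line = line.strip()
    if not line:
        return None
    return dict(KV_RE.findall(line))


def find_mfa_bypass(log_text, privileged=PRIVILEGED_ACCOUNTS):
    """Return Findings for successful VPN/RDP logons that had no MFA step."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or ev.get("event") != "logon" or ev.get("result") != "success":
            continue  # only successful logons matter for this rule
        if ev.get("service") not in REMOTE_SERVICES or ev.get("mfa") == "yes":
            continue  # not a remote-access path, or MFA was completed
        user = ev.get("user", "?")
        severity = "high" if user in privileged else "medium"
        detail = f"{ev['service']} logon without MFA from {ev.get('src', '?')}"
        if ev.get("dst"):
            detail += f" to {ev['dst']}"
        findings.append(Finding(ev.get("ts", "?"), user, ev["service"], severity, detail))
    # Privileged accounts first, then chronological, so admins are triaged first.
    findings.sort(key=lambda f: (f.severity != "high", f.ts))
    return findings


if __name__ == "__main__":
    for f in find_mfa_bypass(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.ts} {f.user}: {f.detail}")
```

The rule deliberately ignores failed logons and any logon where `mfa=yes`, so what remains is exactly the population the alert says should be empty: users who reached a remote service with a password alone. Feeding it real data means mapping the authentication product's own fields onto `service`, `result` and `mfa` first.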

Incorrectly applied privileges or permissions and errors in access control
lists can prevent the enforcement of access control rules and could give
unauthorized users or system processes access to objects.

Of course, make sure software is up to date. But also don't use
vendor-supplied default configurations or default usernames and passwords.
These might be 'user friendly' and help the vendor deliver faster
troubleshooting, but they are often publicly available 'secrets'. In its
network infrastructure security guidance, the NSA strongly urges admins to
remove vendor-supplied defaults.

"Network devices are also often pre-configured with default administrator
usernames and passwords to simplify setup," CISA notes. "These default
credentials are not secure – they may be physically labeled on the device
or even readily available on the internet. Leaving these credentials
unchanged creates opportunities for malicious activity, including gaining
unauthorized access to information and installing malicious software."


CISA notes that remote services, such as VPNs, lack sufficient controls to
prevent unauthorized access. Defenders should add access control mechanisms
like MFA to reduce risks. Also, put the VPN behind a firewall, and use IDS
and IPS sensors to detect suspicious network activity.

Other key problems include: strong password policies that are not
implemented; open ports and internet-exposed services that attackers can
scan from the internet; failure to detect or block phishing using Microsoft
Word and Excel documents booby-trapped with malicious macros; and poor
endpoint detection and response.

CISA's recommendations include access control measures, implementing
credential hardening, establishing centralized log management, using
antivirus, employing detection tools and searching for vulnerabilities,
maintaining configuration management programs, and implementing patch
management.

CISA also recommends adopting a zero-trust security model, but this is
likely a long-term goal. US federal agencies have until 2024 to make
significant headway on this aim.

The full list of security 'don'ts' includes:

1. Multifactor authentication (MFA) is not enforced.
2. Incorrectly applied privileges or permissions and errors within access
   control lists.
3. Software is not up to date.
4. Use of vendor-supplied default configurations or default login usernames
   and passwords.
5. Remote services, such as VPNs, lack sufficient controls to prevent
   unauthorized access.
6. Strong password policies are not implemented.
7. Cloud services are unprotected.
8. Open ports and misconfigured services are exposed to the internet.
9. Failure to detect or block phishing attempts.
10. Poor endpoint detection and response.
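As an added example that is not part of the article or the advisory, the following Python script turns most of that list into an automated audit over a small constructed inventory: it checks the password policy, patch age, unchanged vendor defaults, management services bound to all interfaces on internet-facing hosts, VPN and RDP paths that allow logon without MFA, and cloud roles granted wildcard permissions. The inventory schema, host names, thresholds and the management-port set are assumptions of this example; a real run would populate the same structure from CMDB, vulnerability-scanner and IAM exports.

```python
"""Audit an inventory against the advisory's list of weak controls.

Added example, not from the article, CISA or the NSA. The inventory schema,
host names, thresholds and the management-port set are constructed.
"""
from collections import Counter
from datetime import date

# Well-known ports of management services that should not face the internet.
MGMT_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}
MFA_ROLES = {"vpn", "rdp"}     # remote-access paths that must require MFA
MAX_PATCH_AGE_DAYS = 30        # constructed threshold
MIN_PASSWORD_LENGTH = 14       # constructed threshold

# Constructed inventory; every field name here is an assumption of this example.
INVENTORY = {
    "audit_date": "2022-05-18",
    "password_policy": {"min_length": 8, "lockout_threshold": 0},
    "hosts": [
        {"name": "vpn-gw-01", "internet_facing": True, "last_patched": "2022-02-01",
         "default_creds_changed": True,
         "services": [{"port": 443, "role": "vpn", "bind": "0.0.0.0", "mfa_required": False},
                      {"port": 22, "role": "ssh", "bind": "0.0.0.0", "mfa_required": True}]},
        {"name": "dc01", "internet_facing": False, "last_patched": "2022-05-10",
         "default_creds_changed": True,
         "services": [{"port": 3389, "role": "rdp", "bind": "10.0.0.5", "mfa_required": False}]},
        {"name": "edge-switch-03", "internet_facing": True, "last_patched": "2022-05-12",
         "default_creds_changed": False,
         "services": [{"port": 23, "role": "telnet", "bind": "0.0.0.0", "mfa_required": False}]},
    ],
    # Cloud role grants in a simplified, constructed action/resource form.
    "cloud_roles": [
        {"name": "ci-deployer", "actions": ["storage:put", "storage:get"], "resources": ["bucket/ci-*"]},
        {"name": "legacy-admin", "actions": ["*"], "resources": ["*"]},
    ],
}


def audit(inv):
    """Return (control, subject, message) tuples, one per weakness found."""
    findings = []
    today = date.fromisoformat(inv["audit_date"])

    pol = inv["password_policy"]  # item 6: strong password policies
    if pol["min_length"] < MIN_PASSWORD_LENGTH:
        findings.append(("password_policy", "domain",
                         f"min_length {pol['min_length']} < {MIN_PASSWORD_LENGTH}"))
    if pol["lockout_threshold"] == 0:
        findings.append(("password_policy", "domain", "account lockout disabled"))

    for h in inv["hosts"]:
        age = (today - date.fromisoformat(h["last_patched"])).days
        if age > MAX_PATCH_AGE_DAYS:  # item 3: software not up to date
            findings.append(("patching", h["name"], f"last patched {age} days ago"))
        if not h["default_creds_changed"]:  # item 4: vendor defaults
            findings.append(("default_credentials", h["name"],
                             "vendor default credentials still in use"))
        for s in h["services"]:
            port = s["port"]
            # Item 8: management service on all interfaces of an internet-facing host.
            if h["internet_facing"] and s["bind"] == "0.0.0.0" and port in MGMT_PORTS:
                findings.append(("exposed_service", h["name"],
                                 f"{MGMT_PORTS[port]}/{port} reachable from the internet"))
            # Items 1 and 5: remote-access path that does not require MFA.
            if s["role"] in MFA_ROLES and not s["mfa_required"]:
                findings.append(("mfa", h["name"],
                                 f"{s['role']} on port {port} allows logon without MFA"))

    for role in inv["cloud_roles"]:  # item 7: excessive cloud permissions
        if "*" in role["actions"] or "*" in role["resources"]:
            findings.append(("cloud_permissions", role["name"],
                             "wildcard action or resource grant"))
    return findings


def by_control(findings):
    """Count findings per control, for a quick summary."""
    return dict(Counter(control for control, _, _ in findings))


if __name__ == "__main__":
    for control, subject, msg in audit(INVENTORY):
        print(f"{control:20} {subject:16} {msg}")
    print(by_control(audit(INVENTORY)))
```

Each check corresponds to one of the numbered items, and the output is a flat list of findings keyed by control so the same data can be grouped per host or per control for tracking. The thresholds are where local policy enters: the numbers above are placeholders, not values taken from the advisory.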