CISA reveals 'Admin123' as top security threat in cyber sloppiness chart

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) are blaming unchanged default credentials as the prime security misconfiguration that leads to cyberattacks.

Sticking with default credentials in software, systems, and applications topped the agencies' top ten major cybersecurity misconfigurations, based on data pulled from their red and blue team exercises.

The cybersecurity advisory (CSA) released this week aims to encourage software manufacturers to adopt secure-by-design and secure-by-default principles throughout the development cycle.

The misconfigurations in the CSA illustrate a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and highlights the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders.

Occupying the other top-three spots in the list are "improper separation of user and admin privileges" at second, and at third "insufficient network monitoring."

IT admins are too often assigning multiple roles to one account, the CSA says. It's an issue for multiple reasons, but perhaps most important, it prevents network monitoring tools from identifying suspicious account activity.

If a low-level employee's account is granted permissions that are unnecessarily great, it means they can access an area of the network reserved only for a finite number of users, usually because those areas are home to sensitive data.

If that account becomes compromised and controlled by attackers, as in a phishing attack for example, then malicious activity becomes nigh-on impossible to spot because network monitoring sees it as a privileged account accessing part of the network it's allowed to – so no issue.

This so-called "privilege creep" can occur in expanding organizations with repeated changes in account management, personnel, and access requirements, the CSA says.

"Through the analysis of topical and nested AD groups, a malicious actor can find a user account that has been granted account privileges that exceed their need-to-know or least-privilege function.

"Extraneous access can lead to easy avenues for unauthorized access to data and resources and escalation of privileges in the targeted domain."

On the topic of network monitoring, insufficient configuration of these tools is also deemed a serious risk to security, especially when host and network sensors aren't properly set up for traffic collection and end-host logging.

In one exercise, the agencies observed an organization with host-based monitoring configured correctly but lacked network monitoring entirely.

Organizations can benefit from host-based monitoring's ability to flag potentially malicious activity on a single host, but network monitoring alerts to suspicious activity that moves laterally across the network.

The organization in question could spot the infected hosts but couldn't see where it was coming from or stop additional infections.

The full list [PDF]:

1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation 
5. Poor patch management
6. Bypass of system access controls
7. Weak or misconfigured multifactor authentication (MFA) methods 
8. Insufficient access control lists (ACLs) on network shares and services 
9. Poor credential hygiene 
10. Unrestricted code execution 

US stays staunch on security by design

Adopting security-by-design and security-by-default approaches has been one of the clearest and most-communicated goals of the US government of recent years.

The topic is routinely at the forefront of cybersecurity-related policy and is often pushed as an idea through blog posts and advisories.

• CISA barred from coordinating with social media sites to police misinformation
• CISA adds latest Chrome zero-day to Known Exploited Vulnerabilities Catalog
• Ukraine accuses Russian spies of hunting for war-crime info on its servers
• Feds raise alarm over Snatch ransomware as extortion crew brags of Veterans Affairs hit

The security agencies of countries in the Five Eyes intelligence alliance, of which the US is a member, along with those from Germany and the Netherlands, jointly published guidance [PDF] on the matter earlier this year. 

It marked the countries' serious intent to encourage technology manufacturers to stop shipping products with known exploitable vulnerabilities, something the US has tried to enshrine into its own law.

The National Defense Authorization Act for fiscal 2023 has passed the House of Representatives but is yet to be formally approved as a law in the US.

The bill, which if left unchanged would prohibit the Department of Homeland Security (DHS) from buying software with any known vulnerabilities in it at all, caused quite a stir last year when it was proposed, dividing the opinions of leading infosec experts working in the field.

Some experts speaking at the time criticized the bill for being overly restrictive, and that not all vulnerabilities are serious or require mitigation, and some said it would put the DHS in an impossible position from a purchasing perspective. 

Others pointed out the bill isn't as restrictive as many originally thought; the DHS could buy software with known vulnerabilities, as long as effective mitigations were available.

Questionable legislation aside, mentions of security-by-design were littered throughout the US's National Cybersecurity Strategy, which was announced in March this year.

It was also top of the agenda in the Biden-⁠Harris administration's first implementation plan for said strategy, published in July.

In it, CISA was tasked with fostering better relationships between the public and private sectors, academia and the open source software community, to further drive the uptake of secure-by-design principles in software and hardware at a national level.

Indeed, security-by-design is showing no signs of disappearing from the US government's list of priorities, but whether the wider industry adopts the practice remains unanswered.

"Ensuring software is secure by design will help keep every organization and every American more secure," said CISA, announcing the CSA.

"We know that neither the government nor industry can solve this problem alone, we must work together. We continue to call on every software company to commit to secure-by-design principles and take that critical next step of publishing a roadmap that lays out their plan to create products that are secure by design 'out of the box'." ®