Common Cybersecurity Misconfigurations in Networks

Threat actors often target common cybersecurity misconfigurations in the networks of large organisations to gain unauthorised access, move laterally within the network and carry out various forms of cyberattacks. Addressing these common misconfigurations through proactive security measures, regular assessments, and ongoing monitoring is essential for improving network security in large organisations.

This advisory describes the most common types of network misconfigurations and provides recommended mitigation measures for organisations to implement in order to improve their security posture and enhance overall cybersecurity.

The following are some of the common types of misconfigurations and mitigation measures which organisations may consider adopting:

 1. Weak Credential Management Practices and Improperly Configured Multi-Factor Authentication (MFA) Methods

Weak credential management policies and MFA methods which are improperly configured could allow threat actors to gain access to credentials and potentially use them to gain unauthorised access to other assets.

• Weak Password Policies

Weak password policies have serious implications for organisations. Weak password policies such as not implementing complexity requirements or not mandating regular password changes can allow threat actors to guess the passwords easily.

• Cleartext Password Disclosure

Administrators who store passwords in cleartext are vulnerable to cyber attacks. Threat actors look for documents that contain these cleartext passwords that could allow them to gain escalated privileges.

• Inadequate Use of Phishing-Resistant MFA

There are some MFA methods that are vulnerable to phishing attacks. Threat actors can masquerade as legitimate sources and perform phishing attacks to obtain authentication credentials gain unauthorised access to the systems.

• Improper Configuration of Smart Cards/Tokens

Administrators may misconfigure multi-factor requirements such that the password hashes for the accounts always remain the same when smart cards or tokens are used. Threat actors can take advantage of this situation and use the password hash permanently.

To address weak credential management and MFA issues, organisations are advised to adopt and enforce MFA, especially MFA methods that are phishing resistant. For more information on using secure MFA methods, please refer to our advisory here.

Additionally, organisations should also use strong passwords that include at least 12 characters comprising uppercase and lowercase letters, numbers, and special characters. To help employees remember their passwords, organisations should encourage them to use passphrases by putting together a sentence or combination of words based on a memory unique to them. You can find out the strength of your password  here.

 2. Default Settings in Software and Applications

Threat actors may gain unauthorised through the use of default settings in software and applications. Common default settings, such as default credentials and configuration settings are typically well-known and widely documented, making them vulnerable to exploitation by threat actors. Active Directory Certificate Services (ADCS) is a feature within Active Directory (AD) environments for managing Public Key Infrastructure (PKI) certificates and encryption. ADCS templates create certificates for various network entities, but misconfigurations can allow threat actors to obtain fraudulent certificates and potentially gain unauthorised access, impersonate legitimate entities, and bypass security measures, potentially leading to data breaches and domain privilege escalation. To reduce the risk of unauthorised access of software and applications due to default settings in software and applications, organisations are advised to mandate the changing of default credentials and strengthening configurations.

 3. Misconfigured Security Appliances

Improperly configured security appliances such as the absence of firewall rules or poorly defined rulesets, can allow unauthorised traffic to pass through the system. Threat actors can capitalise on this by attempting to exploit firewall rules or find openings in firewall configurations. Additionally, organisations may neglect to configure host and network sensors adequately for traffic collection and end-host logging. The absence of monitoring and alerting can allow threat actors to operate undetected and carry out malicious activities such as data theft or distribution of malware within the network for extended periods. Organisations are advised to regularly review and adjust settings and deploy comprehensive monitoring and alerting systems to detect and respond to suspicious activities within the network effectively. Organisations are also advised to conduct regular penetration testing to uncover misconfigurations that could be exploited by threat actors.

 4. Open Ports and Unnecessary Services

Unnecessary open ports and services running on servers and devices increase the attack surface. Threat actors can exploit this by scanning for open ports and services to identify potential vulnerabilities. Once they identify these open ports and services, they can attempt to gain unauthorised access, launch attacks, or exploit known vulnerabilities associated with these services. To prevent threat actors from exploiting open ports and unnecessary services, organisations are advised to deactivate unused services and enforce access controls.

 5. Insecure Remote Access

Weak remote access controls, such as open Remote Desktop Protocol (RDP) ports and unsecured Virtual Private Network (VPN) configurations and vulnerable remote desktop services accessible over the Internet can be exploited by threat actors to gain unauthorised access to a network or system. Threat actors can escalate privileges, move laterally within the network, exfiltrate data, or deploy malicious payloads upon gaining access. To ensure secure remote access, organisations are advised to implement strong authentication, apply regular updates, and enforce access controls and monitoring for suspicious activities.

 6. Insecure Internet of Things (IoT) Devices

IoT devices connected to the network are potential entry points for threat actors if they are not configured securely. They can target vulnerable IoT devices by exploiting weak or default credentials, unpatched vulnerabilities, or insecure communication protocols. Once compromised, these devices can be harnessed for various malicious purposes, such as launching Distributed Denial -of-Service (DDoS) attacks, infiltrating home or corporate networks, or acting as entry points for further attacks. Organisations are advised to mandate the usage of strong passwords, update the firmware regularly, and segment IoT devices from critical networks to enhance security of IoT devices.

 7. Misconfigured Cloud Services

Insecure cloud configurations can result in data breaches, financial losses, and service disruptions. Threat actors can exploit such misconfigurations by scanning for publicly accessible cloud assets and services and looking for weaknesses in configurations like unsecured storage buckets or improperly configured access controls. Once identified, threat actors can gain unauthorised access to sensitive data, manipulate cloud resources, or even deploy malicious software within the cloud environment. Organisations are advised to regularly audit and enhance security configurations, enforce strict access controls, and monitor cloud assets for vulnerabilities to secure their cloud services.

 8. Unrestricted Code Execution

Threat actors can execute arbitrary code and run malicious payloads on the hosts after gaining initial access to the system if unverified executables are allowed to run. Threat actors may initially make use of social engineering to obtain sensitive credentials from victims, following which, executables, macros, or Dynamic Link Libraries (DLLs) are run once they are in the network. Threat actors also often utilise scripting languages to conceal their actions and bypass allowlisting. To avoid unrestricted code execution, organisations are advised to configure their system settings such that the system is unable to run applications downloaded from untrusted sources.

 9. Inadequate Patch Management

Poor cyber hygiene practices and inadequate patch management, such as the failure to patch regularly, as well as using outdated firmware, unsupported End-of-Life (EOL) software or Operating Systems (OSs), allow threat actors to exploit vulnerabilities and gain access into the systems:

• Failure to Patch Regularly

Threat actors can easily discover unpatched and vulnerable systems through vulnerability scanning and exploit the vulnerabilities to gain access to the systems.

• Usage of Outdated Firmware/Unsupported EOL Software or OSs

EOL software and OSs are no longer supported by the vendor, and do not receive the necessary and relevant patches for new and existing vulnerabilities, thus posing serious security risks. Threat actors can exploit such vulnerabilities to gain access to the systems and disrupt operations.

To ensure adequate patch management, organisations are advised to update their software regularly and prioritise patches for known vulnerabilities exploited by threat actors. Organisations are also advised to evaluate the use of unsupported or outdated software and cease using them as soon as possible to prevent threat actors from exploiting them to gain access into their network.

 10. Insufficient Access Control Lists (ACLs) on Network Shares and Services

Administrators may misconfigure ACLs to allow unauthorised users to access sensitive data. Some common misconfigurations of ACLs include underly or overly permissive rules and inconsistent rules. In addition, administrators may not audit the rules often which could lead to expired rules exposing them to security risks. Threat actors can collect and exfiltrate these data and perform further attacks. They can often find sensitive data and Personal Identifiable Information (PII) on the shared drives that could be used for extortion or social engineering. To limit unauthorised access and enhance data security, organisations are advised to apply the principle of least privilege (PoLP) to manage resources containing important information and enforce strict role-based access controls (RBAC), while segregating administrative privileges. They can also automate a process or leverage automated tools and solutions to verify effectiveness of the configurations and settings in all environments.

 11. Circumvention of System Access Controls

Threat actors can circumvent system access controls by compromising various authentication methods within a system. If they can retrieve hashes within a network, they can use these hashes to authenticate themselves using non-standard means such as Pass-the-Hash (PtH). By impersonating accounts without the cleartext passwords, threat actors can expand their access while evading detection. Organisations are advised to limit credential overlap within a network to minimise credential compromise and reduce the ability of threat actors to move laterally between systems.

 12. Absence of Network Segmentation

The absence of network segmentation removes boundaries between user, production, and critical system networks, which enable threat actors to move freely across systems and expose organisations to increased risks of ransomware attacks and post-exploitation techniques. Furthermore, a lack of segregation between IT and Operational Technology (OT) environments can jeopardise OT systems, even when they are believed to be entirely isolated, due to overlooked or unintentional connection to the Internet. Organisations are advised to implement proper segmentation to create security zones, reduce lateral movement for threat actors and enhance network security. Additionally, they can also reduce, audit, and monitor administrative accounts, applications and services, and their associated privileges.

 13. Unencrypted Data in Transit and at Rest

Transmitting sensitive data without encryption over the network and failure to encrypt data at rest in storage devices leave the data vulnerable to theft or compromise. Threat actors can intercept or eavesdrop and gain access to unencrypted data to steal valuable information, compromise user accounts, manipulate data, or carry out various cyberattacks, causing substantial harm to organisations and individuals. To prevent eavesdropping and interception of data, organisations are advised to apply encryption for data both in transit and at rest, using strong encryption protocols and securing data storage to protect against unauthorised access.

References:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a
https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-137a
https://www.bleepingcomputer.com/news/security/nsa-and-cisa-reveal-top-10-cybersecurity-misconfigurations/
https://venafi.com/blog/top-10-vulnerabilities-make-iot-devices-insecure/