Article by Cybersecurity & Infrastructure Security Agency (CISA)
Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues. This advisory was coauthored by the cybersecurity authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom.
Malicious cyber actors often exploit the following common weak security controls, poor configurations, and poor security practices to employ the initial access techniques.
- Multifactor authentication (MFA) is not enforced. MFA, particularly for remote desktop access, can help prevent account takeovers. MFA is a critical tool in mitigating malicious cyber activity. Do not exclude any user, particularly administrators, from an MFA requirement.
- Software is not up to date. Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information. This is one of the most commonly found poor security practices.
- Use of vendor-supplied default configurations or default login usernames and passwords. Many software and hardware products come “out of the box” with default configurations intended to make the products user-friendly and reduce the troubleshooting time for customer service. However, leaving these factory default configurations enabled after installation may provide avenues for an attacker to exploit.
- Strong password policies are not implemented. Malicious cyber actors can use a myriad of methods to exploit weak, leaked, or compromised passwords and gain unauthorized access to a victim system. Malicious cyber actors have used this technique in various nefarious acts and prominently in attacks targeting RDP.
- Cloud services are unprotected. Misconfigured cloud services are common targets for cyber actors. Poor configurations can allow for sensitive data theft and even cryptojacking.
- Failure to detect or block phishing attempts. Cyber actors send emails with malicious macros—primarily in Microsoft Word documents or Excel files—to infect computer systems. Initial infection can occur in a variety of ways, such as when a user opens or clicks a malicious download link, PDF, or macro-enabled Microsoft Word document included in phishing emails.
Applying the following practices can help organizations strengthen their network defenses against common exploited weak security controls and practices:
- Limit the ability of a local administrator account to log in from a remote session (e.g., deny access to this computer from the network) and prevent access via an RDP session. Additionally, use dedicated administrative workstations for privileged user sessions to help limit exposure to all the threats associated with device or user compromise.
- Control who has access to your data and services. Give personnel access only to the data, rights, and systems they need to perform their job. This role-based access control, also known as the principle of least privilege, should apply to both accounts and physical access.
- Implement MFA. In particular, apply MFA on all VPN connections, external-facing services, and privileged accounts. Where MFA is not implemented, enforce a strong password policy.
- Change or disable vendor-supplied default usernames and passwords. Enforce the use of strong passwords.
- Set up monitoring to detect the use of compromised credentials on your systems. Implement controls to prevent the use of compromised or weak passwords on your network.
- Deploy an anti-malware solution on workstations to prevent spyware, adware, and malware as part of the operating system security baseline.
- Monitor antivirus scan results on a routine basis.
- Conduct vulnerability scanning to detect and address application vulnerabilities.
- Implement asset and patch management processes to keep software up to date. Identify and mitigate unsupported, end-of-life, and unpatched software and firmware by performing vulnerability scanning and patching activities.
Source: Cybersecurity & Infrastructure Security Agency