Retaining default configurations of software and applications is the most common of 10 security risks highlighted by the US National Security Agency (NSA) and Infrastructure Security Agency (ISA).
The two agencies have issued a joint cybersecurity advisory (CSA) in which the 10 most common network misconfigurations are listed. That list is:
- Default configurations of software and applications.
- Improper separation of user/administrator privilege.
- Insufficient internal network monitoring.
- Lack of network segmentation.
- Poor patch management.
- Bypass of system access controls.
- Weak or misconfigured multifactor authentication (MFA) methods.
- Insufficient access control lists (ACLs) on network shares and services.
- Poor credential hygiene.
- Unrestricted code execution.
The report concludes that the list illustrates a trend of “systemic weakness in many large organizations”. It also says that the findings underline “the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders.”
It also recommends that those responsible for defending corporate networks implement a number of mitigating measures. These are:
- Remove default credentials and harden configurations.
- Disable unused services and implement access controls.
- Update regularly and automate patching, prioritizing patching of known exploited vulnerabilities.
- Reduce, restrict, audit, and monitor administrative accounts and privileges.
The secure-by-design and secure-by-default tactics the report advises software manufacturers to adopt include:
- Embedding security controls into product architecture from the start of development and throughout the entire software development lifecycle (SDLC).
- Eliminating default passwords.
- Providing high-quality audit logs to customers at no extra charge.
- Mandating MFA, ideally phishing-resistant, for privileged users and making MFA a default rather than an opt-in feature.