In today’s heightened threat environment, where cyber attackers frequently exploit unpatched software vulnerabilities and “routinely” target security misconfigurations for initial access, it is vital for businesses and organisations to defend themselves against the onslaught of hackers. That is why the US Cybersecurity and Infrastructure Security Agency (CISA) and its peers have created a to-do list to help us defend ourselves.

The agencies that joined together to create the to-do list are CISA, the FBI and the NSA (National Security Agency), together with cybersecurity authorities from Canada, New Zealand, the Netherlands and the UK. As leaders in the field of cybersecurity from around the globe, their list contains the recommendations required to thwart a hacker’s initial access. In other words, it outlines what defenders need to implement to tackle weak security controls, poor configurations and poor security practices.

CISA says that “cyber actors” are known for taking advantage of “poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system.”

Certainly, the list includes some of the main security practices, such as enabling multi-factor authentication (MFA) on key systems like virtual private networks (VPNs). Most importantly, the agencies note that in complex IT environments, implementations are prone to misconfiguration.

For instance, Russian hackers were able to disable MFA for active domain accounts and then establish remote desktop protocol (RDP) connections to Windows domain controllers by combining a default policy shared by multiple MFA solutions with a Windows printer privilege-escalation flaw. This complexity can also be seen in the choice, deployment and use of VPNs, whose adoption escalated after the pandemic struck.
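One way a defender with centralized logging could spot the chain described above (an MFA policy change followed shortly by an RDP logon to a domain controller) is a simple correlation rule. The code below is an added example, not from the advisory or the original post; the event schema, the `SAMPLE_EVENTS` log lines and the `DOMAIN_CONTROLLERS` inventory are all constructed for illustration and do not match any vendor’s real log format.

```python
from datetime import datetime, timedelta

# Constructed sample events (not a real vendor schema): an MFA-disable policy
# change for one account, then RDP logons (logon_type 10) to a domain controller.
SAMPLE_EVENTS = [
    {"ts": "2022-05-17T09:00:00", "kind": "mfa_policy_change", "account": "jsmith",
     "detail": "mfa_disabled"},
    {"ts": "2022-05-17T09:12:30", "kind": "logon", "account": "jsmith",
     "logon_type": 10, "host": "DC01", "mfa_used": False},
    {"ts": "2022-05-17T10:00:00", "kind": "logon", "account": "bjones",
     "logon_type": 10, "host": "DC01", "mfa_used": True},
    {"ts": "2022-05-17T10:30:00", "kind": "logon", "account": "svc_backup",
     "logon_type": 10, "host": "DC02", "mfa_used": False},
    {"ts": "2022-05-17T11:00:00", "kind": "logon", "account": "jsmith",
     "logon_type": 2, "host": "WS07", "mfa_used": False},
]

# Assumed asset inventory of domain controller hostnames.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}


def find_suspicious_rdp(events, window=timedelta(hours=1)):
    """Return alerts for RDP logons to a domain controller that were not
    protected by MFA. An alert is escalated when the same account had MFA
    disabled within `window` before the logon."""
    mfa_disabled_at = {}  # account -> timestamp of the latest mfa_disabled change
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "mfa_policy_change" and ev["detail"] == "mfa_disabled":
            mfa_disabled_at[ev["account"]] = t
            continue
        if ev["kind"] != "logon" or ev["logon_type"] != 10:
            continue  # only RDP (interactive remote) logons are of interest here
        if ev["host"] not in DOMAIN_CONTROLLERS or ev["mfa_used"]:
            continue
        since = mfa_disabled_at.get(ev["account"])
        reason = "rdp_to_dc_without_mfa"
        if since is not None and t - since <= window:
            reason = "rdp_to_dc_after_mfa_disabled"
        alerts.append({"account": ev["account"], "host": ev["host"],
                       "ts": ev["ts"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_rdp(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the MFA-disable and logon events would come from separate sources (the MFA provider and Windows security logs), which is exactly why the advisory’s recommendation of centralized log management matters for this kind of correlation.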

Secondly, the well-known principle of least privilege limits the opportunity for attackers to breach a system. But a recent study by Palo Alto Networks found that 99% of cloud services went against this recommendation and granted excessive permissions, leaving those cloud services vulnerable to hackers.

In today’s climate, with more remote workers and Russia’s invasion of Ukraine creating world-wide cybersecurity issues, it is even more important that businesses are protected. The security controls mentioned in the checklist are useful to organisations for this very reason.

It also follows the EU joining the US and the Five Eyes in jointly blaming the Russian military for this year’s cyberattack against Viasat’s European satellite broadband users.

That is to say, as noted earlier, attackers generally:

  • exploit public-facing applications
  • exploit external remote services
  • use phishing, as a way to:

  1. obtain valid credentials
  2. exploit trusted relationships and valid accounts

So, the joint advisory has some recommendations to thwart these attempts to exploit businesses and to help defenders. Firstly, it suggests MFA for all your accounts, mainly because attackers commonly use RDP to deploy ransomware. CISA warns “not to exclude any user, particularly administrators, from an MFA requirement.”

Secondly, access controls can prevent the unauthorised use of system processes to access objects or systems. In other words, managing who has admin access is important. Incorrectly assigned or overly broad privileges and permissions, and errors in access control lists, can spell trouble.

Most importantly, remove any vendor-supplied default usernames, passwords and configurations. Typically they make it easier for the vendor to troubleshoot, but they leave your organisation wide open. These default configurations, usernames and passwords are publicly available “secrets”. As a result, in its network infrastructure security guidance, the NSA strongly urges admins to remove vendor-supplied defaults.

CISA notes that “Network devices are also often pre-configured with default administrator usernames and passwords to simplify setup”, but these “default credentials are not secure”, because they may be readily available on the internet or even physically labelled on the device. If businesses and organisations leave these credentials unchanged, it creates opportunities for malicious activity, including

  • gaining unauthorized access to information
  • and installing malicious software

CISA also lists controls to prevent unauthorized access to remote services, such as VPNs, that otherwise lack sufficient controls. These include:

  • The first control is MFA, which reduces the risk of credential misuse.
  • The second control is to put the VPN behind a firewall and use IDS and IPS sensors to detect suspicious network activity.

CISA has also listed other key problem areas which include:

  1. strong password policies are not implemented
  2. open ports and internet-exposed services that attackers can scan via the internet
  3. failure to detect or block phishing using Microsoft Word and Excel documents booby-trapped with malicious macros
  4. poor endpoint detection and response

CISA’s recommendations include

  1. access control measures,
  2. implementing credential hardening,
  3. establishing centralized log management,
  4. using antivirus, employing detection tools and searching for vulnerabilities,
  5. maintaining configuration management programs,
  6. and implementing patch management.

CISA also recommends adopting a zero-trust security model, but this is likely a long-term goal. US federal agencies have until 2024 to make significant headway on this aim.
