The US Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) have revealed a worrying number of seemingly obvious cybersecurity rules aren't being followed by many business.
The organizations recently ran a red-and-blue-team exercise to identify the biggest security mistakes businesses are making these days, with the usage of default credentials in software, systems, and applications the number one mistake leading up to cyberattacks.
Many of the tools and services that businesses buy for their operations come with pre-installed login credentials. These factory settings are meant to be used only during initial setup and should be replaced with stronger, unique credentials, as soon as possible. However, many IT teams ignore this step, leaving their endpoints with credentials known to hackers and other threat actors.
Secure-by-design
Besides default login settings, other major mistakes include “improper separation of user and admin privileges” and “insufficient network monitoring”. In other words, IT teams often give low-level accounts admin privileges for no apparent reason, and when those accounts get compromised, it makes it almost impossible for IT teams to identify a malicious entity on their premises.
"Through the analysis of topical and nested AD groups, a malicious actor can find a user account that has been granted account privileges that exceed their need-to-know or least-privilege function,” the advisory reads. "Extraneous access can lead to easy avenues for unauthorized access to data and resources and escalation of privileges in the targeted domain."
As for network monitoring, there are many ways in which organizations are dropping the ball here, including failing to properly set up various sensors to collect traffic and end-host logs, it was said.
Furthermore, CISA and the NSA seem to be shifting part of the “blame” to the developers building out these products, pushing for the manufacturers to adopt secure-by-design and secure-by-default principles in the development cycle.
"Ensuring software is secure by design will help keep every organization and every American more secure," CISA said in its announcement of the advisory. "We know that neither the government nor industry can solve this problem alone, we must work together. We continue to call on every software company to commit to secure-by-design principles and take that critical next step of publishing a roadmap that lays out their plan to create products that are secure by design 'out of the box'."