CISA Issues Alert on Weak Security Control Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory identifying commonly exploited controls and practices and included best practices to mitigate top cybersecurity issues. 

The advisory, co-authored by cybersecurity authorities in Canada, New Zealand, the Netherlands and the United Kingdom as well as the U.S., said organizations are still facing threats from actors exploiting poorly protected IT systems.

Among the most common weak controls, poor configurations and poor security practices are out-of-date software; incorrectly applied privileges or permissions and errors within access control lists; and use of vendor-supplied default configurations or default login usernames and passwords.

Organizations are also failing to enforce multifactor authentication (MFA), a critical tool in mitigating malicious cybersecurity activity. 

The CISA advisory also noted that remote services, such as virtual private networks (VPNs), lack sufficient controls to prevent unauthorized access, pointed out the lack of strong password policies and highlighted poor endpoint detection and response.

“Do not exclude any user, particularly administrators, from an MFA requirement,” the CISA advisory warned. “In particular, apply MFA on all VPN connections, external-facing services and privileged accounts.”

CISA Advisory Finds Persistent Weakness

Zane Bond, director of product management at Keeper Security, a provider of zero-trust cybersecurity software, said that in large organizations, the persistent weakness of some IT security points has to do with companies focusing so heavily on expensive, advanced security defenses that they neglect the basics—password security, access control and MFA.

“Meanwhile, small and medium-sized organizations often think robust cybersecurity defenses are out of their reach from financial and human resources perspectives,” he said. “A robust password security platform, which comes with access controls and support for multifactor authentication, is one of the least expensive products in a company’s tech stack.”

He added it also doesn’t require advanced IT or security knowledge to deploy or maintain.

Bond explained that, for starters, companies should be implementing a zero-trust network access environment, complete with least-privilege access, role-based access controls and MFA, all enforced with an enterprise password security platform.

Another step would be to deploy a secrets management solution to secure infrastructure secrets like SSH keys, API keys, TLS/SSL certificates and RDP credentials.

He also recommended organizations deploy a zero-trust remote desktop gateway for IT and DevOps teams to securely access infrastructure, such as RDP, SSH, databases and Kubernetes endpoints.

Zero-Trust Is the Only Option

“The shift to remote work made zero-trust network access even more important than it was pre-COVID,” he added. “Not only do companies have vendors and business partners connecting to resources remotely, but they also have significant numbers of employees doing so.”

He pointed out that in some cases, entire companies are working remotely now, which, from his perspective, means zero-trust security is the only realistic option for securing all those remote connections.

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, noted that missed patches, weak authentication and poor configurations have been exploited for years and many organizations are well behind the curve when it comes to cybersecurity.

“The reality is that keeping an organization safe from cyberattack takes a lot of time and effort, and it can be hard to catch up when they’ve gotten behind,” he said.

Parkin explained there are several reasons we’re still seeing a lot of cybersecurity incidents, ranging from organizations that haven’t kept up with industry best practices, to increasingly sophisticated attackers that have improved their tools and techniques to compensate for the latest generation of defensive tools.

As for preventing the ‘simple attacks,’ Parkin said they are still common because many organizations lack the resources, technical or otherwise, to bring their environments up to a best practices baseline.

He added there are several obvious targets for improving security, the first of which is making sure configurations are following best practices for the given application and restricting outside access as much as possible.

“The second is to implement MFA—while there is some effort involved, MFA is one of the most effective ways to reduce the risk of user credential theft,” he said. “Third, implement a patch management program that gets the environment up-to-date.”

The CISA advisory also recommended implementing asset and patch management processes to keep software up to date.

Organizations can identify and mitigate unsupported, end-of-life and unpatched software and firmware by performing vulnerability scanning and patching activities.
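The weak controls the advisory lists (default credentials, privileged and external-facing accounts without MFA, end-of-life software) can be checked mechanically against an asset inventory. The following is an added example, not code from the advisory or the article; the inventory, the default-credential pairs and the end-of-life version table are all constructed placeholders.

```python
# Added example: encode the advisory's weak-control findings as audit rules
# over a constructed asset inventory. Nothing here comes from a real vendor list.
from dataclasses import dataclass, field

# Constructed placeholders: vendor default logins and last end-of-life major version.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "password"), ("admin", "")}
END_OF_LIFE = {"examplevpn": "8.0", "exampleos": "2012"}  # product -> last EOL version


@dataclass
class Account:
    name: str
    password: str
    privileged: bool
    mfa: bool


@dataclass
class Service:
    host: str
    product: str
    version: str
    external: bool          # reachable from outside the network
    mfa: bool               # MFA enforced on the service's logins
    accounts: list = field(default_factory=list)


def _version_key(version):
    """Turn '8.0' into (8, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit(services):
    """Return (host, finding) tuples for each weak control present in the inventory."""
    findings = []
    for svc in services:
        for acct in svc.accounts:
            if (acct.name, acct.password) in DEFAULT_CREDENTIALS:
                findings.append((svc.host, f"default credentials on account '{acct.name}'"))
            if acct.privileged and not acct.mfa:
                findings.append((svc.host, f"privileged account '{acct.name}' without MFA"))
        if svc.external and not svc.mfa:
            findings.append((svc.host, f"external-facing {svc.product} without MFA"))
        eol = END_OF_LIFE.get(svc.product)
        if eol is not None and _version_key(svc.version) <= _version_key(eol):
            findings.append((svc.host, f"{svc.product} {svc.version} is end-of-life"))
    return findings


# Constructed sample inventory: one neglected VPN gateway and one well-kept file server.
SAMPLE_INVENTORY = [
    Service("vpn-gw-1", "examplevpn", "8.0", external=True, mfa=False,
            accounts=[Account("admin", "admin", privileged=True, mfa=False)]),
    Service("file-srv-2", "exampleos", "2019", external=False, mfa=True,
            accounts=[Account("svc_backup", "Xk9!long-unique-secret", privileged=True, mfa=True)]),
]
```

Running `audit(SAMPLE_INVENTORY)` flags the VPN gateway four times (default login, privileged account without MFA, external service without MFA, end-of-life version) and the file server not at all.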

Joseph Carson, chief security scientist and advisory CISO at Delinea, a provider of privileged access management (PAM) solutions, agreed that MFA should be used anywhere and everywhere possible, as it is the best “next step” way to authenticate identities beyond simply using a username and password.

“Strong password management, privileged access security and MFA will make it difficult for attackers to be successful at gaining an initial foothold,” he said. “This will likely force them to look for an easier target elsewhere.”

Carson added the most common mistake with MFA is that it is being used in addition to existing security controls as another step, rather than making it easier and removing existing, poor authentication practices.

“It is simply added on to existing security controls,” he said. “It is important to make authentication easier and make the experience positive where possible, otherwise users will find ways around the security control making them much weaker.”  

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.