Threat actors take advantage of unpatched software, unprotected cloud, and weak passwords. But these are just a few of many poor cybersecurity practices that might put you at risk.
“Malicious cyber actors don’t need to use zero-days to compromise your data—they just need to exploit poor security configs, weak controls & a range of bad cyber practices,” Jen Easterly, Head of CISA, Tweeted.
Cybersecurity authorities of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom released a joint advisory, identifying commonly exploited controls and practices. It also includes best practices to mitigate the issues.
“Let’s make it A LOT harder on them—check out this CSA to help reduce your risk,” Easterly said.
Threat actors routinely exploit poor security configurations, weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system.
The advisory lists ten common weak security controls, poor configurations, and dangerous security habits to employ the initial access techniques.
1. Not enforced multi-factor authentication (MFA). Remote Desktop Protocol (RDP) is one of the most common infection vectors for ransomware, and so MFA is a critical tool.
2. Incorrectly applied privileges or permissions and errors within access control lists. These mistakes can prevent the enforcement of access control rules and could allow unauthorized users or system processes to be granted access to objects.
3. Outdated software. Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information, launch a denial-of-service attack, or take control of a system.
4. Use of vendor-supplied default configurations or default login usernames and passwords. Software and hardware products come with overly permissive configurations to make products user-friendly. Default configurations may provide avenues for an attacker to exploit. Network devices also come with default credentials that are not secure - they may be physically labeled on the device or even readily available on the internet.
5. Threat actors also exploit remote services, such as virtual private networks (VPNs). Therefore, network defenders should add access control mechanisms, such as enforcing MFA, implementing a boundary firewall in front of a VPN, and leveraging intrusion detection system/intrusion prevention system sensors to detect anomalous network activity.
6. Malicious cyber actors exploit weak, leaked, or compromised passwords to gain unauthorized access to a victim system. The advisory urges to implement strong password policies.
7. Misconfigured cloud services are common targets for cyber actors. Poor configurations can allow for sensitive data theft and even cryptojacking.
8. Open ports and misconfigured services are exposed to the internet. Cyber actors use scanning tools to detect open ports and often use them as an initial attack vector. Successful compromise of a service on a host could enable malicious cyber actors to gain initial access and use other tactics and procedures to compromise exposed and vulnerable entities. RDP, Server Message Block (SMB), Telnet, and NetBIOS are high-risk services.
9. Failure to detect or block phishing attempts. Initial infection can occur in a variety of ways, such as when a user opens or clicks a malicious download link, PDF, or macro-enabled Microsoft Word document included in phishing emails.
10. Poor endpoint detection and response. Cyber actors use obfuscated malicious scripts and PowerShell attacks to bypass endpoint security controls and launch attacks on target devices.
Best practices to protect your system
- Control access
- Harden credentials
- Establish centralized log management
- Use antivirus solutions
- Employ detection tools
- Operate services exposed on internet-accessible hosts with secure configurations
- Keep software updated
More from Cybernews:
Subscribe to our newsletter