The Cybersecurity and Infrastructure Security Agency (CISA) on May 17 issued a new advisory highlighting how cyber threat actors are exploiting poor security configurations.
CISA said these poor security configurations range from misconfigured controls to network elements that are left unsecured entirely. Beyond configuration problems, CISA noted that threat actors exploit weak controls and “other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system.”
The advisory identifies exploited controls, along with best practices to mitigate these issues.
Among the mitigations CISA listed:
- Adopting a zero-trust architecture;
- Limiting what a local administrator account is able to do;
- Controlling who has data and service access;
- Hardening conditional access policies; and
- Verifying that all machines – including cloud-based machines – do not expose RDP (TCP port 3389) through open ports.
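The last item in that list is the one most easily turned into a repeatable check. The script below is an added example, not code from the advisory or from CISA: it audits a set of inbound firewall/security-group rules and flags every rule that lets the whole internet reach port 3389, including the cases that a naive "is port 3389 listed?" check misses (a port range that happens to cover 3389, an "all protocols / all ports" rule, and an IPv6 ::/0 source). The rule schema (`protocol`, `from_port`, `to_port`, `sources`, `direction`) and the group names are constructed approximations of what cloud providers export, not any vendor's actual API; the `rdp_reachable` helper is an optional active probe for on-premises hosts and is not exercised by the constructed sample data.

```python
"""Audit inbound rules for RDP (TCP 3389) exposed to the internet.

Added example. The rule schema is a constructed, vendor-neutral
approximation of a cloud security-group export, not a real API.
"""
import ipaddress
import socket

RDP_PORT = 3389
# Protocol values under which an RDP listener would be reachable.
# "-1" and "all" are the usual spellings for "any protocol".
RDP_PROTOCOLS = {"tcp", "udp", "-1", "all"}


def is_internet_source(source: str) -> bool:
    """True if the source is the entire address space (0.0.0.0/0 or ::/0).

    Non-CIDR sources (e.g. a reference to another security group) are
    treated as not-internet; they need a separate, provider-specific check.
    """
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False


def rule_exposes_rdp(rule: dict) -> bool:
    """True if one inbound rule lets anyone on the internet reach port 3389."""
    if rule.get("direction", "ingress") != "ingress":
        return False
    if str(rule.get("protocol", "tcp")).lower() not in RDP_PROTOCOLS:
        return False
    # Missing ports (as in an "all traffic" rule) mean the full range.
    lo = rule.get("from_port")
    hi = rule.get("to_port")
    lo = 0 if lo is None else int(lo)
    hi = 65535 if hi is None else int(hi)
    if not lo <= RDP_PORT <= hi:
        return False
    return any(is_internet_source(src) for src in rule.get("sources", []))


def find_rdp_exposures(groups: dict) -> list:
    """Return (group_name, rule) for every rule that exposes RDP to the internet."""
    findings = []
    for name, rules in groups.items():
        for rule in rules:
            if rule_exposes_rdp(rule):
                findings.append((name, rule))
    return findings


def rdp_reachable(host: str, timeout: float = 2.0) -> bool:
    """Active check for a single host: does a TCP handshake to 3389 complete?

    Hypothetical helper for on-premises inventory; not used by the demo below.
    """
    try:
        with socket.create_connection((host, RDP_PORT), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample inventory (not real infrastructure).
SAMPLE_GROUPS = {
    "web-tier": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "sources": ["0.0.0.0/0"]},
    ],
    "jump-host": [  # exposed: RDP straight from the internet
        {"protocol": "tcp", "from_port": 3389, "to_port": 3389, "sources": ["0.0.0.0/0"]},
    ],
    "admin-only": [  # fine: RDP only from a private range
        {"protocol": "tcp", "from_port": 3389, "to_port": 3389, "sources": ["10.0.0.0/8"]},
    ],
    "legacy-app": [
        # exposed: all protocols, all ports, from any IPv6 address
        {"protocol": "-1", "from_port": None, "to_port": None, "sources": ["::/0"]},
        # exposed: a port range that silently covers 3389
        {"protocol": "tcp", "from_port": 3000, "to_port": 4000, "sources": ["0.0.0.0/0"]},
    ],
    "db-tier": [  # not flagged: source is a group reference, not a CIDR
        {"protocol": "tcp", "from_port": 3389, "to_port": 3389, "sources": ["sg-app-tier"]},
    ],
}

if __name__ == "__main__":
    for group, rule in find_rdp_exposures(SAMPLE_GROUPS):
        print(f"{group}: RDP reachable from the internet via rule {rule}")
```

Two caveats a practitioner should keep in mind: the check only treats a literal /0 prefix as "the internet", so a pair of /1 rules, or a very broad public range, would slip past it and should be caught by a separate policy on maximum source size; and an open port is only half the picture, since a host exposing RDP behind MFA-enforced, IP-restricted access is a different risk from one that does not, which is why the advisory pairs this item with MFA and conditional-access hardening.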
Further, CISA suggests implementing credential hardening through multifactor authentication, as well as establishing centralized log management to ensure applications and systems generate sufficient log information.
Also in the advisory, CISA suggests employing detection tools and searching for vulnerabilities, maintaining rigorous configuration management programs, and running antivirus software.
“During recent years, malicious threat actors have been observed targeting remote services,” the advisory notes. “Network defenders can reduce the risk of remote service compromise by adding access control mechanisms, such as enforcing MFA, implementing a boundary firewall in front of a VPN, and leveraging intrusion detection system/intrusion prevention system sensors to detect anomalous network activity.”
The alert was issued as a joint advisory coauthored by cyber authorities in the United States, Canada, New Zealand, the Netherlands, and the United Kingdom.