NSC, CISA Highlight Top Cyber Misconfigurations

NSC, CISA Highlight Top Cyber Misconfigurations

Damaging cyber intrusions are far too common, causing harm to public and private organizations across every sector. While some of these intrusions use novel methods to gain access or move across a network, many exploit common misconfigurations. By ensuring strong configurations, we can significantly reduce the prevalence and impact of cyber-attacks.

Over the past several years, red and blue team operators at CISA and NSA have assessed organizations to identify how a malicious actor could gain access, move laterally, and target sensitive systems or information. These assessments have shown how common misconfigurations, such as default credentials, service permissions, and configurations of software and applications; improper separation of user/administration privilege; insufficient internal network monitoring; poor patch management, place every American at risk.

Today’s report, “NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations,” provides clear guidance to drive down these misconfigurations. While enterprises can and must take steps to identify and address these misconfigurations, we know that scalable progress requires urgent action by software manufacturers, particularly by adopting Secure by Design practices where software is designed securely from inception to end-of-life and by taking ownership to improve security outcomes of their customers.

Every software manufacturer should urgently adopt the practices below to reduce the prevalence of common misconfigurations by design and every customer should demand adoption of these practices by every vendor.

  • Embed security controls into product architecture from the start of development and throughout the entire software development lifecycle (SDLC) by demonstrating adoption of the National Institute of Standards and Technology’s (NIST) Secure Software Development Framework (SSDF).
  • Eliminate default passwords.
  • Design products so that the compromise of a single security control does not result in compromise of the entire system.
  • Provide high-quality audit logs to customers at no extra charge.
  • Take steps to eliminate entire classes of vulnerabilities, such as by using memory-safe coding languages and implementing parameterized queries.
  • Provide sufficient detail in audit records to detect bypass of system controls and queries to monitor audit logs for traces of such suspicious activity.
  • Mandating multifactor authentication (MFA) for privileged users and making MFA a default rather than opt-in feature for all users.
  • The misconfigurations described in the advisory are too commonly found in assessments, hunts and incident response conducted by our teams and the TTPs are standard methods used by multiple cyber actors that have led to numerous compromises.

Last week, CISA announced a new national campaign, Secure Our World, and one of the key elements is for technology providers (i.e., software manufacturers) to secure their products – protecting customers by making products secure by design. Technology providers know that individual and business consumers use the products they create every day. These products and systems are under constant attack by threat actors seeking to disrupt our way of life and steal data.

As America’s Cyber Defense Agency, CISA is charged with safeguarding our nation against ever-evolving cyber threats and to understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day. Ensuring software is secure by design will help keep every organization and every American more secure.

We know that neither the government nor industry can solve this problem alone, we must work together. We continue to call on every software company to commit to secure by design principles and take that critical next step of publishing a roadmap that lays out their plan to create products that are secure by design “out of the box”.

Featured

  • Survey: 60 Percent of Organizations Using AI in IT Infrastructure

    Netwrix, a cybersecurity provider focused on data and identity threats, today announced the release of its annual global 2025 Cybersecurity Trends Report based on a global survey of 2,150 IT and security professionals from 121 countries. It reveals that 60% of organizations are already using artificial intelligence (AI) in their IT infrastructure and 30% are considering implementing AI. Read Now

  • New Research Reveals Global Video Surveillance Industry Perspectives on AI

    Axis Communications, the global industry leader in video surveillance, has released its latest research report, ‘The State of AI in Video Surveillance,’ which explores global industry perspectives on the use of AI in the security industry and beyond. The report reveals current attitudes on AI technologies thanks to in-depth interviews with AI experts from Axis’ global network and a comprehensive survey of more than 5,800 respondents, including distributors, channel partners, and end customers across 68 countries. The resulting insights cover AI integration and the opportunities and challenges that exist with regard to security, safety, business intelligence, and operational efficiency. Read Now

  • SIA Urges Tariff Relief for Security Industry Products

    Today, the Security Industry Association has sent a letter to U.S. Trade Representative Jamieson Greer and U.S. Secretary of Commerce Howard Lutnick requesting relief from tariffs for security industry products and asking that the Trump administration formulate a process that allows companies to apply for product-specific exemptions. The security industry is an important segment of the U.S. economy, contributing over $430 billion in total economic impact and supporting over 2.1 million jobs. Read Now

  • Report Shows Cybercriminals Continue Pivot to Stealthier Tactics

    IBM recently released the 2025 X-Force Threat Intelligence Index highlighting that cybercriminals continued to pivot to stealthier tactics, with lower-profile credential theft spiking, while ransomware attacks on enterprises declined. IBM X-Force observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year, a method threat actors relied heavily on to scale identity attacks. Read Now

  • 2025 Security LeadHER Conference Program Announced

    ASIS International and the Security Industry Association (SIA) – the leading membership associations for the security industry – have announced details for the 2025 Security LeadHER conference, a special event dedicated to advancing, connecting and empowering women in the security profession. The third annual Security LeadHER conference will be held Monday, June 9 – Tuesday, June 10, 2025, at the Detroit Marriott Renaissance Center in Detroit, Michigan. This carefully crafted program represents a comprehensive professional development opportunity for women in security this year. To view the full lineup at this year’s event, please visit securityleadher.org. Read Now

    • Industry Events

New Products

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles.

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance.