Errors in configuring IT infrastructure are a regular occurrence at large organizations \u2014 even given the most mature and competent IT and cybersecurity departments. This is evident from the weekly news of hacks on major, well-established companies, as well as the results of security audits \u2014 although these are rarely made public. The problem has also been acknowledged by U.S. regulators such as CISA and the NSA. In their new paper with recommendations prepared by both their \u201cred\u201d and \u201cblue\u201d teams after numerous audits and incident responses, they note that configuration errors highlight systemic weaknesses in large organizations \u2014 including companies with mature information security. However, the document asserts that network security teams can neutralize or mitigate these weaknesses with sufficient funding, training, and staffing. Let\u2019s take a look at the mistakes that experts consider the most dangerous.<\/p>\n
Any device or application \u2014 be it a printer, mail or file server, or video conferencing system \u2014 typically has a login mechanism with default access credentials that people can forget to disable. The default settings of these devices may be very simple (e.g., admin1234, or just 1234) and thus not very secure, but often no one changes them. A typical example is a printer that has privileged network access for easy printing, along with a web-based control panel with default login credentials. Another common occurrence is Windows servers with enabled older versions of SMB or other retro protocols. Default settings and templates of Active Directory Certificate Services are also very dangerous, allowing unprivileged users to get a server certificate, elevate privileges to administrative levels, or authenticate themselves by obtaining a Kerberos TGT<\/a>.<\/p>\n Recommended security measures:<\/strong><\/p>\n In any large network, you\u2019ll often find excessive privileges granted to regular users (originally assigned for some temporary purpose and then never revoked), extended privileges for service accounts (applications and services), and highest privileges for administrators (who often work in this privileged mode all the time). Attackers deliberately seek out and exploit these accounts, for they make it faster and easier to take over the network.<\/p>\n Recommended security measures:<\/strong><\/p>\n Many organizations only monitor traffic coming from external hosts and selected servers, while internal network monitoring is limited to endpoint events. This makes it difficult to detect attacks and investigate incidents in a timely manner.<\/p>\n Recommended security measures:<\/strong><\/p>\n Networks with different purposes and levels of importance often lack isolation from one another. Common issues include complete interconnection of networks containing classified and unclassified information, as well as IT and OT networks. In most cases, either segmentation is completely non-existent, or it\u2019s implemented but some engineers decide it\u2019s too inconvenient and create tunnels between networks at will (or even connect isolated networks to the internet). As a result, IT and information security department heads think that the networks are segmented when in fact they\u2019re not.<\/p>\n Recommended security measures:<\/strong><\/p>\n A systematic problem is the slow and incomplete application of patches and updates to hardware and software systems. The situation is exacerbated by the fact that many organizations, for various reasons, continue to operate hopelessly outdated systems<\/a> (such as Windows XP, SAP R\/3, and so on) that haven\u2019t received any updates in a long time.<\/p>\n Recommended security measures:<\/strong><\/p>\n Environment and application settings often allow attacks like \u201cpass-the-hash\u201d and \u201ckerberoasting\u201d to access target resources without knowing the password.<\/p>\n Recommended security measures:<\/strong><\/p>\n A common mistake is configuring access where authentication is performed only by a smart card, but hashes for long-unused passwords are still considered valid. If hash expiration policies are not configured, attackers can operate from old accounts using the techniques mentioned in point 6.<\/p>\n Another common issue is MFA methods vulnerable to phishing, such as SMS codes. Attackers can obtain codes through various means \u2014 from social engineering and MFA bombing to SS7 telecom network attacks<\/a> or illegitimate SIM card duplication.<\/p>\n Recommended security measures:<\/strong><\/p>\n In corporate networks, it\u2019s common to find network folders that can be accessed without authentication, or administrative repositories accessible to regular users. These often contain files with admin passwords or other sensitive information in plaintext.<\/p>\n Recommended security measures:<\/strong><\/p>\n Many organizations allow users to have short and simple passwords. As a result, up to 80% of employee passwords can be quickly cracked using tools like Hashcat.<\/p>\n Recommended security measures:<\/strong><\/p>\n Few organizations enable the \u201clist of allowed applications\u201d mode \u2014 where only approved applications can be run on company computers. Allowing the execution of untrusted files enables attackers to deploy various malware, escalate privileges using vulnerable drivers, and so on.<\/p>\n Recommended security measures:<\/strong><\/p>\n\n
2 Incorrect management of user and admin privileges<\/h2>\n
\n
3 Insufficient internal network monitoring<\/h2>\n
\n
4 Lack of network segmentation<\/h2>\n
\n
5 Poor patch management culture<\/h2>\n
\n
6 Possibility of bypassing access control<\/h2>\n
\n
7 Weak or misconfigured multi-factor authentication methods<\/h2>\n
\n
8 Insufficient restriction of access to network folders and services<\/h2>\n
\n
9 Poor quality passwords and password policies<\/h2>\n
\n
10 Lack of restrictions on code execution<\/h2>\n