The US cybersecurity agencies CISA and the NSA have published new guidance highlighting the most common cybersecurity weaknesses found in large organizations.
These weaknesses affect a broad range of organizations, including those that consider their security posture mature, which points to systemic problems rather than isolated mistakes. Both agencies stress that the need to build secure-by-design principles into software from the very start of development has never been clearer.
The agencies list the following weaknesses:
- Default software configurations
- Overlapping user access rights
- Lack of network segmentation
- Insufficient network monitoring
- Poor patch management
- Bypassed system access controls
- Weak password practices
- Inconsistently applied multi-factor authentication
- Insufficient access control lists on network shares
- Unrestricted code execution
These findings are drawn from several years of assessments covering more than 1,200 networks across the Department of Defense (DoD), other federal institutions, and key US government agencies.
Because most of these assessments centered on Windows and Active Directory environments, the recommended mitigations target those ecosystems. The agencies caution, however, that other software environments are likely to harbor comparable weaknesses.
By adopting secure-by-design practices and eliminating these recurring weaknesses, software developers can substantially reduce the burden on network defenders.
CISA and the NSA also note that, with appropriate training and resources, security teams can address these issues themselves. This includes removing default settings, hardening configurations, disabling unused services, and enforcing strong access-control and patching policies, among other measures.
The secure-by-design mandates the agencies propose for the IT industry include embedding security throughout the software development lifecycle, eliminating default passwords, providing transparent logs of user activity, and requiring phishing-resistant MFA.
These recommendations align with the previously published Cross-Sector Cybersecurity Performance Goals (CPGs) and the secure-by-design principles the agencies released recently.
The agencies also urge organizations to test their security programs rigorously against established threat models, notably the MITRE ATT&CK framework, and to validate their security controls against those benchmarks.
"Such vulnerabilities, unfortunately, are all too familiar in our reviews. The modus operandi cited are routinely harnessed by myriad threat elements, culminating in myriad genuine security breaches. Glean insights from others' oversights and rigorously apply preventive measures to shield your networks, safeguarding confidential data and mission-critical operations," advise CISA and the NSA.