The Security Table
The Security Table is four cybersecurity industry veterans from diverse backgrounds discussing how to build secure software and all the issues that arise!
The Security Table
NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Matt, Chris, and Izar discuss the recently published "NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations." They review each point and critically analyze the document's content, pointing out areas where the terminology might be misleading or where the emphasis should be shifted. As they work through the top ten list, several trends and larger conversations appear out of the individual points.
The trio delves into the nuances of system configurations, emphasizing the risks associated with default settings that expose insecure protocols. Systems should not provide options that are inherently insecure! They also touch upon the challenges of network segmentation in the era of software-defined networking and the implications of poor patch management. They highlight the importance of understanding the difference between configuration problems and design flaws, particularly in password management and storage.
The discussion provides insights into the complexities of cybersecurity and the challenges of ensuring that systems are both user-friendly and secure. The dynamic exchange underscores the importance of continuous learning and adaptation in the ever-evolving field of cybersecurity.
Helpful Links:
NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel
Thanks for Listening!
Hey folks, welcome to another episode of the security table. This is an abridged episode because we're going to talk really fast about something and have kind of a shorter episode here. Joined by Izar and Matt and myself, Chris Romeo, we're always around the security table and we're going to jump right in. So I am looking at this NSA and CISA red and blue team share top 10 cybersecurity misconfigurations. Let's pick up with number one and get into it. So default configurations of software and applications. Do we, are we in favor of these or are we against?
Matt ColesWell, so,
Izar TarandachIf you don't configure it right, then it's a misconfiguration, then, uh, yeah, I guess it's pretty much on the top ten.
Matt ColesWell, but I mean, this is, if we have, if we talk about a default configuration, this is making an assumption that the default is bad and therefore, but, but you could say the same thing about everything on this list. If this is your default,
Izar TarandachOh, no, no, no, no, wait, wait, they go to default credentials, meaning basically the misconfiguration here is that you are not changing the default passwords, which we know that absolutely nobody ever does, everybody immediately goes and puts a safe, good password instead of the default.
Chris RomeoI mean, that's why with default credentials, you don't let people, you don't give them the choice. There is no default credential. You don't have one. You have them set a password when they're configuring the device or whatever. I wasn't going to name any names. It was supposed to be without
Izar TarandachI didn't, I just had a thing
Chris Romeoyeah, you have a little sneeze
Matt Colesso on this list, there is no default. I mean, unless you're talking about, about credential hygiene or not, there is no default credentials explicitly on this list.
Izar Tarandachyeah,
Matt ColesBut number one is a summary line. It doesn't really need to be its own number, because they have put 11 on this list. If your default configuration is insecure, of course it's going to be number one.
Chris RomeoYeah.
Matt Colesbut all of these other things are also,
Chris Romeomissing. They're, they're mixing default credentials here with poor credential hygiene at number nine. So it doesn't make sense. Why are these not combined? Why would you have two separate things here?
Matt Coleswell, so poor credential hygiene could be two things. misconfiguration of your password policies. Or it could be lack of your runtime behaviors around looking at compromised credentials. So in one case it's a configuration, in the other case it's not a configuration. So it's kind of a misleading item on this list.
Chris RomeoOkay.
Izar Tarandachone, one is what one is having the, the, the fact that you shouldn't be able to keep the default past setup. And the second one is you really should choose a good password and you should store it right.
Chris Romeohow about
Izar Tarandachthe thing that, just before we go there, the thing that I have a problem with here is that we start with default configurations, which is a big thing, and then we funnel into credentials and permissions, which is a very, very, a much smaller subset than default configurations.
Chris Romeoyeah. Yeah, they talk about service level permissions as well. But look at two. I think we're gonna love two. It's basically the E in STRIDE.
Izar TarandachI do, I do, but uh, I don't think it's a misconfiguration. I think it's usually more of a design thing
Chris RomeoOoh, good point. Let's unpack that a little bit. So why, why is this a design problem and not a misconfiguration?
Izar Tarandachbecause it, it Putting, putting it, I, I think that lumping it together as a misconfiguration under this title basically means you are, you are using accounts that have way too much, too, way too much privileges than they should. Right. Which is not exactly a problem of a problem of separation. It's a problem of the way that you design your system and you are giving one, one account the ability of being everything, rather than saying we have this set of accounts that's admin accounts and we have this set of accounts that's user accounts.
Chris RomeoI think we have a context problem. We're looking at this through the lens of AppSec and software and ProdSec people. I just took a closer look. This says top 10 cybersecurity misconfigurations. So they're not specifically talking about design, like designing a web app. They're talking about excessive account privileges and elevated service account permissions that would be part of an operating Windows network in an enterprise.
Matt ColesYeah, so let's talk about that
Izar TarandachAren't those applications?
Matt ColesWell, so think about number one, think about number one in that context then. Leaving the default configuration is the problem, right? by not changing the configuration to a secure state. If it requires elevating security, and I will just, and this is a lightning round here, but, you know, just think about the, the CISA Secure by Design, Secure by Default guidelines that came out recently in updated form. Secure by Default means come secure. And you have to weaken security. We talk about loosening guides, but most of the time come products and application applications and software are shipped in a default configuration is insecure and leaving it in that insecure configuration state puts it the number one on this list. Number two is likewise. Those things often ship with an administrative account. That administrative account may be the only account that's that's installed by default. And people will use it for operations when they shouldn't. They should create, they should create an additional account, non privileged, to be used for, for general purpose or something that's view only for, for metrics and reporting purposes or, or whatever. And you should be separation of the, the application should enforce separation of duties and users of those applications should reinforce that.
Chris RomeoAll right. So let's look at three. I don't get this one. Insufficient
Izar Tarandachfour, actually,
Matt ColesWhat, you don't get this at all? How do you, how do you, you can't measure what you don't know, right? You can't defend what you don't have
Chris Romeoyeah, but isn't everything encrypted in the world we live in now? How is, how can you monitor anything on a network that's not
Izar TarandachOh, no, no, no, no, no, no,
Chris Romeojust a bunch of TLS going back
Matt Colespacket inspection,
Izar Tarandachno, no, no, you can,
Matt ColesTLS offloading.
Izar Tarandachyou can monitor for, for, uh, streams are not predicted in your threat model. So I know that these two things are expected to talk, but if I see A talking to Z, all of a sudden, oh wait, that's not supposed to happen.
Matt ColesRight. But also with TLS offloading and deep packet inspection, I mean, once you're, yes, we're supposed to be in a world of zero trust, right, where systems are going to be on island unto themselves. But traditionally, you know, there's a network boundary where you may terminate TLS at the network boundary and then everything within it can be deep packet inspected and monitored for the traffic. And if you don't do that, then you're potentially leaving yourself at risk.
Chris RomeoI mean, can you do that at the speed of an enterprise network though? Can you, I mean, we're talking
Izar Tarandachif you use mirror traffic,
Chris Romeoin a 10 gig connection, you can decrypt all of that TLS traffic
Matt ColesWith hardware, with hardware decryption. Yeah, yeah. With hardware decryption. Absolutely.
Izar Tarandachyou can.
Chris RomeoOkay. Wow.
Izar TarandachBut the thing
Chris RomeoThe world of computing has gotten further.
Izar Tarandachthat, the thing that's sort of bothering me here is that we jumped from configuration of actual stuff and how you use stuff to all of a sudden on three and four we are looking at networks.
Chris RomeoAnd This is designed too. It
Izar TarandachAnd many times it's not the same people who do both things. So who's the public for this thing here?
Matt ColesI guess it's misleading. It's misleading because it's not a configuration. It's, it's,
Chris RomeoIt is. It is a configuration. Be when, because you could, I mean, whenever, whenever you de, whenever you de you designed, when you go to implement it, it is, you are configuring your network monitoring tools in an insufficient way.
Izar TarandachWell, you configure it because it has to be configured to be, to be of use, but it's not a configuration problem of the environment or the system or the whatever. Fair.
Matt ColesWe're nit-picking on words at this point.
Chris RomeoYeah, let's, let's keep, but to your earlier point about design, there is a design element to, if you properly design your network monitoring, you don't have insufficient network monitoring. And so
Matt ColesAnd by the way, and by the way, for four, with software defined networking, this is absolutely a configuration issue,
Chris Romeoand four, just for the record, is lack of network segmentation.
Matt Colesright? So having
Izar Tarandachcould be architecture.
Matt Colesit is, it is an architecture and it may
Izar Tarandacharchitecture now is configuration.
Matt Colesoh, we could have an episode alone on that one.
Izar TarandachI dare you. I dare you to go to an architect and say What you do is configuration. I dare you,
Chris RomeoYeah, you're, you're change management now, friend. That's what you do. It's
Matt ColesWait, isn't that, isn't that Dev, isn't that DevOps? Isn't that what DevOps and DevSecOps is all about?
Chris RomeoWhat?
Izar TarandachAnd he just said the quiet part loud.
Chris RomeoWell, there's another dollar in the swear jar from. from Matt Coles,
Matt Colesat least I didn't say pane of glass.
Chris Romeoor ShiftLeft, or any of my other,
Matt ColesSingle pane
Chris Romeoof the other words that cause pain.
Matt Colesright. So poor patch management. Number five, not a configuration per se, unless it's automatic updates we're talking about.
Chris RomeoOh, I see what you're saying.
Izar Tarandachoh, oh, speaking of the word jar, so, is this one talking about SBOMs? Is it SBOM time?
Chris RomeoPlease no. Please stop.
Matt ColesPlease
Izar Tarandachalready? Wait, do we have insufficient DAST anywhere?
Chris RomeoOh man, this is... Okay, so poor patch management, lack of regular patching, use of unsupported operating systems. To your point, this isn't a configuration unless it's an automated thing. This is just a point, this isn't the top 10 misconfigurations, it's the top 10 problems
Izar TarandachYeah, true,
Chris RomeoIt's a la so the, the, the misconfiguration would be a lack of automated patch management. Cause that's something you could change. You could turn it on or turn it off. Alright, good. Six, bypass of system access controls. Wait a minute.
Matt ColesI'm not entirely sure this is a configuration issue. This is a, this is an active attack kind of thing,
Izar Tarandachyeah, I would say that having system access controls is the configuration or misconfiguration,
Chris Romeolook at the first sentence there. That's a threat. The first sentence is a threat. A malicious actor can bypass system access controls by compromising alternate authentication methods in an environment. I
Matt Colesokay, so there's the config, there's the configuration problem, right? If you, if, and it goes back to number one, if you have a default, if the system's default configuration exposes insecure protocols and you leave them open, you're at risk to this threat. Right? Number two, the second sentence here, if a malicious actor can collect hashes. Well, how do they collect hashes? You've left Lanman in your, in your system, right? Or NTLM or whatever.
Chris RomeoAnd that you're saying that's the lack, that's the configuration problem or the
Matt Colesa configuration problem, right? So you've missed configuration. You've left insecure protocols in place.
Izar Tarandachthe whole item is just listing ways of bypassing authentication.
Matt ColesYeah, but they, they should, they should have taken the, the statements and turned'em around in, in terms of, as a systems, as a system designer and a system deployer don't leave insecure configurations because they'll allow malicious actors to do X, Y, Z. That's how it probably should have been stated. That's, I think, what they intended to say. But, but what they did was they, they took the attack first and not the, not the cause.
Chris RomeoYeah. So then seven, weaker misconfigured MFA methods.
Matt ColesOh.
Chris RomeoBut listen where they start here. Misconfigured smart cards or tokens. Generally government or DoD networks. So not really that applicable to the average enterprise. Like we don't use smart cards anywhere. At least I don't know anyone who uses smart cards.
Matt ColesUh, some companies, well yeah, okay, maybe primarily in government or DoD, but I, you know, have high security environments that do use this, use smart cards. It's not unheard of, and people use YubiKeys and other FIDO tokens all the time.
Chris RomeoI mean, that's not a smart card though, right? A YubiKeys,
Matt ColesIt's a token.
Chris Romeothey're talking
Izar Tarandacha token, it's a...
Chris RomeoThey're talking about CAC cards here from,
Matt ColesThey are. CAC and PIV, right,
Izar Tarandachare talking about tokens as well, so you could think about FIDO and all that
Matt ColesSo if you have a, if you have a, a Google Titan, or if you have a, uh, uh, a YubiKeys, right? Those are, those are access tokens. Those are tokens that are in scope here. What's interesting though, is they don't start with not having MFA in the first place. They start with the assumption that you have MFA and it's insecurely configured, not, you don't have MFA.
Chris RomeoWell, that
Matt Colesone.
Chris RomeoNot having MFA, to our earlier discussion would not be a misconfiguration.
Izar TarandachExactly, yeah,
Chris Romeobe a design problem. So they, they kind of followed the
Matt Colesunless it was a configuration option that you could enable MFA that you didn't.
Chris RomeoI see.
Izar Tarandachare assuming that you have it, but it's misconfigured.
Matt ColesThat's
Chris RomeoAll right. Now eight, we go back to network.
Izar TarandachNo, no, wait, wait, wait, but before we go there, then they jump to lack of phishing resistant MFA.
Matt ColesWhich is a configuration problem again.
Izar Tarandachis the configuration or is design of the MFA, perhaps the MFA solution is not good enough.
Matt ColesThat's true if you have one to choose from, but if you have multiples to choose from, and you don't enable, again, the strongest one available,
Izar TarandachOh, oh, no, sorry. On, on upon reading. They seem to be addressing, uh, MFA over SMS because they say that exploitation of Signaling System 7 protocol vulnerabilities and SIM swap techniques is the problem.
Matt Colesright,
Chris RomeoSo we agree with that. I mean, we agree
Matt Colesif you have the option, if you have an option of using one that
Izar Tarandachnot a misconfiguration,
Matt Colesunless it's an option,
Chris RomeoWhich a lot of times it is an option. A lot of times it is an option these days between push
Izar TarandachBut again, wait.
Chris Romeoand text based,
Izar TarandachIf you have a choice between A or B, is that a misconfiguration if you choose the weaker of them? Or is it a bad design choice?
Chris RomeoSMS based, or secure by default. So
Matt Colesit's a bad default. It's a bad default, which means it's a design. It's a configuration choice and it's a bad design in that you're giving a poor choice.
Chris RomeoYeah,
Matt ColesIt's.
Izar TarandachOK, you convinced me.
Chris Romeoall right, 8. Insufficient ACLs on network shares and services. So now we're back to the network again.
Matt ColesYeah, this is a configuration problem that most definitely you've set the wrong ACLs.
Chris Romeowe're just we're just we're saying this is a misconfig and we're moving on.
Matt ColesYep.
Chris RomeoAll right, 9 says poor credential hygiene.
Izar Tarandachthat's basically bad configuration of human persons because,
Matt ColesWell, this is, this is password. If you're using passwords and you're not using MFA or if you're using MFA with passwords and you have crackable passwords, that means you've set a weak password policy. Right? You haven't used 20 characters with symbols, alphanumeric and spaces.
Izar TarandachWait, wait, wait, we know that those policies are not all that they are hyped up to be, right?
Chris RomeoYeah, I'm, I
Matt ColesBut if you enforce a strong password policy...
Chris RomeoMean, what is the new, it's NIST 800-63, right? 800-63 redefines password policies as, as what they should be in a proper
Matt ColesLong, easy to remember, but hard to guess passphrases that don't change frequently.
Chris RomeoNot changeable, unless there's been a breach, you don't have to change them.
Izar TarandachAnd here they say that it's, if it's shorter than 15 characters, then it's bad.
Matt ColesAnd clear text password disclosure. We talked about this earlier with use of insecure protocols that expose credentials on the wire. Right? But what, what's, I guess that's, that's the, that's the choosing of a bad credential that can be easily guessed or reusing credentials and exposing it through insecure configurations. That's ultimately what it's getting to.
Izar TarandachBut again, is this a configuration thing? I mean, the only configuration that I can think of in here is the size of the password, or the choice of hashing
Chris Romeoyeah,
Izar Tarandachmethod
Chris Romeothere's, there's so much more they could have done. Like even just referencing 800-63 is. The current standard of what I think of as the best practice. Um, I don't, I don't think, I mean, if somebody is in this day and age, if they're allowing short passwords and non complex passwords, then, shame on them...
Matt ColesAnd then, and then they're, and then they talk about password stealth held in clear text. So this is not a configuration issue, right? This is not
Izar Tarandachconfiguration.
Chris RomeoThat's a design problem. They,
Izar TarandachI don't know any system that says would you like to store your passwords in clear text. Oh, okay, I'm going to configure it this way. Yay! Let's hope for the good things.
Chris RomeoAll right, we got to pick up 10 here. Unrestricted code execution. So there's a, there's a condition at the top though. If unverified programs are allowed to execute on hosts, a threat actor, Oh, it sounds like a threat, can run arbitrary malicious payloads within a network.
Matt ColesYeah. In my opinion, I don't know how you can say that this is a configuration issue unless you're running EDR,
Chris RomeoWell, can you, can you somehow force, like on Windows, can you, is there a configuration setting to only run things that are trusted binaries?
Izar Tarandachyou, you need stuff on top of it.
Matt ColesNo, but you can't, you can have Windows fail to run without prompting for UAC. You could, right, or whatever it's called now.
Chris RomeoYeah, they had a what, because it was their safe list. Didn't they build a safe list feature years ago for
Matt ColesIf it's not digitally signed, if it's not digitally signed, you can,
Izar Tarandachand the certificate is good,
Matt Colescan do, you can do group policies to prevent this.
Izar Tarandachbut unless it is a very, and I could be wrong here because I'm not a Windows person, but unless it's a very limited account. You can just click on run it anyway.
Matt ColesOh yeah, if you're, if you're running as admin, so you're running with elevated privileges, that goes back to the running with elevated privileges discussion,
Chris RomeoEnterprise application environment, not everybody has admin, right? And so, and I think that's where they're going. Now, I don't know why you would turn off those protections in a Windows environment. Why would you turn off all of these things about safe listing applications based on signatures of binaries and things like
Izar TarandachBecause Joe from accounting absolutely needs to be able to run that flash thing that he has from 95. So they have to lower the barriers and give him more
Chris RomeoI guess. Not in my world. Not in my network. I won't allow it. So, all right. Well, that was a fun little quick pass through the NSA, CISA, Red and Blue teams share top 10 cybersecurity misconfigurations. I think we kind of had some fun going through there and pointing out some things. Izar's got the
Izar Tarandachit has to be said, it has to be said that we value the effort. We like that it came out and, uh, we just think that it could be a bit more, I don't know, focused, defined,
Chris RomeoCould be tuned up a little bit to truly make it so that it's clear how everything is a misconfiguration.
Izar Tarandachright. And the mitigations have good stuff. There's a lot to learn in there as well and they have good references. So I think that all in all, 3 out of 5 for the effort.
Chris Romeoyeah, yeah. And it's, you know, they're, they're moving, they're moving the industry forward. It may not be perfect. Nobody's ever going to be perfect and that's okay. Cause there is no perfect security. Um, there is only reasonable security and some of this is reasonable and we'll leave it with that. Thanks folks.
Podcasts we love
Check out these other fine podcasts recommended by us, not an algorithm.
The Application Security Podcast
Chris Romeo and Robert Hurlbut