The Security Table

NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations

October 24, 2023 Chris Romeo Season 1 Episode 33

Matt, Chris, and Izar discuss the recently published "NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations." They review each point and critically analyze the document's content, pointing out areas where the terminology might be misleading or where the emphasis should be shifted. As they work through the top ten list, several trends and larger conversations appear out of the individual points.

The trio delves into the nuances of system configurations, emphasizing the risks associated with default settings that expose insecure protocols. Systems should not provide options that are inherently insecure! They also touch upon the challenges of network segmentation in the era of software-defined networking and the implications of poor patch management. They highlight the importance of understanding the difference between configuration problems and design flaws, particularly in password management and storage.

The discussion provides insights into the complexities of cybersecurity and the challenges of ensuring that systems are both user-friendly and secure. The dynamic exchange underscores the importance of continuous learning and adaptation in the ever-evolving field of cybersecurity.

Helpful Links:

NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a


Thanks for Listening!

Chris Romeo:

Hey folks, welcome to another episode of the security table. This is an abridged episode because we're going to talk really fast about something and have kind of a shorter episode here. Joined by Izar and Matt and myself, Chris Romeo, we're always around the security table and we're going to jump right in. So I am looking at this NSA and CISA red and blue team share top 10 cybersecurity misconfigurations. Let's pick up with number one and get into it. So default configurations of software and applications. Do we, are we in favor of these or are we against?

Matt Coles:

Well, so,

Izar Tarandach:

If you don't configure it right, then it's a misconfiguration, then, uh, yeah, I guess it's pretty much on the top ten.

Matt Coles:

Well, but I mean, this is, if we have, if we talk about a default configuration, this is making an assumption that the default is bad and therefore, but, but you could say the same thing about everything on this list. If this is your default,

Izar Tarandach:

Oh, no, no, no, no, wait, wait, they go to default credentials, meaning basically the misconfiguration here is that you are not changing the default passwords, which we know that absolutely nobody ever does, everybody immediately goes and puts a safe, good password instead of the default.

Chris Romeo:

I mean, that's why with default credentials, you don't let people, you don't give them the choice. There is no default credential. You don't have one. You have them set a password when they're configuring the device or whatever. I wasn't going to name any names. It was supposed to be without

Izar Tarandach:

I didn't, I just had a thing

Chris Romeo:

yeah, you have a little sneeze

Matt Coles:

so on this list, there is no default. I mean, unless you're talking about, about credential hygiene or not, there is no default credentials explicitly on this list.

Izar Tarandach:

yeah,

Matt Coles:

But number one is a summary line. It doesn't really need to be its own number, because they have put 11 on this list. If your default configuration is insecure, of course it's going to be number one.

Chris Romeo:

Yeah.

Matt Coles:

but all of these other things are also,

Chris Romeo:

missing. They're, they're mixing default credentials here with poor credential hygiene at number nine. So it doesn't make sense. Why are these not combined? Why would you have two separate things here?

Matt Coles:

well, so poor credential hygiene could be two things. misconfiguration of your password policies. Or it could be lack of your runtime behaviors around looking at compromised credentials. So in one case it's a configuration, in the other case it's not a configuration. So it's kind of a misleading item on this list.

Chris Romeo:

Okay.

Izar Tarandach:

one, one is what one is having the, the, the fact that you shouldn't be able to keep the default past setup. And the second one is you really should choose a good password and you should store it right.

Chris Romeo:

how about

Izar Tarandach:

the thing that, just before we go there, the thing that I have a problem with here is that we start with default configurations, which is a big thing, and then we funnel into credentials and permissions, which is a very, very, a much smaller subset than default configurations.

Chris Romeo:

yeah. Yeah, they talk about service level permissions as well. But look at two. I think we're gonna love two. It's basically the E in STRIDE.

Izar Tarandach:

I do, I do, but uh, I don't think it's a misconfiguration. I think it's usually more of a design thing

Chris Romeo:

Ooh, good point. Let's unpack that a little bit. So why, why is this a design problem and not a misconfiguration?

Izar Tarandach:

because it, it Putting, putting it, I, I think that lumping it together as a misconfiguration under this title basically means you are, you are using accounts that have way too much, too, way too much privileges than they should. Right. Which is not exactly a problem of a problem of separation. It's a problem of the way that you design your system and you are giving one, one account the ability of being everything, rather than saying we have this set of accounts that's admin accounts and we have this set of accounts that's user accounts.

Chris Romeo:

I think we have a context problem. We're looking at this through the lens of AppSec and software and ProdSec people. I just took a closer look. This says top 10 cybersecurity misconfigurations. So they're not specifically talking about design, like designing a web app. They're talking about excessive account privileges and elevated service account permissions that would be part of an operating Windows network in an enterprise.

Matt Coles:

Yeah, so let's talk about that

Izar Tarandach:

Aren't those applications?

Matt Coles:

Well, so think about number one, think about number one in that context then. Leaving the default configuration is the problem, right? by not changing the configuration to a secure state. If it requires elevating security, and I will just, and this is a lightning round here, but, you know, just think about the, the CISA Secure by Design, Secure by Default guidelines that came out recently in updated form. Secure by Default means come secure. And you have to weaken security. We talk about loosening guides, but most of the time products and applications and software are shipped in a default configuration that is insecure, and leaving it in that insecure configuration state puts it at number one on this list. Number two is likewise. Those things often ship with an administrative account. That administrative account may be the only account that's that's installed by default. And people will use it for operations when they shouldn't. They should create, they should create an additional account, non privileged, to be used for, for general purpose or something that's view only for, for metrics and reporting purposes or, or whatever. And you should be separation of the, the application should enforce separation of duties and users of those applications should reinforce that.

Chris Romeo:

All right. So let's look at three. I don't get this one. Insufficient

Izar Tarandach:

four, actually,

Matt Coles:

What, you don't get this at all? How do you, how do you, you can't measure what you don't know, right? You can't defend what you don't have

Chris Romeo:

yeah, but isn't everything encrypted in the world we live in now? How is, how can you monitor anything on a network that's not

Izar Tarandach:

Oh, no, no, no, no, no, no,

Chris Romeo:

just a bunch of TLS going back

Matt Coles:

packet inspection,

Izar Tarandach:

no, no, no, you can,

Matt Coles:

TLS offloading.

Izar Tarandach:

you can monitor for, for, uh, streams are not predicted in your threat model. So I know that these two things are expected to talk, but if I see A talking to Z, all of a sudden, oh wait, that's not supposed to happen.

Matt Coles:

Right. But also with TLS offloading and deep packet inspection, I mean, once you're, yes, we're supposed to be in a world of zero trust, right, where systems are going to be on island unto themselves. But traditionally, you know, there's a network boundary where you may terminate TLS at the network boundary and then everything within it can be deep packet inspected and monitored for the traffic. And if you don't do that, then you're potentially leaving yourself at risk.

Chris Romeo:

I mean, can you do that at the speed of an enterprise network though? Can you, I mean, we're talking

Izar Tarandach:

if you use mirror traffic,

Chris Romeo:

in a 10 gig connection, you can decrypt all of that TLS traffic

Matt Coles:

With hardware, with hardware decryption. Yeah, yeah. With hardware decryption. Absolutely.

Izar Tarandach:

you can.

Chris Romeo:

Okay. Wow.

Izar Tarandach:

But the thing

Chris Romeo:

The world of computing has gotten further.

Izar Tarandach:

that, the thing that's sort of bothering me here is that we jumped from configuration of actual stuff and how you use stuff to all of a sudden on three and four we are looking at networks.

Chris Romeo:

And this is design too. It

Izar Tarandach:

And many times it's not the same people who do both things. So who's the public for this thing here?

Matt Coles:

I guess it's misleading. It's misleading because it's not a configuration. It's, it's,

Chris Romeo:

It is. It is a configuration. Be when, because you could, I mean, whenever, whenever you de, whenever you de you designed, when you go to implement it, it is, you are configuring your network monitoring tools in an insufficient way.

Izar Tarandach:

Well, you configure it because it has to be configured to be, to be of use, but it's not a configuration problem of the environment or the system or the whatever. Fair.

Matt Coles:

We're nit-picking on words at this point.

Chris Romeo:

Yeah, let's, let's keep, but to your earlier point about design, there is a design element to, if you properly design your network monitoring, you don't have insufficient network monitoring. And so

Matt Coles:

And by the way, and by the way, for four, with software defined networking, this is absolutely a configuration issue,

Chris Romeo:

and four, just for the record, is lack of network segmentation.

Matt Coles:

right? So having

Izar Tarandach:

could be architecture.

Matt Coles:

it is, it is an architecture and it may

Izar Tarandach:

architecture now is configuration.

Matt Coles:

oh, we could have an episode alone on that one.

Izar Tarandach:

I dare you. I dare you to go to an architect and say, "What you do is configuration." I dare you,

Chris Romeo:

Yeah, you're, you're change management now, friend. That's what you do. It's

Matt Coles:

Wait, isn't that, isn't that Dev, isn't that DevOps? Isn't that what DevOps and DevSecOps is all about?

Chris Romeo:

What?

Izar Tarandach:

And he just said the quiet part loud.

Chris Romeo:

Well, there's another dollar in the swear jar from. from Matt Coles,

Matt Coles:

at least I didn't say pane of glass.

Chris Romeo:

or ShiftLeft, or any of my other,

Matt Coles:

Single pane

Chris Romeo:

of the other words that cause pain.

Matt Coles:

right. So poor patch management. Number five, not a configuration per se, unless it's automatic updates we're talking about.

Chris Romeo:

Oh, I see what you're saying.

Izar Tarandach:

oh, oh, speaking of the word jar, so, is this one talking about SBOMs? Is it SBOM time?

Chris Romeo:

Please no. Please stop.

Matt Coles:

Please

Izar Tarandach:

already? Wait, do we have insufficient DAST anywhere?

Chris Romeo:

Oh man, this is... Okay, so poor patch management, lack of regular patching, use of unsupported operating systems. To your point, this isn't a configuration unless it's an automated thing. This is just a point, this isn't the top 10 misconfigurations, it's the top 10 problems

Izar Tarandach:

Yeah, true,

Chris Romeo:

It's a la so the, the, the misconfiguration would be a lack of automated patch management. Cause that's something you could change. You could turn it on or turn it off. Alright, good. Six, bypass of system access controls. Wait a minute.

Matt Coles:

I'm not entirely sure this is a configuration issue. This is a, this is an active attack kind of thing,

Izar Tarandach:

yeah, I would say that having system access controls is the configuration or misconfiguration,

Chris Romeo:

look at the first sentence there. That's a threat. The first sentence is a threat. A malicious actor can bypass system access controls by compromising alternate authentication methods in an environment. I

Matt Coles:

okay, so there's the config, there's the configuration problem, right? If you, if, and it goes back to number one, if you have a default, if the system's default configuration exposes insecure protocols and you leave them open, you're at risk to this threat. Right? Number two, the second sentence here, if a malicious actor can collect hashes. Well, how do they collect hashes? You've left Lanman in your, in your system, right? Or NTLM or whatever.

Chris Romeo:

And that you're saying that's the lack, that's the configuration problem or the

Matt Coles:

a configuration problem, right? So you've missed configuration. You've left insecure protocols in place.

Izar Tarandach:

the whole item is just listing ways of bypassing authentication.

Matt Coles:

Yeah, but they, they should, they should have taken the, the statements and turned 'em around in, in terms of, as a systems, as a system designer and a system deployer don't leave insecure configurations because they'll allow malicious actors to do X, Y, Z. That's how it probably should have been stated. That's, I think, what they intended to say. But, but what they did was they, they took the attack first and not the, not the cause.

Chris Romeo:

Yeah. So then seven, weaker misconfigured MFA methods.

Matt Coles:

Oh.

Chris Romeo:

But listen where they start here. Misconfigured smart cards or tokens. Generally government or DoD networks. So not really that applicable to the average enterprise. Like we don't use smart cards anywhere. At least I don't know anyone who uses smart cards.

Matt Coles:

Uh, some companies, well yeah, okay, maybe primarily in government or DoD, but I, you know, have high security environments that do use this, use smart cards. It's not unheard of, and people use YubiKeys and other FIDO tokens all the time.

Chris Romeo:

I mean, that's not a smart card though, right? A YubiKey,

Matt Coles:

It's a token.

Chris Romeo:

they're talking

Izar Tarandach:

a token, it's a...

Chris Romeo:

They're talking about CAC cards here from,

Matt Coles:

They are. CAC and PIV, right,

Izar Tarandach:

are talking about tokens as well, so you could think about FIDO and all that

Matt Coles:

So if you have a, if you have a, a Google Titan, or if you have a, uh, uh, a YubiKey, right? Those are, those are access tokens. Those are tokens that are in scope here. What's interesting though, is they don't start with not having MFA in the first place. They start with the assumption that you have MFA and it's insecurely configured, not, you don't have MFA.

Chris Romeo:

Well, that

Matt Coles:

one.

Chris Romeo:

Not having MFA, to our earlier discussion would not be a misconfiguration.

Izar Tarandach:

Exactly, yeah,

Chris Romeo:

be a design problem. So they, they kind of followed the

Matt Coles:

unless it was a configuration option that you could enable MFA that you didn't.

Chris Romeo:

I see.

Izar Tarandach:

are assuming that you have it, but it's misconfigured.

Matt Coles:

That's

Chris Romeo:

All right. Now eight, we go back to network.

Izar Tarandach:

No, no, wait, wait, wait, but before we go there, then they jump to lack of phishing resistant MFA.

Matt Coles:

Which is a configuration problem again.

Izar Tarandach:

is the configuration or is design of the MFA, perhaps the MFA solution is not good enough.

Matt Coles:

That's true if you have one to choose from, but if you have multiples to choose from, and you don't enable, again, the strongest one available,

Izar Tarandach:

Oh, oh, no, sorry. On, on upon reading. They seem to be addressing, uh, MFA over SMS because they say that exploitation of Signaling System 7 protocol vulnerabilities and SIM swap techniques is the problem.

Matt Coles:

right,

Chris Romeo:

So we agree with that. I mean, we agree

Matt Coles:

if you have the option, if you have an option of using one that

Izar Tarandach:

not a misconfiguration,

Matt Coles:

unless it's an option,

Chris Romeo:

Which a lot of times it is an option. A lot of times it is an option these days between push

Izar Tarandach:

But again, wait.

Chris Romeo:

and text based,

Izar Tarandach:

If you have a choice between A or B, is that a misconfiguration if you choose the weaker of them? Or is it a bad design choice?

Chris Romeo:

SMS based, or secure by default. So

Matt Coles:

it's a bad default. It's a bad default, which means it's a design. It's a configuration choice and it's a bad design in that you're giving a poor choice.

Chris Romeo:

Yeah,

Matt Coles:

It's.

Izar Tarandach:

OK, you convinced me.

Chris Romeo:

all right, 8. Insufficient ACLs on network shares and services. So now we're back to the network again.

Matt Coles:

Yeah, this is a configuration problem that most definitely you've set the wrong ACLs.

Chris Romeo:

we're just we're just we're saying this is a misconfig and we're moving on.

Matt Coles:

Yep.

Chris Romeo:

All right, 9 says poor credential hygiene.

Izar Tarandach:

that's basically bad configuration of human persons because,

Matt Coles:

Well, this is, this is password. If you're using passwords and you're not using MFA or if you're using MFA with passwords and you have crackable passwords, that means you've set a weak password policy. Right? You haven't used 20 characters with symbols, alphanumeric and spaces.

Izar Tarandach:

Wait, wait, wait, we know that those policies are not all that they are hyped up to be, right?

Chris Romeo:

Yeah, I'm, I

Matt Coles:

But if you enforce a strong password policy...

Chris Romeo:

Mean, what is the new, it's NIST 800-63, right? 800-63 redefines password policies as, as what they should be in a proper

Matt Coles:

Long, easy to remember, but hard to guess passphrases that don't change frequently.

Chris Romeo:

Not changeable, unless there's been a breach, you don't have to change them.

Izar Tarandach:

And here they say that it's, if it's shorter than 15 characters, then it's bad.

Matt Coles:

And clear text password disclosure. We talked about this earlier with use of insecure protocols that expose credentials on the wire. Right? But what, what's, I guess that's, that's the, that's the choosing of a bad credential that can be easily guessed or reusing credentials and exposing it through insecure configurations. That's ultimately what it's getting to.

Izar Tarandach:

But again, is this a configuration thing? I mean, the only configuration that I can think of in here is the size of the password, or the choice of hashing

Chris Romeo:

yeah,

Izar Tarandach:

method

Chris Romeo:

there's, there's so much more they could have done. Like even just referencing 800-63 is. The current standard of what I think of as the best practice. Um, I don't, I don't think, I mean, if somebody is in this day and age, if they're allowing short passwords and non complex passwords, then, shame on them...

Matt Coles:

And then, and then they're, and then they talk about passwords still held in clear text. So this is not a configuration issue, right? This is not

Izar Tarandach:

configuration.

Chris Romeo:

That's a design problem. They,

Izar Tarandach:

I don't know any system that says would you like to store your passwords in clear text. Oh, okay, I'm going to configure it this way. Yay! Let's hope for the good things.

Chris Romeo:

All right, we got to pick up 10 here. Unrestricted code execution. So there's a, there's a condition at the top though. If unverified programs are allowed to execute on hosts, a threat actor, Oh, it sounds like a threat, can run arbitrary malicious payloads within a network.

Matt Coles:

Yeah. In my opinion, I don't know how you can say that this is a configuration issue unless you're running EDR,

Chris Romeo:

Well, can you, can you somehow force, like on Windows, can you, is there a configuration setting to only run things that are trusted binaries?

Izar Tarandach:

you, you need stuff on top of it.

Matt Coles:

No, but you can't, you can have Windows fail to run without prompting for UAC. You could, right, or whatever it's called now.

Chris Romeo:

Yeah, they had a what, because it was their safe list. Didn't they build a safe list feature years ago for

Matt Coles:

If it's not digitally signed, if it's not digitally signed, you can,

Izar Tarandach:

and the certificate is good,

Matt Coles:

can do, you can do group policies to prevent this.

Izar Tarandach:

but unless it is a very, and I could be wrong here because I'm not a Windows person, but unless it's a very limited account. You can just click on run it anyway.

Matt Coles:

Oh yeah, if you're, if you're running as admin, so you're running with elevated privileges, that goes back to the running with elevated privileges discussion,

Chris Romeo:

Enterprise application environment, not everybody has admin, right? And so, and I think that's where they're going. Now, I don't know why you would turn off those protections in a Windows environment. Why would you turn off all of these things about safe listing applications based on signatures of binaries and things like

Izar Tarandach:

Because Joe from accounting absolutely needs to be able to run that flash thing that he has from 95. So they have to lower the barriers and give him more

Chris Romeo:

I guess. Not in my world. Not in my network. I won't allow it. So, all right. Well, that was a fun little quick pass through the NSA, CISA, Red and Blue teams share top 10 cybersecurity misconfigurations. I think we kind of had some fun going through there and pointing out some things. Izar's got the

Izar Tarandach:

it has to be said, it has to be said that we value the effort. We like that it came out and, uh, we just think that it could be a bit more, I don't know, focused, defined,

Chris Romeo:

Could be tuned up a little bit to truly make it so that it's clear how everything is a misconfiguration.

Izar Tarandach:

right. And the mitigations have good stuff. There's a lot to learn in there as well and they have good references. So I think that all in all, 3 out of 5 for the effort.

Chris Romeo:

yeah, yeah. And it's, you know, they're, they're moving, they're moving the industry forward. It may not be perfect. Nobody's ever going to be perfect and that's okay. Cause there is no perfect security. Um, there is only reasonable security and some of this is reasonable and we'll leave it with that. Thanks folks.
