A joint cybersecurity advisory from government agencies of the United States, Canada, New Zealand, the Netherlands, and the United Kingdom outlined commonly exploited controls and practices, and identified best practices to mitigate the issues.
The joint advisory issued Tuesday said cyber actors routinely exploit poor security configurations, weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system.
Malicious cyber actors often exploit these poor security practices to employ initial access techniques. Here are some of the bad practices and mitigations the joint advisory points out:
Multifactor authentication (MFA) not enforced
MFA, particularly for remote desktop access, can help prevent account takeovers. With remote desktop protocol (RDP) as one of the most common infection vectors for ransomware, MFA has become a critical tool in mitigating malicious cyber activity. Do not exclude any user, particularly administrators, from an MFA requirement.
Incorrectly applied privileges or permissions and errors within access control lists
These mistakes can prevent the enforcement of access control rules and could allow unauthorized users or system processes to be granted access to objects.
Software not up-to-date
Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information, launch a denial-of-service attack, or take control of a system. Unpatched software is one of the most commonly found poor security practices.
Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access
During recent years, malicious threat actors have been observed targeting remote services. Network defenders can reduce the risk of remote service compromise by adding access control mechanisms, such as enforcing MFA, implementing a boundary firewall in front of a VPN, and leveraging intrusion detection system/intrusion prevention system sensors to detect anomalous network activity.
Unprotected cloud services
Misconfigured cloud services are common targets for cyber actors. Poor configurations can allow for sensitive data theft and even cryptojacking.
Above all, the joint advisory recommends that security organizations adopt a zero-trust security model that eliminates implicit trust in any one element, node, or service, and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. A zero-trust architecture allows for granular privilege access management and lets security teams only assign the rights users need to perform their assigned tasks.
The joint advisory also said security teams should limit the ability of a local administrator account to log in from a remote session and prevent access via an RDP session. Additionally, use dedicated administrative workstations for privileged user sessions to help limit exposure to all the threats associated with device or user compromise.
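The following PowerShell audit is an added example, not code from the advisory or the agencies behind it. It checks the two Windows settings that enforce the last recommendation: the "deny log on through Remote Desktop Services" and "deny access from the network" user rights applied to local administrator accounts (well-known SID S-1-5-114), and the LocalAccountTokenFilterPolicy registry value. It assumes a Windows host, an elevated session, and secedit.exe on the path; the temporary file name and message strings are the example's own.

```powershell
# Audit: are local administrator accounts denied remote (network) and RDP logon?
# Added example; assumes an elevated PowerShell session on Windows with secedit.exe.

$localAdminsSid   = 'S-1-5-114'  # well-known SID: local account that is a member of Administrators
$localAccountsSid = 'S-1-5-113'  # well-known SID: any local account (broader, also acceptable)

# Export only the user-rights assignments of the effective local security policy.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'   # temporary file name chosen for this example
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $inf
Remove-Item -Path $inf -Force

function Get-RightSids {
    # Returns the SIDs assigned to one user right, e.g.
    #   SeDenyNetworkLogonRight = *S-1-5-114,*S-1-5-113
    param([string]$RightName)
    $line = $policy | Where-Object { $_ -match "^$RightName\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

$findings = @()
foreach ($right in 'SeDenyRemoteInteractiveLogonRight', 'SeDenyNetworkLogonRight') {
    $sids = Get-RightSids -RightName $right
    if (($sids -notcontains $localAdminsSid) -and ($sids -notcontains $localAccountsSid)) {
        $findings += "$right does not include $localAdminsSid; local admins can still log on this way"
    }
}

# LocalAccountTokenFilterPolicy = 1 disables remote UAC token filtering, giving local admin
# accounts a full-privilege token over the network. The secure default is absent or 0.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$tokenFilter = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
                -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($tokenFilter -eq 1) {
    $findings += 'LocalAccountTokenFilterPolicy is 1: remote UAC token filtering is disabled'
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: local administrator accounts are denied network and RDP logon'
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
}
```

Remediate any FAIL line through Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment) by adding "Local account and member of Administrators group" to both deny rights, and by removing or zeroing LocalAccountTokenFilterPolicy.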