CISA’s Weak Security Controls List
Date: 2022-06-09
Author: Carolina Martinez, General Manager
The Cybersecurity & Infrastructure Security Agency (CISA), together with cybersecurity authorities from the United States, Canada, New Zealand, the Netherlands, and the UK, published a joint advisory that identifies the weak security controls and poor practices commonly exploited by cyber criminals to gain initial access to a victim's network.
The CISA partners included the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and international partners: the Canadian Centre for Cyber Security (CCCS), New Zealand's National Cyber Security Centre (NZ NCSC) and Computer Emergency Response Team (CERT NZ), the Netherlands' Nationaal Cyber Security Centrum (NCSC-NL), and the United Kingdom's National Cyber Security Centre (NCSC-UK).
The joint advisory shares 5 techniques used to gain initial access to a victim's network, most of which we are very familiar with. The one that still catches our attention near the top of the list is phishing, not because it is new but because it is the most well-known. Recent research by IRONSCALE reports that 81% of organizations around the world have experienced an increase in phishing attacks since 2020, and Verizon's 2021 DBIR concludes that 25% of data breaches involve phishing.
Granted, phishing involves a human element that can be wisely mitigated by company training. However, the joint advisory makes clear that the victim is not the only one to blame: the poor cyber hygiene practices that the organization chooses to ignore share the responsibility. It is not a question of the IT budget at hand, but of whether affordable practices are valued enough to be implemented.
The joint advisory lists the top ten poor security practices that leave organizations with weak security controls:
- Multi-Factor Authentication (MFA) is not enforced.
- Incorrectly applied privileges or permissions and errors within access control lists.
- Software is not up to date.
- Use of vendor-supplied default configurations or default login usernames and passwords.
- Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access.
- Strong password policies are not implemented.
- Cloud services are unprotected.
- Open ports and misconfigured services are exposed to the internet.
- Failure to detect or block phishing attempts.
- Poor endpoint detection and response.
If you have been around Versasec for a while, you know our strong belief in Multi-Factor Authentication (MFA). We have discussed the denials, myths, and truths around MFA in two earlier blog posts, and now more than ever it is easy to implement. The market offers a vast array of MFA solutions to fit any company's size, budget, and convenience of use. Our award-winning vSEC:CMS is always evolving with the latest trends and technologies to ease the deployment of MFA tokens and integrate effortlessly with other highly secure ecosystems.
With Versasec's credential management system vSEC:CMS, the difficulty and complexity of implementing MFA become history. We have successfully walked organizations, from small to large, through centralizing all of their MFA needs and use cases in one solution. Our software integrates with the top players in the Identity and Access Management space, including Certificate Authorities, credential manufacturers' tokens (including virtual credentials), HSMs, PACs, and printers, to enable easy authentication and cryptographic operations.
Reach out to a Versasec expert today and talk to us about your MFA needs!