The Cybersecurity and Infrastructure Security Agency (CISA) has released a news advisory stating that cyber criminals have been taking advantage of users’ “poor security configurations, weak controls and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system.” As part of the statement, the agency also reviews the 10 most prevalent ways hackers breach networks and the methods companies can use to mitigate the risk posed by these attacks.
10 most common cyberattack vectors
Per CISA’s findings, the following approaches are the ones most employed by hackers to gain access to a user’s or organization’s networks and/or systems:
- Multi-factor authentication (MFA) not being enforced
- Incorrectly applied privileges or permissions and errors within access control lists
- Software not being up to date
- Use of vendor-supplied default configurations or default login usernames and passwords
- Remote services lacking sufficient controls to prevent unauthorized access
- Strong password policies not being implemented
- Cloud services being left unprotected
- Open ports and misconfigured services being exposed to the internet
- Failure to detect or block phishing attempts
- Poor endpoint detection and response
“As lists go, this is a very good one and enumerates the most common reasons organizations fall victim to cyberattacks,” said Chris Clements, vice president of solutions architecture at Cerberus Sentinel. “By following CISA’s recommendations, organizations can drastically improve their security posture and resilience to cyberattack. That said, many of these items can be difficult to implement, especially at organizations that don’t already have a strong culture of cybersecurity. It’s also difficult for an organization without an existing culture to know where to begin as well.”
As the list shows, most of these attack vectors stem from user or organizational errors. To keep cyber criminals out of a given system or network, it is recommended that the user or organization managing it consistently follow best practices for defending against cyberattacks.
Roger Grimes, data-driven defense evangelist at KnowBe4, has a different opinion on the advisory, noting that CISA is not highlighting the areas that users and enterprises need to be most aware of.
“Unfortunately, like most of these types of warnings, it does not tell readers one huge truth that they need to know, and it is that phishing and social engineering are 50% to 90% of the problem,” Grimes said. “Like most warnings, it mentions phishing and social engineering almost in passing. None of the mitigations mention fighting phishing or social engineering attacks, such as better training employees to recognize and defeat phishing attacks. Social engineering is the biggest threat by far, but it is barely mentioned, so no one who is reading the document would know that defeating it is the single best thing you can do.”
CISA’s tips on mitigating risk factors
Alongside the top 10 attack vectors, the agency also lists the following mitigations for organizations that may come under fire from hackers:
- Control access through zero-trust security
- Implement credential hardening, including MFA
- Establish centralized log management
- Employ antivirus programs
- Employ detection tools and search for vulnerabilities
- Maintain rigorous configuration management programs
- Initiate a software and patch management program
While some of these tips may seem obvious to those in IT, such as using antivirus software, deploying detection tools and keeping software patched, others may be harder to put into practice, especially for smaller businesses. One example raised by Clements is CISA’s urging to adopt a zero-trust model: the advisory does not explain how an organization would go about doing this from scratch, and only touches on the surface-level benefits of doing so.
“The mitigations list starts with ‘Adopt a zero-trust security model’. Zero trust can be an incredibly effective approach to network defense but can also be a significant undertaking to implement,” Clements said. “This is particularly true for organizations with large environments, legacy dependencies, or limited resources for staff or budget. As such, it’s critical for every organization to adopt a true culture of security to evaluate their individual risk, which best practices can be implemented quickly, and form both a short- and long-term strategy for defense. A [security operations center] is a great thing to have, but not all organizations will have the resources to build and staff their own.”
While the advisory goes into a fair bit of detail on how these tips can help an organization avoid becoming the next cyberattack victim, it is ultimately left to each enterprise and its executives to decide how best to execute these initiatives.