The mistakes we make and how to fix them – a new report co-authored by the NCSC reveals the 10 most common security weaknesses exploited by hackers.
A joint cybersecurity advisory from the UK National Cyber Security Centre (NCSC-UK) was released earlier this month, co-authored with cybersecurity agencies from the USA, Canada, New Zealand and the Netherlands. It details 10 commonly exploited weak security controls and practices that let attackers gain initial access to your systems and compromise your devices, and sets out the mitigations and best practices that protect against them.
Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system.
Knowing the right thing to do is not the same as doing it: company security policies and procedures are often not followed consistently, and each lapse in implementation gives an attacker an easier route into your systems. This advisory is a timely reminder of the steps to take to avoid falling victim to attacks that exploit these routine weaknesses.
Here is a list of the top 10 mistakes security managers routinely make:
Failing to enforce Multi-Factor Authentication (MFA)
Multi-factor authentication requires two or more different types of factor: something you know (a password or PIN), something you have (a phone or security key) and something you are (a fingerprint or face). Not all second factors are equal. Codes delivered by SMS or generated by an authenticator app can be phished and relayed to the real site in real time, whereas FIDO2/WebAuthn security keys are phishing-resistant because the response is cryptographically bound to the site the browser is actually talking to, not merely because they are physical objects. Enforcing MFA on all accounts and services is one of the most effective ways to blunt attacks that rely on compromised passwords, and it matters most for remote access: attackers commonly gain initial access through exposed remote desktop services, and MFA in front of them removes the value of a stolen or guessed password. Ensure MFA policies are applied to all users, and do not make exceptions for admin accounts or high-profile users such as the CEO and other company officers whose names are easily found on LinkedIn or your company website; those are exactly the accounts attackers target first.
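To make the phishing-resistance point concrete, here is an added example that is not part of the advisory or of this article. The TOTP half is a real RFC 6238 implementation using the RFC's published test seed; the WebAuthn half is deliberately simplified, with an HMAC under a shared credential key standing in for the authenticator's public-key signature, and the origin names are invented. It shows that a one-time code is accepted no matter which site the victim typed it into, while an origin-bound assertion produced on a look-alike domain is rejected by the real site.

```python
import hashlib
import hmac
import json
import struct
import time

# RFC 6238 test seed (public test vector data, not a real secret).
TOTP_SEED = b"12345678901234567890"
# Constructed stand-in for a WebAuthn credential: a real authenticator holds a
# private key and signs; here an HMAC key shared with the relying party mimics that.
CREDENTIAL_KEY = b"constructed-credential-key-for-demo"
RP_ORIGIN = "https://login.example.com"          # assumed legitimate origin
PHISH_ORIGIN = "https://login.example-com.net"  # assumed look-alike origin


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_verify_totp(submitted: str, at: int) -> bool:
    # The server cannot tell which web page the user typed the code into.
    return hmac.compare_digest(submitted, totp(TOTP_SEED, at))


def authenticator_sign(challenge: str, origin: str) -> dict:
    """Browser + authenticator: the signed client data carries the origin the
    browser actually loaded, so the user cannot be tricked into signing for
    a different site than the one they are on."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(CREDENTIAL_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


def server_verify_assertion(assertion: dict, expected_challenge: str) -> bool:
    """Relying party check: signature valid AND challenge fresh AND origin ours."""
    expected = hmac.new(CREDENTIAL_KEY, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False
    data = json.loads(assertion["client_data"])
    return data["challenge"] == expected_challenge and data["origin"] == RP_ORIGIN


def phish_totp(now: int) -> bool:
    """Attacker's proxy page collects the victim's freshly generated code and
    replays it to the real server inside the same 30-second window."""
    code_typed_on_phish_page = totp(TOTP_SEED, now)
    return server_verify_totp(code_typed_on_phish_page, now)


def phish_webauthn(challenge: str) -> bool:
    """Attacker relays the real server's challenge to the victim on the
    look-alike origin; the browser binds that origin into the signed data."""
    assertion = authenticator_sign(challenge, PHISH_ORIGIN)
    return server_verify_assertion(assertion, challenge)


def legitimate_webauthn(challenge: str) -> bool:
    assertion = authenticator_sign(challenge, RP_ORIGIN)
    return server_verify_assertion(assertion, challenge)


if __name__ == "__main__":
    now = int(time.time())
    print("TOTP relayed via phishing proxy accepted:", phish_totp(now))
    print("Origin-bound assertion from phishing page accepted:", phish_webauthn("c0ffee"))
    print("Origin-bound assertion from real page accepted:", legitimate_webauthn("c0ffee"))
```

The real protocol also replays protection through the server-issued challenge and a signature counter, and uses an asymmetric key so the server never holds anything that could be used to forge assertions; the HMAC here is purely to keep the example within the standard library.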
Using access control lists (ACL) with improperly applied permissions and privileges
Controlling access is a good starting point for strengthening your defences against the weak practices attackers exploit most often. ACLs specify which accounts may reach which data files, systems or network segments, so you can restrict the most sensitive resources to the few accounts that genuinely need them. 'Allow lists' are the most secure way to express this, because everything not on the list is denied by default rather than having to be denied explicitly. Hardening goes beyond the lists themselves and applies design principles to them. The principle of least privilege gives each user or service only the permissions needed to do its job, so a compromised account exposes as little as possible. The zero-trust model goes further: it assumes no user, device or network location is trustworthy by default, so every request is authenticated and authorised on its own merits rather than being waved through because it originates 'inside' the network. Zero trust does not replace ACLs; it turns them from a one-time check at the perimeter into a continuous, per-request decision.
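The following is an added example (not taken from the advisory) of a default-deny allow-list evaluator with the two properties described above: anything not explicitly allowed is denied, and an explicit deny always wins over an allow. It also includes a least-privilege audit that reports what an account can do beyond what its job requires. The users, groups, resources and rules are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed directory: group membership for a handful of made-up users.
GROUPS = {
    "finance": {"alice"},
    "it-admins": {"bob"},
    "contractors": {"carol"},
}


@dataclass(frozen=True)
class Rule:
    effect: str            # "allow" or "deny"
    principals: frozenset  # user names and/or group names
    actions: frozenset     # e.g. {"read", "write"}
    resource: str          # exact path, or a prefix ending in "*"


# Constructed ACL. Order does not matter: deny is evaluated with precedence.
ACL = [
    Rule("allow", frozenset({"finance"}), frozenset({"read"}), "finance/*"),
    Rule("allow", frozenset({"it-admins"}), frozenset({"read", "write"}), "*"),
    Rule("allow", frozenset({"carol"}), frozenset({"read"}), "docs/*"),
    # Explicit deny: contractors never touch finance data, whatever else allows it.
    Rule("deny", frozenset({"contractors"}), frozenset({"read", "write"}), "finance/*"),
]


def principals_for(user: str) -> set:
    """A request is made by the user and, implicitly, every group they belong to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def resource_matches(pattern: str, resource: str) -> bool:
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def is_allowed(user: str, action: str, resource: str, acl=ACL) -> bool:
    """Default deny. An explicit matching deny short-circuits to False;
    otherwise access is granted only if some allow rule matches."""
    principals = principals_for(user)
    decision = False
    for rule in acl:
        if (rule.principals & principals
                and action in rule.actions
                and resource_matches(rule.resource, resource)):
            if rule.effect == "deny":
                return False
            decision = True
    return decision


def effective_permissions(user, resources, actions=("read", "write"), acl=ACL) -> set:
    """Enumerate what the user can actually do across the given resources."""
    return {(a, r) for r in resources for a in actions if is_allowed(user, a, r, acl)}


def excess_privilege(user, needed, resources, acl=ACL) -> set:
    """Least-privilege audit: permissions the user holds but their role does not need."""
    return effective_permissions(user, resources, acl=acl) - set(needed)


if __name__ == "__main__":
    print(is_allowed("carol", "read", "finance/q3.xlsx"))   # denied by explicit deny
    print(is_allowed("dave", "read", "docs/handbook.pdf"))  # unknown user: default deny
    print(excess_privilege("bob", {("read", "hr/roster.csv")},
                           ["hr/roster.csv", "finance/q3.xlsx"]))
```

Running the audit periodically against what each role actually needs is how least privilege is maintained in practice; a broad `*` grant like bob's is exactly the kind of standing privilege an attacker who compromises that account inherits.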
Not keeping software up to date
Failing to patch is reported by the US Cybersecurity and Infrastructure Security Agency (CISA) as one of the most common poor security practices. When vendors release updates they usually publish details of the vulnerabilities being fixed, so a public patch is also a public roadmap for attackers: the longer a system runs unpatched after release, the more likely it is that a working exploit is circulating. End-of-life software that no longer receives updates, and unpatched software and firmware, should be removed or replaced. Vulnerability scanners help identify and prioritise what to patch first, ideally weighted by whether the affected system is internet-facing and whether the vulnerability is known to be exploited in the wild, rather than by severity score alone.
Using default usernames and passwords
Many devices and applications ship 'out of the box' with permissive default configurations and well-known default credentials for administrative accounts, intended to make set-up easier. Those defaults are trivial for attackers to exploit, particularly when the default usernames and passwords are published in vendor troubleshooting or support documentation, and an attacker who logs in with them inherits full administrative control, including the ability to read your data and install malware. Change every default password during deployment, and disable or rename well-known administrator accounts; renaming is only a minor hurdle, so a strong unique password and MFA on the account still matter far more. Vendor and third-party service accounts should be disabled until maintenance is needed and re-enabled only for the duration of the work, shrinking the window in which these highly privileged accounts can be attacked.
Failing to implement and enforce strong password policies
Weak passwords allow easy access to your systems: whatever a user is permitted to do can be done by anyone who knows their password. Policies should require a unique password for every account so that compromise of one credential does not spread to other systems, and should check new passwords against lists of known-breached passwords rather than relying on complexity rules alone. Password managers make it practical for staff to hold many strong, unique credentials without reusing them. Passwordless authentication, such as FIDO2 security keys or platform authenticators, may be appropriate for some systems in your organisation. Account lockout after a number of failed attempts, together with rate limiting of login pages, blunts brute-force attacks. Note that attackers who 'spray' one common password across many accounts stay beneath per-account lockout thresholds, so throttling should also track how many distinct accounts a single source is attempting.
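Here is an added example, not from the advisory, of the lockout and throttling logic described above. It keeps per-account failure counts for conventional brute force and, separately, counts distinct accounts attempted from one source address to catch password spraying, which per-account lockout alone misses. The thresholds, account names and IP addresses are constructed for illustration; a real deployment would tune them and back the state with a shared store.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account lockout plus per-source spray detection.

    Per account: lock for `lockout` seconds after `max_failures` failures
    within `window` seconds.
    Per source: once one IP has failed against `spray_accounts` distinct
    accounts inside the window, block that IP for every account.
    Timestamps are passed in explicitly so the logic is deterministic/testable.
    """

    def __init__(self, max_failures=5, window=900, lockout=900, spray_accounts=10):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.spray_accounts = spray_accounts
        self.account_failures = defaultdict(deque)  # account -> failure timestamps
        self.locked_until = {}                      # account -> unlock time
        self.source_failures = defaultdict(deque)   # ip -> (timestamp, account)

    def _prune(self, dq, now, key=lambda item: item):
        # Drop entries that have aged out of the sliding window.
        while dq and key(dq[0]) < now - self.window:
            dq.popleft()

    def allowed(self, account: str, source_ip: str, now: float) -> bool:
        """Call before checking the password; refuse early when throttled."""
        if self.locked_until.get(account, 0) > now:
            return False
        src = self.source_failures[source_ip]
        self._prune(src, now, key=lambda item: item[0])
        distinct_targets = {acct for _, acct in src}
        return len(distinct_targets) < self.spray_accounts

    def record_failure(self, account: str, source_ip: str, now: float) -> None:
        failures = self.account_failures[account]
        self._prune(failures, now)
        failures.append(now)
        if len(failures) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            failures.clear()
        self.source_failures[source_ip].append((now, account))

    def record_success(self, account: str) -> None:
        self.account_failures[account].clear()


def brute_force_demo() -> tuple:
    """Five bad passwords against one account: locked, then released after lockout."""
    t = LoginThrottle()
    for i in range(5):
        t.record_failure("alice", "10.0.0.5", 100 + i)
    return t.allowed("alice", "10.0.0.5", 105), t.allowed("alice", "10.0.0.5", 1005)


def spray_demo() -> tuple:
    """One password tried against ten accounts from one IP: IP blocked, others fine."""
    t = LoginThrottle()
    for i in range(10):
        t.record_failure(f"user{i}", "203.0.113.7", 1000 + i)
    return t.allowed("user99", "203.0.113.7", 1010), t.allowed("user99", "198.51.100.2", 1010)


if __name__ == "__main__":
    print("brute force (during lockout, after lockout):", brute_force_demo())
    print("spray (from attacker IP, from other IP):", spray_demo())
```

Respond to a blocked request with a generic error and the same latency as a normal failure, so the attacker cannot distinguish a locked account from a wrong password; and consider adding MFA enforcement to the flow, since throttling only slows credential guessing rather than removing its value.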
Lax virtual private network (VPN) configuration
A VPN provides an encrypted tunnel across the internet, letting employees reach internal files and services from home as if they were on the office network, without exposing those services directly to the internet. However, a misconfigured VPN, or a vulnerability in the VPN appliance software, is itself an internet-facing way in: VPN flaws feature prominently in CISA's list of most commonly exploited weaknesses. Require MFA for VPN logins, patch VPN appliances promptly, place a firewall in front of the VPN endpoint, and restrict what a connected VPN user can reach rather than granting full access to the internal network. Intrusion detection and prevention systems can alert you to suspicious or anomalous behaviour; investigate and respond to those alerts promptly to limit the damage a threat can do before it is identified and removed.
Failing to protect cloud services and cloud storage
Cloud providers offer tooling to monitor abnormal access to your cloud resources, but it only protects you if it is switched on and someone reviews it. Properly configured cloud security controls keep your data safe from theft and your compute safe from cryptojacking. As with physical machines, cloud-hosted machines should sit behind firewalls (security groups) and, where remote management is needed, behind a VPN or bastion host rather than being reachable directly from the internet, and MFA on cloud consoles and APIs protects against brute-force and password-spraying attacks. Storage buckets and managed databases deserve particular attention, because a single permissive resource policy can make their contents readable by anyone on the internet.
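As an added example that is not part of the advisory, the script below audits a bucket policy for the most common cloud storage mistake: an Allow statement whose principal is anonymous and which is not pinned to a VPC, source network or organisation by a condition. The policy document is constructed for illustration, with a made-up bucket name, account ID and VPC endpoint ID; it mixes one genuinely public statement with two that look similar but are properly scoped.

```python
import json

# Constructed S3 bucket policy (not real infrastructure). Statement "PublicRead"
# is the misconfiguration; "VpcOnly" and "AppRole" are legitimate patterns.
POLICY_JSON = r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-backups/*"}
  ]
}
'''

# Condition keys that pin an otherwise anonymous principal to a network, VPC,
# account or organisation. (Values are not validated here: aws:SourceIp of
# 0.0.0.0/0 would still slip through and deserves its own check.)
SCOPING_KEYS = {"aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp",
                "aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn"}


def _as_list(value):
    """Policy JSON allows a string or a list in most places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def condition_scopes_access(condition) -> bool:
    """True if any condition operator references a key that narrows who can call."""
    if not condition:
        return False
    return any(key in SCOPING_KEYS for keys in condition.values() for key in keys)


def find_public_grants(policy: dict) -> list:
    """Return (Sid, sorted actions) for every statement granting anonymous access."""
    findings = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(statement.get("Principal")):
            continue
        if condition_scopes_access(statement.get("Condition")):
            continue
        findings.append((statement.get("Sid", "<no sid>"), sorted(_as_list(statement.get("Action")))))
    return findings


def audit_example() -> list:
    """Run the check against the constructed policy above."""
    return find_public_grants(json.loads(POLICY_JSON))


if __name__ == "__main__":
    for sid, actions in audit_example():
        print(f"PUBLIC: statement {sid} grants {', '.join(actions)} to anyone")
```

The same shape of check applies to other providers' resource policies; the principle is that an anonymous principal is only acceptable when a condition restricts the network or identity it can be used from, and for most buckets it is not acceptable at all, which is what account-level "block public access" settings enforce.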
Leaving vulnerable ports and services open to the Internet
Open ports exposed to the internet are among the most common findings in vulnerability assessments. Attackers run internet-wide scans to find listening services (remote desktop, SMB, databases, management interfaces) and target whatever they find. Reduce the exposure by closing anything that does not need to be reachable from the internet, binding services to internal interfaces where possible, and placing remote access behind a VPN with MFA. Cloud-hosted machines are not immune, especially when remote access ports are opened in a security group 'temporarily' and never closed, so the same discipline applies there. Segment your network and place a demilitarised zone (DMZ) between internet-facing services and the internal network, with firewalls between the layers, so that an attacker who compromises one exposed service cannot move freely to the rest of your systems and data. Test the perimeter regularly with a penetration test, at least once a year and after any significant configuration change.
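The following is an added example, not from the advisory, of a host-side check that finds the exposures described above before an attacker's scanner does: it parses the output of the Linux `ss -tlnp` command and flags listeners bound to all interfaces on ports that should never face the internet. The sample output and process names are constructed; the port list is illustrative rather than exhaustive.

```python
import re

# Constructed `ss -tlnp` output (not captured from a real host).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=1203,fd=6))
LISTEN 0      4096   *:3389              *:*               users:(("xrdp",pid=900,fd=11))
LISTEN 0      128    [::]:445            [::]:*            users:(("smbd",pid=1402,fd=34))
LISTEN 0      128    [::1]:5432          [::]:*            users:(("postgres",pid=1510,fd=5))
LISTEN 0      4096   0.0.0.0:9200        0.0.0.0:*         users:(("java",pid=1677,fd=210))
"""

# Wildcard binds: the socket accepts connections on every interface.
WILDCARD_BINDS = {"0.0.0.0", "*", "[::]", "::"}

# Services that should be reachable only internally or via VPN. Illustrative list.
RISKY_PORTS = {
    21: "ftp", 23: "telnet", 135: "msrpc", 139: "netbios", 445: "smb",
    1433: "mssql", 2375: "docker-api", 3306: "mysql", 3389: "rdp",
    5432: "postgres", 5900: "vnc", 6379: "redis", 9200: "elasticsearch",
    27017: "mongodb",
}


def parse_ss(output: str) -> list:
    """Turn `ss -tlnp` lines into dicts of bind address, port and process name."""
    listeners = []
    for line in output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 5:
            continue
        addr, port = cols[3].rsplit(":", 1)  # rsplit keeps IPv6 "[::]" intact
        process = None
        if len(cols) > 5:
            match = re.search(r'\("([^"]+)"', cols[5])
            process = match.group(1) if match else None
        listeners.append({"addr": addr, "port": int(port), "process": process})
    return listeners


def exposed_services(output: str) -> list:
    """Risky services listening on all interfaces, in the order they appear."""
    findings = []
    for sock in parse_ss(output):
        if sock["addr"] in WILDCARD_BINDS and sock["port"] in RISKY_PORTS:
            findings.append(
                f"{RISKY_PORTS[sock['port']]} ({sock['process']}) "
                f"listening on {sock['addr']}:{sock['port']}"
            )
    return findings


if __name__ == "__main__":
    # On a real host: import subprocess; output = subprocess.run(
    #     ["ss", "-tlnp"], capture_output=True, text=True).stdout
    for finding in exposed_services(SS_OUTPUT):
        print("EXPOSED:", finding)
```

A wildcard bind is only reachable from the internet if the host firewall and any upstream security group let the traffic through, so treat these findings as candidates to confirm with an external scan from outside your network; conversely, a loopback bind such as the redis and postgres listeners above is safe from remote connection regardless of firewall state. Port 22 is deliberately not on the list, since SSH with key-only authentication behind a firewall allow-list is an accepted pattern, but it should still be restricted wherever possible.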
Poor endpoint detection and response systems
Endpoint detection and response (EDR) tools, the successors to traditional anti-virus, are essential for detecting and blocking malware and other malicious activity on your devices. Where anti-virus matched known signatures, modern endpoint protection also watches for suspicious behaviour and typically adds vulnerability scanning, system hardening and web browser protections. Review the alerts and logs these tools produce regularly: if nobody looks at the reports, you are not getting the value of protections you have already paid for. Forward logs to a separate, centralised store so that a record of events survives even if the endpoint itself is compromised, and so that incidents can be reconstructed afterwards. Security information and event management (SIEM) systems serve this purpose, and the log store needs additional protection of its own, such as restricted access and append-only or tamper-evident storage, so that attackers cannot alter or delete entries to hide their activity and frustrate an investigation.
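To illustrate the tamper-evident storage mentioned above, here is an added example that is not part of the advisory: a hash-chained log store in which each record's authentication tag covers both the record and the previous tag, keyed with a secret held only by the collector. Editing or removing any record in the middle of the chain breaks every tag after it. The events and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed endpoint events, as a collector might receive them.
SAMPLE_EVENTS = [
    {"ts": "2022-05-20T08:01:12Z", "host": "ws-042", "event": "logon", "user": "alice", "result": "success"},
    {"ts": "2022-05-20T08:04:55Z", "host": "ws-042", "event": "logon", "user": "svc-backup", "src": "203.0.113.45", "result": "success"},
    {"ts": "2022-05-20T08:05:03Z", "host": "ws-042", "event": "process", "image": "C:\\Windows\\Temp\\up.exe", "user": "svc-backup"},
]

COLLECTOR_KEY = b"constructed-secret-held-only-by-the-collector"


class LogChain:
    """Append-only, tamper-evident log as a SIEM collector might keep it.

    tag_i = HMAC(key, tag_{i-1} || record_i). An intruder on the endpoint does
    not hold the key, so they cannot rewrite a record and recompute the chain.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.records = []  # list of (event_json, tag_hex)

    def _tag(self, prev_tag: str, event_json: str) -> str:
        data = (prev_tag + "\n" + event_json).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def append(self, event: dict) -> str:
        event_json = json.dumps(event, sort_keys=True)
        prev = self.records[-1][1] if self.records else "genesis"
        tag = self._tag(prev, event_json)
        self.records.append((event_json, tag))
        return tag

    def verify(self) -> int:
        """-1 if the whole chain is intact, else the index of the first record
        whose tag no longer matches (everything from there on is suspect)."""
        prev = "genesis"
        for index, (event_json, tag) in enumerate(self.records):
            if not hmac.compare_digest(self._tag(prev, event_json), tag):
                return index
            prev = tag
        return -1


def tamper_demo() -> dict:
    """Build a chain, then show what an attacker's edit and deletion look like."""
    chain = LogChain(COLLECTOR_KEY)
    for event in SAMPLE_EVENTS:
        chain.append(event)
    intact = chain.verify()

    # Attacker rewrites the record that names their account.
    edited = LogChain(COLLECTOR_KEY)
    edited.records = list(chain.records)
    event_json, tag = edited.records[1]
    edited.records[1] = (event_json.replace('"svc-backup"', '"alice"'), tag)

    # Attacker deletes that record outright.
    deleted = LogChain(COLLECTOR_KEY)
    deleted.records = [r for i, r in enumerate(chain.records) if i != 1]

    return {"intact": intact, "edited": edited.verify(), "deleted": deleted.verify()}


if __name__ == "__main__":
    print(tamper_demo())
```

One chain cannot detect truncation of its newest records, so the collector should also checkpoint the latest tag and record count somewhere the endpoint cannot write to, and the endpoint should ship events promptly rather than batching them, so the window in which an intruder can delete unsent logs is as small as possible.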
Failing to detect and block phishing attempts
Email filtering can block many malicious attachments and links before users ever see them, but attackers constantly rotate lures, sending domains and malware variants, so filters will never catch everything. One of the best defences is training users to recognise and report phishing, for example by treating unexpected attachments and urgent requests with suspicion, combined with a reporting route that is quick and easy to use. Limit the impact of a successful phish by ensuring users cannot change system configuration, requiring administrator rights to install software, and using application control so that an attachment that turns out to be an executable cannot simply run. NCSC recommends a multi-layered approach to phishing defence, including anti-spoofing controls (SPF, DKIM and DMARC) that make it much harder for attackers to send mail that appears to come from your own domain.
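As an added example that is not part of the advisory, the script below assesses the anti-spoofing controls just mentioned by parsing a domain's SPF and DMARC TXT records and reporting the weak settings that let spoofed mail through: a missing record, a permissive or neutral `all` mechanism, too many DNS lookups, a monitor-only DMARC policy or no reporting address. The records and domain are constructed; a weak configuration is shown beside a hardened one.

```python
# Constructed DNS TXT records for a hypothetical domain (not real DNS data).
WEAK = {
    "example.com": ["v=spf1 include:_spf.mail.example ip4:203.0.113.0/24 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
}
HARDENED = {
    "example.com": ["v=spf1 include:_spf.mail.example ip4:203.0.113.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"],
}

# SPF mechanisms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_record(txts) -> str:
    """Return the domain's SPF record, or None if there is none."""
    for txt in txts:
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def dmarc_tags(txts) -> dict:
    """Parse 'v=DMARC1; p=...; rua=...' into a lowercase-keyed dict, or None."""
    for txt in txts:
        if txt.replace(" ", "").upper().startswith("V=DMARC1"):
            tags = {}
            for part in txt.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def _mechanism(term: str) -> str:
    """'include:_spf.x' -> 'include', '-all' -> 'all', 'ip4:1.2.3.0/24' -> 'ip4'."""
    return term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()


def assess_antispoofing(records: dict, domain: str) -> list:
    """Return human-readable findings; an empty list means nothing weak was found."""
    findings = []
    spf = spf_record(records.get(domain, []))
    if spf is None:
        findings.append("no SPF record: any host can claim to send mail for the domain")
    else:
        terms = spf.split()[1:]
        last = terms[-1] if terms else ""
        if last in ("all", "+all"):
            findings.append("SPF ends with +all: every sender on the internet is authorised")
        elif last == "?all":
            findings.append("SPF ends with ?all (neutral): receivers treat it as no policy")
        elif last == "~all":
            findings.append("SPF ends with ~all (softfail): enforcement depends on DMARC")
        lookups = sum(1 for t in terms if _mechanism(t) in LOOKUP_MECHANISMS)
        if lookups > 10:
            findings.append(f"SPF needs {lookups} DNS lookups, over the limit of 10 (permerror)")

    dmarc = dmarc_tags(records.get("_dmarc." + domain, []))
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM failures are never acted on")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitor only, spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail lands in spam rather than being rejected")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address: no aggregate reports to learn from")
        pct = int(dmarc.get("pct", "100"))
        if pct < 100 and policy != "none":
            findings.append(f"DMARC pct={pct}: policy applies to only {pct}% of failing mail")
    return findings


if __name__ == "__main__":
    # Against live DNS, fetch the TXT records with a resolver library and pass them in.
    for name, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, assess_antispoofing(records, "example.com") or ["ok"])
```

DKIM is not checked here because its selectors are not discoverable from the domain alone; confirm it separately by inspecting the `DKIM-Signature` headers of mail your systems actually send. Moving from `p=none` to `p=reject` should be done after reviewing aggregate reports, so that legitimate third-party senders are authorised before enforcement begins.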
The full joint cybersecurity advisory can be read on the CISA website.