
October 24, 2023 20 mins

Matt, Chris, and Izar discuss the recently published "NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations." They review each point and critically analyze the document's content, pointing out areas where the terminology might be misleading or where the emphasis should be shifted. As they work through the top ten list, several trends and larger conversations emerge from the individual points.

The trio delves into the nuances of system configurations, emphasizing the risks associated with default settings that expose insecure protocols. Systems should not provide options that are inherently insecure! They also touch upon the challenges of network segmentation in the era of software-defined networking and the implications of poor patch management. They highlight the importance of understanding the difference between configuration problems and design flaws, particularly in password management and storage.

The discussion provides insights into the complexities of cybersecurity and the challenges of ensuring that systems are both user-friendly and secure. The dynamic exchange underscores the importance of continuous learning and adaptation in the ever-evolving field of cybersecurity.

Helpful Links:

NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
     https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a


FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Chris Romeo (00:10):
Hey folks, welcome to another episode of the Security Table. This is an abridged episode because we're going to talk really fast about something and have kind of a shorter episode here. Joined by Izar and Matt and myself, Chris Romeo, we're always around the Security Table and we're going to jump right in. So I am looking at this NSA and CISA red and blue team share top

(00:32):
10 cybersecurity misconfigurations. Let's pick up with number one and get into it. So default configurations of software and applications. Do we, are we in favor of these or are we against?

Matt Coles (00:47):
Well, so,

Izar Tarandach (00:47):
If you don't configure it right, then it's a misconfiguration, then, uh, yeah, I guess it's pretty much on the top ten.

Matt Coles (00:53):
Well, but I mean, this is, if we have, if we talk about a default configuration, this is making an assumption that the default is bad and therefore, but, but you could say the same thing about everything on this list. If this is your default,

Izar Tarandach (01:06):
Oh, no, no, no, no, wait, wait, they go to default credentials, meaning basically the misconfiguration here is that you are not changing the default passwords, which we know that absolutely nobody ever does, everybody immediately goes and puts a safe, good password instead of the default.

Chris Romeo (01:24):
I mean, that's why with default credentials, you don't let people, you don't give them the choice. There is no default credential. You don't have one. You have them set a password when they're configuring the device or whatever. I wasn't going to name any names. It was supposed to be without

Izar Tarandach (01:39):
I didn't, I just had a thing

Chris Romeo (01:41):
yeah, you have a little sneeze

Matt Coles (01:43):
so on this list, there is no default. I mean, unless you're talking about, about credential hygiene or not, there is no default credentials explicitly on this list.

Izar Tarandach (01:53):
yeah,

Matt Coles (01:54):
But number one is a summary line. It doesn't really need to be its own number, because they have put 11 on this list. If your default configuration is insecure, of course it's going to be number one.

Chris Romeo (02:08):
Yeah.

Matt Coles (02:08):
but all of these other things are also,

Chris Romeo (02:11):
missing. They're, they're mixing default credentials here with poor credential hygiene at number nine. So it doesn't make sense. Why are these not combined? Why would you have two separate things here?

Matt Coles (02:20):
well, so poor credential hygiene could be two things. misconfiguration of your password policies. Or it could be lack of your runtime behaviors around looking at compromised credentials. So in one case it's a configuration, in the other case it's not a configuration. So it's kind of a misleading item on this list.

Chris Romeo (02:39):
Okay.

Izar Tarandach (02:40):
one, one is what one is having the, the, the fact that you shouldn't be able to keep the default past setup. And the second one is you really should choose a good password and you should store it right.

Chris Romeo (02:56):
how about

Izar Tarandach (02:57):
the thing that, just before we go there, the thing that I have a problem with here is that we start with default configurations, which is a big thing, and then we funnel into credentials and permissions, which is a very, very, a much smaller subset than default configurations.

Chris Romeo (03:13):
yeah. Yeah, they talk about service level permissions as well. But look at two. I think we're gonna love two. It's basically the E in STRIDE.

Izar Tarandach (03:21):
I do, I do, but uh, I don't think it's a misconfiguration. I think it's usually more of a design thing

Chris Romeo (03:27):
Ooh, good point. Let's unpack that a little bit. So why, why is this a design problem and not a misconfiguration?

Izar Tarandach (03:35):
because it, it Putting, putting it, I, I think that lumping it together as a misconfiguration under this title basically means you are, you are using accounts that have way too much, too, way too much privileges than they should. Right. Which is not exactly a problem of a problem of separation.

(03:58):
It's a problem of the way that you design your system and you are giving one, one account the ability of being everything, rather than saying we have this set of accounts that's admin accounts and we have this set of accounts that's user accounts.

Chris Romeo (04:12):
I think we have a context problem. We're looking at this through the lens of AppSec and software and ProdSec people. I just took a closer look. This says top 10 cybersecurity misconfigurations. So they're not specifically talking about design, like designing a web app. They're talking about excessive account privileges and elevated service account permissions that would be part of an operating

(04:34):
Windows network in an enterprise.

Matt Coles (04:36):
Yeah, so let's talk about that

Izar Tarandach (04:38):
Aren't those applications?

Matt Coles (04:39):
Well, so think about number one, think about number one in that context then. Leaving the default configuration is the problem, right? by not changing the configuration to a secure state. If it requires elevating security, and I will just, and this is a lightning round here, but, you know, just think about the, the CISA Secure by Design, Secure by Default guidelines

(05:02):
that came out recently in updated form. Secure by Default means come secure. And you have to weaken security. We talk about loosening guides, but most of the time come products and application applications and software are shipped in a default configuration is insecure and leaving it in that insecure configuration state puts it the

(05:23):
number one on this list. Number two is likewise. Those things often ship with an administrative account. That administrative account may be the only account that's that's installed by default. And people will use it for operations when they shouldn't. They should create, they should create an additional account, non privileged, to be used for, for general purpose or something

(05:45):
that's view only for, for metrics and reporting purposes or, or whatever. And you should be separation of the, the application should enforce separation of duties and users of those applications should reinforce that.

Chris Romeo (05:59):
All right. So let's look at three. I don't get this one. Insufficient

Izar Tarandach (06:03):
four, actually,

Matt Coles (06:05):
What, you don't get this at all? How do you, how do you, you can't measure what you don't know, right? You can't defend what you don't have

Chris Romeo (06:11):
yeah, but isn't everything encrypted in the world we live in now? How is, how can you monitor anything on a network that's not

Izar Tarandach (06:17):
Oh, no, no, no, no, no, no,

Chris Romeo (06:17):
just a bunch of TLS going back

Matt Coles (06:18):
packet inspection,

Izar Tarandach (06:19):
no, no, no, you can,

Matt Coles (06:19):
TLS offloading.

Izar Tarandach (06:21):
you can monitor for, for, uh, streams are not predicted in your threat model. So I know that these two things are expected to talk, but if I see A talking to Z, all of a sudden, oh wait, that's not supposed to happen.

Matt Coles (06:36):
Right. But also with TLS offloading and deep packet inspection, I mean, once you're, yes, we're supposed to be in a world of zero trust, right, where systems are going to be on island unto themselves. But traditionally, you know, there's a network boundary where you may terminate TLS at the network boundary and then everything within it can be deep packet inspected and monitored

(06:57):
for the traffic. And if you don't do that, then you're potentially leaving yourself at risk.

Chris Romeo (07:02):
I mean, can you do that at the speed of an enterprise network though? Can you, I mean, we're talking

Izar Tarandach (07:09):
if you use mirror traffic,

Chris Romeo (07:11):
in a 10 gig connection, you can decrypt all of that TLS traffic

Matt Coles (07:16):
With hardware, with hardware decryption. Yeah, yeah. With hardware decryption. Absolutely.

Izar Tarandach (07:20):
you can.

Chris Romeo (07:22):
Okay. Wow.

Izar Tarandach (07:23):
But the thing

Chris Romeo (07:24):
The world of computing has gotten further.

Izar Tarandach (07:26):
that, the thing that's sort of bothering me here is that we jumped from configuration of actual stuff and how you use stuff to all of a sudden on three and four we are looking at networks.

Chris Romeo (07:41):
And this is designed too. It

Izar Tarandach (07:43):
And many times it's not the same people who do both things. So who's the public for this thing here?

Matt Coles (07:48):
I guess it's misleading. It's misleading because it's not a configuration. It's, it's,

Chris Romeo (07:53):
It is. It is a configuration. Be when, because you could, I mean, whenever, whenever you de, whenever you de you designed, when you go to implement it, it is, you are configuring your network monitoring tools in an insufficient way.

Izar Tarandach (08:07):
Well, you configure it because it has to be configured to be, to be of use, but it's not a configuration problem of the environment or the system or the whatever. Fair.

Matt Coles (08:17):
We're nit-picking on words at this point.

Chris Romeo (08:19):
Yeah, let's, let's keep, but to your earlier point about design, there is a design element to, if you properly design your network monitoring, you don't have insufficient network monitoring. And so

Matt Coles (08:31):
And by the way, and by the way, for four, with software defined networking, this is absolutely a configuration issue,

Chris Romeo (08:37):
and four, just for the record, is lack of network segmentation.

Matt Coles (08:41):
right? So having

Izar Tarandach (08:42):
could be architecture.

Matt Coles (08:44):
it is, it is an architecture and it may

Izar Tarandach (08:47):
architecture now is configuration.

Matt Coles (08:51):
oh, we could have an episode alone on that one.

Izar Tarandach (08:53):
I dare you. I dare you to go to an architect and say What you do is configuration. I dare you,

Chris Romeo (08:59):
Yeah, you're, you're change management now, friend. That's what you do. It's

Matt Coles (09:03):
Wait, isn't that, isn't that Dev, isn't that DevOps? Isn't that what DevOps and DevSecOps is all about?

Chris Romeo (09:08):
What?

Izar Tarandach (09:09):
And he just said the quiet part loud.

Chris Romeo (09:13):
Well, there's another dollar in the swear jar from. from Matt Coles,

Matt Coles (09:17):
at least I didn't say pane of glass.

Chris Romeo (09:20):
or ShiftLeft, or any of my other,

Matt Coles (09:22):
Single pane

Chris Romeo (09:23):
of the other words that cause pain.

Matt Coles (09:26):
right. So poor patch management. Number five, not a configuration per se, unless it's automatic updates we're talking about.

Chris Romeo (09:34):
Oh, I see what you're saying.

Izar Tarandach (09:35):
oh, oh, speaking of the word jar, so, is this one talking about SBOMs? Is it SBOM time?

Chris Romeo (09:44):
Please no. Please stop.

Matt Coles (09:48):
Please

Izar Tarandach (09:52):
already? Wait, do we have insufficient DAST anywhere?

Chris Romeo (09:56):
Oh man, this is... Okay, so poor patch management, lack of regular patching, use of unsupported operating systems. To your point, this isn't a configuration unless it's an automated thing. This is just a point, this isn't the top 10 misconfigurations, it's the top 10 problems

Izar Tarandach (10:13):
Yeah, true,

Chris Romeo (10:15):
It's a la so the, the, the misconfiguration would be a lack of automated patch management. Cause that's something you could change. You could turn it on or turn it off. Alright, good. Six, bypass of system access controls. Wait a minute.

Matt Coles (10:28):
I'm not entirely sure this is a configuration issue. This is a, this is an active attack kind of thing,

Izar Tarandach (10:32):
yeah, I would say that having system access controls is the configuration or misconfiguration,

Chris Romeo (10:39):
look at the first sentence there. That's a threat. The first sentence is a threat. A malicious actor can bypass system access controls by compromising alternate authentication methods in an environment. I

Matt Coles (10:48):
okay, so there's the config, there's the configuration problem, right? If you, if, and it goes back to number one, if you have a default, if the system's default configuration exposes insecure protocols and you leave them open, you're at risk to this threat. Right? Number two, the second sentence here, if a malicious actor can collect hashes. Well, how do they collect hashes? You've left Lanman in your, in your system, right?

(11:10):
Or NTLM or whatever.

Chris Romeo (11:11):
And that you're saying that's the lack, that's the configuration problem or the

Matt Coles (11:14):
a configuration problem, right? So you've missed configuration. You've left insecure protocols in place.

Izar Tarandach (11:20):
the whole item is just listing ways of bypassing authentication.

Matt Coles (11:25):
Yeah, but they, they should, they should have taken the, the statements and turned 'em around in, in terms of, as a systems, as a system designer and a system deployer don't leave insecure configurations because they'll allow malicious actors to do X, Y, Z. That's how it probably should have been stated. That's, I think, what they intended to say. But, but what they did was they, they took the attack first and

(11:46):
not the, not the cause.

Chris Romeo (11:47):
Yeah. So then seven, weaker misconfigured MFA methods.

Matt Coles (11:54):
Oh.

Chris Romeo (11:55):
But listen where they start here. Misconfigured smart cards or tokens. Generally government or DoD networks. So not really that applicable to the average enterprise. Like we don't use smart cards anywhere. At least I don't know anyone who uses smart cards.

Matt Coles (12:10):
Uh, some companies, well yeah, okay, maybe primarily in government or DoD, but I, you know, have high security environments that do use this, use smart cards. It's not unheard of, and people use YubiKeys and other FIDO tokens all the time.

Chris Romeo (12:24):
I mean, that's not a smart card though, right? A YubiKey,

Matt Coles (12:27):
It's a token.

Chris Romeo (12:28):
they're talking

Izar Tarandach (12:28):
a token, it's a...

Chris Romeo (12:29):
They're talking about CAC cards here from,

Matt Coles (12:31):
They are. CAC and PIV, right,

Izar Tarandach (12:33):
are talking about tokens as well, so you could think about FIDO and all that

Matt Coles (12:37):
So if you have a, if you have a, a Google Titan, or if you have a, uh, uh, a YubiKey, right? Those are, those are access tokens. Those are tokens that are in scope here. What's interesting though, is they don't start with not having MFA in the first place. They start with the assumption that you have MFA and it's insecurely configured, not, you don't have MFA.

Chris Romeo (12:58):
Well, that

Matt Coles (12:59):
one.

Chris Romeo (12:59):
Not having MFA, to our earlier discussion would not be a misconfiguration.

Izar Tarandach (13:02):
Exactly, yeah,

Chris Romeo (13:03):
be a design problem. So they, they kind of followed the

Matt Coles (13:05):
unless it was a configuration option that you could enable MFA that you didn't.

Chris Romeo (13:09):
I see.

Izar Tarandach (13:10):
are assuming that you have it, but it's misconfigured.

Matt Coles (13:12):
That's

Chris Romeo (13:13):
All right. Now eight, we go back to network.

Izar Tarandach (13:15):
No, no, wait, wait, wait, but before we go there, then they jump to lack of phishing resistant MFA.

Matt Coles (13:20):
Which is a configuration problem again.

Izar Tarandach (13:23):
is the configuration or is design of the MFA, perhaps the MFA solution is not good enough.

Matt Coles (13:28):
That's true if you have one to choose from, but if you have multiples to choose from, and you don't enable, again, the strongest one available,

Izar Tarandach (13:37):
Oh, oh, no, sorry. On, on upon reading. They seem to be addressing, uh, MFA over SMS because they say that exploitation of Signaling System 7 protocol vulnerabilities and SIM swap techniques is the problem.

Matt Coles (13:51):
right,

Chris Romeo (13:52):
So we agree with that. I mean, we agree

Matt Coles (13:54):
if you have the option, if you have an option of using one that

Izar Tarandach (13:56):
not a misconfiguration,

Matt Coles (13:58):
unless it's an option,

Chris Romeo (14:00):
Which a lot of times it is an option. A lot of times it is an option these days between push

Izar Tarandach (14:05):
But again, wait.

Chris Romeo (14:06):
and text based,

Izar Tarandach (14:09):
If you have a choice between A or B, is that a misconfiguration if you choose the weaker of them? Or is it a bad design choice?

Chris Romeo (14:21):
SMS based, or secure by default. So

Matt Coles (14:23):
it's a bad default. It's a bad default, which means it's a design. It's a configuration choice and it's a bad design in that you're giving a poor choice.

Chris Romeo (14:34):
Yeah,

Matt Coles (14:35):
It's.

Izar Tarandach (14:35):
OK, you convinced me.

Chris Romeo (14:37):
all right, 8. Insufficient ACLs on network shares and services. So now we're back to the network again.

Matt Coles (14:42):
Yeah, this is a configuration problem that most definitely you've set the wrong ACLs.

Chris Romeo (14:46):
we're just we're just we're saying this is a misconfig and we're moving on.

Matt Coles (14:50):
Yep.

Chris Romeo (14:51):
All right, 9 says poor credential hygiene.

Izar Tarandach (14:56):
that's basically bad configuration of human persons because,

Matt Coles (15:02):
Well, this is, this is password. If you're using passwords and you're not using MFA or if you're using MFA with passwords and you have crackable passwords, that means you've set a weak password policy. Right? You haven't used 20 characters with symbols, alphanumeric and spaces.

Izar Tarandach (15:17):
Wait, wait, wait, we know that those policies are not all that they are hyped up to be, right?

Chris Romeo (15:23):
Yeah, I'm, I

Matt Coles (15:23):
But if you enforce a strong password policy...

Chris Romeo (15:25):
Mean, what is the new, it's NIST 800-63, right? 800-63 redefines password policies as, as what they should be in a proper

Matt Coles (15:35):
Long, easy to remember, but hard to guess passphrases that don't change frequently.

Chris Romeo (15:39):
Not changeable, unless there's been a breach, you don't have to change them.

Izar Tarandach (15:41):
And here they say that it's, if it's shorter than 15 characters, then it's bad.

Matt Coles (15:47):
And clear text password disclosure. We talked about this earlier with use of insecure protocols that expose credentials on the wire. Right? But what, what's, I guess that's, that's the, that's the choosing of a bad credential that can be easily guessed or reusing credentials and exposing it through insecure

(16:09):
configurations. That's ultimately what it's getting to.

Izar Tarandach (16:13):
But again, is this a configuration thing? I mean, the only configuration that I can think of in here is the size of the password, or the choice of hashing

Chris Romeo (16:22):
yeah,

Izar Tarandach (16:23):
method

Chris Romeo (16:24):
there's, there's so much more they could have done. Like even just referencing 800-63 is. The current standard of what I think of as the best practice. Um, I don't, I don't think, I mean, if somebody is in this day and age, if they're allowing short passwords and non complex passwords, then, shame on them...

Matt Coles (16:46):
And then, and then they're, and then they talk about password stealth held in clear text. So this is not a configuration issue, right? This is not

Izar Tarandach (16:52):
configuration.

Chris Romeo (16:53):
That's a design problem. They,

Izar Tarandach (16:54):
I don't know any system that says would you like to store your passwords in clear text. Oh, okay, I'm going to configure it this way. Yay! Let's hope for the good things.

Chris Romeo (17:03):
All right, we got to pick up 10 here. Unrestricted code execution. So there's a, there's a condition at the top though. If unverified programs are allowed to execute on hosts, a threat actor, Oh, it sounds like a threat, can run arbitrary malicious payloads within a network.

Matt Coles (17:17):
Yeah. In my opinion, I don't know how you can say that this is a configuration issue unless you're running EDR,

Chris Romeo (17:23):
Well, can you, can you somehow force, like on Windows, can you, is there a configuration setting to only run things that are trusted binaries?

Izar Tarandach (17:33):
you, you need stuff on top of it.

Matt Coles (17:36):
No, but you can't, you can have Windows fail to run without prompting for UAC. You could, right, or whatever it's called now.

Chris Romeo (17:43):
Yeah, they had a what, because it was their safe list. Didn't they build a safe list feature years ago for

Matt Coles (17:48):
If it's not digitally signed, if it's not digitally signed, you can,

Izar Tarandach (17:51):
and the certificate is good,

Matt Coles (17:53):
can do, you can do group policies to prevent this.

Izar Tarandach (17:56):
but unless it is a very, and I could be wrong here because I'm not a Windows person, but unless it's a very limited account. You can just click on run it anyway.

Matt Coles (18:06):
Oh yeah, if you're, if you're running as admin, so you're running with elevated privileges, that goes back to the running with elevated privileges discussion,

Chris Romeo (18:12):
Enterprise application environment, not everybody has admin, right? And so, and I think that's where they're going. Now, I don't know why you would turn off those protections in a Windows environment. Why would you turn off all of these things about safe listing applications based on signatures of binaries and things like

Izar Tarandach (18:32):
Because Joe from accounting absolutely needs to be able to run that flash thing that he has from 95. So they have to lower the barriers and give him more

Chris Romeo (18:46):
I guess. Not in my world. Not in my network. I won't allow it. So, all right. Well, that was a fun little quick pass through the NSA, CISA, Red and Blue teams share top 10 cybersecurity misconfigurations. I think we kind of had some fun going through there and pointing

(19:06):
out some things. Izar's got the

Izar Tarandach (19:09):
it has to be said, it has to be said that we value the effort. We like that it came out and, uh, we just think that it could be a bit more, I don't know, focused, defined,

Chris Romeo (19:24):
Could be tuned up a little bit to truly make it so that it's clear how everything is a misconfiguration.

Izar Tarandach (19:31):
right. And the mitigations have good stuff. There's a lot to learn in there as well and they have good references. So I think that all in all, 3 out of 5 for the effort.

Chris Romeo (19:43):
yeah, yeah. And it's, you know, they're, they're moving, they're moving the industry forward. It may not be perfect. Nobody's ever going to be perfect and that's okay. Cause there is no perfect security. Um, there is only reasonable security and some of this is reasonable and we'll leave it with that. Thanks folks.