The agency discusses the most popular ways hackers use to break into victims’ networks and gives advice on how to reduce the risk.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a press advisory stating that cybercriminals have taken advantage of users’ “poor security configurations, weak controls and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system.” As part of the statement, the agency also reviews the 10 most common ways hackers break into networks and the methods companies can use to help mitigate the risk of potential attacks.
10 Most Common Cyber Attack Vectors
According to CISA’s findings, the following approaches are most commonly used by hackers to gain access to a user’s or organization’s networks and/or systems:
- Multi-factor authentication (MFA) is not enforced
- Incorrectly applied privileges or permissions and errors in access control lists
- The software is not up to date
- Using vendor-provided default configurations or default login usernames and passwords
- Remote Services lacking sufficient controls to prevent unauthorized access
- Strong password policies are not implemented
- Cloud services are not protected
- Open ports and misconfigured services exposed to the internet
- Failure to detect or block phishing attempts
- Poor endpoint detection and response
“As lists go, this one is very good and lists the most common reasons why organizations fall victim to cyberattacks,” said Chris Clements, vice president of solutions architecture at Cerberus Sentinel. “By following CISA’s recommendations, organizations can significantly improve their security posture and resilience to cyberattacks. That said, many of these elements can be difficult to implement, especially in organizations that don’t already have a strong cybersecurity culture. It’s also difficult for an organization without an existing culture to know where to start.”
As seen with many of these attack vectors, most are due to user or organizational error. In order to best prevent cybercriminals from gaining access to the system or network in question, it is recommended that the user or organization managing the device always follow best practices for protection against potential cyberattacks.
Roger Grimes, data-driven defense evangelist at KnowBe4, has a different take on the advisory, noting that CISA does not highlight the areas that users and businesses need to be most aware of.
“Unfortunately, like most of these types of warnings, this doesn’t tell readers one big truth they need to know, and that is that phishing and social engineering are 50% to 90% of the problem,” Grimes said. “Like most warnings, it mentions phishing and social engineering almost in passing. None of the mitigations mention addressing phishing or social engineering attacks, such as better training employees to recognize and defeat phishing attacks. Social engineering is by far the biggest threat, but it’s barely mentioned, so no one reading the document would know that defeating it is the best thing you can do.”
CISA tips for mitigating risk factors
In addition to CISA publishing the top 10 attack vectors for cybercriminals, the agency also included the following suggestions for those who might be targeted by hackers:
- Control access with zero-trust security
- Implement credential hardening by implementing MFA
- Implement centralized log management
- Use anti-virus programs
- Use detection tools and search for vulnerabilities
- Maintain rigorous configuration management programs
- Launch a software and patch management program
Although some of these tips may seem obvious to IT professionals, such as using anti-virus software, detection tools, and updating software with patches, some of these tips may be more difficult to actively put into practice, especially for small businesses. An example raised by Clements is CISA’s insistence on using a zero-trust model. In the notice, the agency does not examine how an organization would go about it from scratch, and only touches on the superficial benefits of doing so.
“The list of mitigations starts with ‘Adopting a zero-trust security model.’ Zero-trust can be an incredibly effective approach to network defense, but can also be a significant undertaking to implement,” said Clements. “This is especially true for organizations with large environments, legacy dependencies, or limited resources for staff or budget. As such, it is essential that every organization adopts a true culture of security to assess its individual risk, what best practices can be implemented quickly and form a short and long term defense strategy. A [security operations center] is a great thing to have, but not all organizations will have the resources to build and staff their own.”
While the advisory goes into quite a bit of detail on how these tips can help an organization avoid being the next victim of a cyberattack, it’s ultimately up to the company and its executives to determine how best to carry out these initiatives.