10.18.23 > Paul Veeneman

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) are two pivotal entities in the U.S. responsible for maintaining the nation’s security and resilience against cyber threats. The NSA is largely tasked with global monitoring, collection, and processing of information and data for foreign intelligence and counterintelligence purposes. On the other hand, CISA defends the nation’s critical infrastructure from both physical and cyber threats, helping to ensure the security, integrity, and resilience of the nation’s critical infrastructure systems and networks. Both agencies collaborate to provide guidance and strategies to protect against evolving cyber threats.

From the perspective of both the NSA and CISA, cybersecurity is an expansive field that requires a proactive and comprehensive approach. It encompasses the protection of the nation’s critical infrastructure systems and networks against cyber threats and vulnerabilities. This includes areas such as identity and access management, vulnerability and patch management, systematic auditing, and monitoring of systems and networks. It also involves the implementation of multifactor authentication, single sign-on systems, and automated detection and response mechanisms. Essentially, cybersecurity is about implementing a layered defense strategy, which includes isolating and segmenting critical assets, and monitoring activity between applications, systems, and the associated network traffic. It’s about ensuring the confidentiality, integrity, and availability of data by fortifying the nation’s cyber infrastructure against both domestic and foreign threats.

The Role of NSA and CISA in Cybersecurity: Remember – It’s Guidance

NSA and CISA contribute significantly to cybersecurity through their guidance and strategies. They provide crucial intelligence, threat detection, and protection to the nation’s critical infrastructure. Both organizations advocate for a comprehensive approach to cybersecurity that includes identity and access management, vulnerability and patch management, and systematic auditing and monitoring of systems and networks.

However, it’s important to note that while NSA and CISA provide strong leadership and guidance in the cybersecurity realm, their influence and authority have limitations in certain industries. For instance, the private sector, which includes companies in industries such as manufacturing, finance, and healthcare, often operates outside the direct regulatory control of NSA and CISA. While these agencies can provide recommendations and best practices, they cannot enforce compliance. Moreover, they rely on voluntary information sharing from these industries to gain a comprehensive view of the threat landscape. Therefore, the effectiveness of these agencies in improving the cybersecurity posture of these sectors depends on the extent of collaboration and cooperation from these industries.

Overview of Cybersecurity Misconfigurations

Cybersecurity misconfigurations represent a typical, albeit avoidable, risk that can have serious consequences. They occur when security settings are set up incorrectly, often leaving systems exposed or poorly protected. These misconfigurations might be as simple as leaving default passwords in place, failing to apply patches in a timely manner, or mismanaging user access permissions. The negative impacts of such oversights can be far-reaching. In the best-case scenario, a misconfiguration might result in a minor disruption to business operations. However, if exploited by a malicious actor, it could lead to data breaches, system downtime, reputation damage, regulatory penalties, or even financial loss. Furthermore, the process of resolving these issues can be costly and time-consuming, particularly if they’re identified late. Thus, proper configuration of security settings is a critical aspect of a robust cybersecurity strategy.

In the real world, we’ve seen a few notable examples of the consequences of security misconfigurations. In 2017, a misconfigured AWS S3 bucket exposed the personal information of nearly 198 million American voters. The data was publicly accessible for days before the error was identified and corrected. The incident highlights how a simple oversight can potentially lead to a massive data leak, compromising the privacy of millions.

Another example is the infamous Equifax data breach in 2017, where hackers exploited a known vulnerability in Apache Struts, a framework used for building Java applications. The company had failed to apply the necessary patch, resulting in a misconfiguration that left their systems exposed. The breach resulted in the theft of personal information of nearly 147 million people, leading to a hefty fine of $575 million and colossal reputation damage. These incidents underscore the importance of diligent vulnerability and patch management as part of a comprehensive cybersecurity strategy.

Top 10 Cybersecurity Misconfigurations According to NSA and CISA

  1. Uncontrolled Cloud Storage: Data stored in the cloud without proper access controls can be easily exploited.
  2. Inadequate Network Segmentation: When networks are not segmented properly, threats can spread more easily.
  3. Unrestricted Admin Privileges: Unnecessary admin privileges can lead to accidental or malicious changes.
  4. Lack of Regular Software Updates: Out-of-date software is an easy target for cyber-attacks.
  5. Weak Password Policies: Simple, common, or unchanged passwords increase vulnerability.
  6. Using Default Configurations: Default settings are well-known, making systems easier to breach.
  7. Unsecured Remote Desktop Protocol (RDP) Connections: If not secured correctly, RDP can provide an easy entry for threats.
  8. Absence of Multi-Factor Authentication (MFA): MFA dramatically improves account security by requiring multiple forms of proof of identity.
  9. Inadequate Log Management: Without proper logging, detecting and investigating attacks becomes difficult.
  10. Lack of Regular Backups: Regular backups are essential to recover from a cyber-attack.

Let’s Drill Down on Two Critical Aspects

Identity and Access Management

Identity and Access Management (IAM) is the cornerstone of cybersecurity, ensuring that the right people have the right access to the right resources at the right time. The recent guidance released by NSA and CISA emphasizes the importance of implementing robust IAM practices. These include multifactor authentication and single sign-on for enhancing security while maintaining user convenience. The guidance also outlines the significance of auditing and monitoring to track user activities, detect potential security threats, and respond swiftly. Furthermore, it calls for prudent management of privileged accounts due to their high-risk nature, advocating for behavioral monitoring of such accounts. Lastly, it stresses the importance of isolation and segmentation of critical assets and stringent monitoring of activity between applications, systems, and the associated network traffic.

According to NSA and CISA guidance, identity and access management is crucial in mitigating cybersecurity misconfigurations. Two of the top 10 misconfigurations directly relate to identity and access management: Unrestricted Admin Privileges and Absence of Multi-Factor Authentication (MFA).

Unrestricted Admin Privileges: This aspect amplifies the potential for damage, as it can lead to accidental or malicious changes that could compromise the security of the entire system. The guidance emphasizes the need to grant admin privileges judiciously and monitor their use closely.

Absence of Multi-Factor Authentication (MFA): This is another significant misconfiguration. MFA greatly enhances account security by requiring multiple forms of proof of identity before granting access. Its absence weakens defenses by relying solely on passwords, which can be breached or guessed. Implementing MFA is a vital step in reducing vulnerability to cyberattacks.

Information Systems and Critical Asset Management

NSA and CISA have also provided insights on the importance of maintaining the integrity of critical assets and information systems. The agencies strongly advocate for rigorous asset management practices to enhance the security of vital information systems. They recommend a detailed inventory of all digital assets, including hardware and software components, to help identify potential vulnerabilities and ensure timely patch management.

Critical assets, due to their significant role in the functioning of a system or organization, require additional protective measures. The guidance highlights the necessity of isolation and segmentation of these assets to mitigate the risk of a broad system compromise in the event of a security breach. Moreover, it calls for the monitoring of all activity between applications, systems, and the associated network traffic to swiftly detect and react to any anomalies, reinforcing the security of critical assets and the entire information system as a whole.

The NSA and CISA guidance underscores the importance of effective Information Systems and Critical Asset Management in mitigating cybersecurity misconfigurations. It highlights that a lack of knowledge about the organization’s network and the absence of an accurate and complete software inventory are among the top 10 misconfigurations that increase vulnerability to cyber-attacks. Information Systems management includes having an accurate inventory of software, as well as ensuring all software is up-to-date with patches. Critical Asset Management, on the other hand, involves knowing and managing all network-connected devices, especially those housing sensitive information. In the absence of such management, it is impossible to fully secure assets, as unknown or unmanaged assets can easily become entry points for cyber threats.

The Gaps Between “Guidance” & Your Organization’s Specific Needs

The NSA and CISA guidance on Identity and Access Management, MFA, and SSO offers valuable insights and recommendations for organizations looking to strengthen their security practices and mitigate cyber risks and threats. In today’s ever-evolving digital landscape, the importance of cybersecurity standards and guidance from CISA and NSA, as well as guidance from other national and international entities, such as ISO 27001, ISA/IEC 62443, SOC2 and NIST, cannot be overstated. However, it is crucial to recognize that these frameworks alone are not a panacea for ensuring resilience against cyber threats and risk.

International standards such as ISO 27001 and ISA/IEC 62443 play a crucial role in ensuring the security of information systems and operational technology for organizations, entities, and the larger scope of critical infrastructure. SOC2 process attestation, on the other hand, is a reporting framework developed by the American Institute of Certified Public Accountants (AICPA) that assesses the effectiveness of an organization’s controls related to security, availability, processing integrity, confidentiality, and privacy. Lastly, NIST cybersecurity guidance for government and nonfederal organizations provides a comprehensive framework for managing and mitigating cybersecurity risks, offering guidelines and best practices that can be adopted to enhance resilience and security posture.

Leaders, stakeholders, and decision-makers must take an active role in “filling in the gaps” specific to their organizations and the unique risks they face. While CISA and NSA directives and national and international standards provide a foundation, it is the responsibility of these individuals to adapt and implement the necessary measures to safeguard critical data and assets effectively. By combining the guidance offered by these agencies and standards bodies with a proactive and tailored approach, organizations can create a comprehensive security strategy that aligns with their specific needs, mitigates risks, and creates the resilience needed in today’s digital cyber landscape.



PAUL VEENEMAN > Secretary of the Board, MN ISSA

With over 27 years of experience across various industries including Finance, Oil and Gas, Healthcare and Manufacturing, Paul has been actively working within the Nation’s critical infrastructure, addressing challenges and providing guidance, insight, and innovation in Operations Technology, Industrial Controls, IoT, IIoT, and SCADA cyber security knowledge, expertise, and education. Paul currently holds the CISSP, CISM, and CRISC certifications, and serves on several boards, including the local Minnesota chapters of InfraGard, the Information Systems Security Association (ISSA), and the International Society of Automation (ISA).
