Top 5 Weakest Security Configurations and How to Fix Them
By: The Center for Internet Security, Inc. (CIS®) Cyber Threat Intelligence (CTI) team
Published December 30, 2024
In the latter half of 2024, the Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team found multiple high-risk vulnerabilities and insecure configurations through passive scans of customers’ external networks. The most noteworthy of these findings included:
- Vulnerable versions of SonicWall OS
- Running end-of-life products
- Internet-Exposed Remote Desktop Protocol (RDP) and Server Message Block (SMB)
- Exposed databases
- Failure to remediate existing compromise
It is critical to address these issues by keeping your software updated, using secure configurations such as those defined in the CIS Benchmarks™, and engaging services such as the CIS Security Operations Center (SOC), Cyber Incident Response Team (CIRT), and CIS Red Team, as appropriate. In this blog post, we'll analyze these issues with the aim of helping your technical staff harden your organization's configurations.
Note: CIS sent notifications to the individual organizations observed in our data. We encourage you to check your networks, as passive profiling often produces false negatives.
1. Vulnerable Versions of SonicWall OS
On August 23, 2024, SonicWall published an advisory for CVE-2024-40766, an improper access control vulnerability with a CVSS score of 9.8 that impacts SonicWall firewalls. This vulnerability can give cyber threat actors (CTAs) unauthorized resource access and enable them to crash the firewall. CISA observed exploitation of this vulnerability in the wild; additional reporting indicated that Akira ransomware affiliates were exploiting it, often for initial access. Researchers noted that multi-factor authentication (MFA) was disabled in all observed instances of Akira exploiting this vulnerability.
Recommendations
- Keep all software updated to the latest secure version. (See CIS Critical Security Control 4: Secure Configuration of Enterprise Assets and Software.)
- Eligible organizations that provide their external IPs to CIS may receive notifications when we observe potentially vulnerable software on their network. (See CIS Critical Security Control 7: Continuous Vulnerability Management.)
- Receive regular vulnerability scans and penetration tests from a qualified red team, such as the CIS Red Team. (See CIS Critical Security Control 18: Penetration Testing.)
2. Running End-of-Life Products
End-of-life products are products no longer supported and updated by their developers. Any vulnerabilities impacting these products will not be patched. According to a CIS passive vulnerability scan, 91% of the devices running end-of-life products were vulnerable to CVEs, including some vulnerabilities with a CVSS of 10. This score indicates the potential for severe impact, such as unauthenticated remote code execution. What's more, 84% of the vulnerabilities were at least two years old, with many over 15 years old.
Internet-facing devices with major unpatched vulnerabilities don't just create ample opportunity for CTAs to compromise a network. They also increase the potential severity of the attack. Data collected by IBM indicates that the average cost of a breach caused by unpatched software between March 2023 and February 2024 was $4.33 million.
Recommendations
- Implement secure configurations, such as those set forth in the CIS Benchmarks. (See CIS Critical Security Control 4: Secure Configuration of Enterprise Assets and Software.)
- Keep all software updated to the latest secure version. (See CIS Critical Security Control 4: Secure Configuration of Enterprise Assets and Software.)
- Eligible organizations that provide their external IPs to CIS may receive notifications when we observe potentially vulnerable software on their network. (See CIS Critical Security Control 7: Continuous Vulnerability Management.)
- Receive regular vulnerability scans and penetration tests from a qualified red team, such as the CIS Red Team. (See CIS Critical Security Control 18: Penetration Testing.)
- Maintain an inventory of all assets. (See CIS Critical Security Control 2: Inventory and Control of Software Assets.)
3. Internet-Exposed RDP and SMB
Remote Desktop Protocol (RDP) and Server Message Block (SMB) exposed on the internet present a great risk to enterprise security and an opportunity for CTAs. RDP allows smooth, seamless, and widely available remote access and offers an appealing target for CTAs, with reports indicating that RDP traffic comprises 37% of all threat actor traffic. Meanwhile, CTAs commonly target SMB for similar reasons and often leverage malicious SMB access for lateral movement and file transfer.
CIS’s passive vulnerability scan discovered devices across customer networks that allowed RDP and SMB connections from the internet. These could easily lead to compromise through exploitation of vulnerabilities or credential attacks. Furthermore, some of these devices enabled anonymous access to SMB, which could expose the customer without additional exploitation by a CTA.
Recommendations
- Do not allow access to SMB and RDP over the open internet. (See CIS Critical Security Control 12: Network Infrastructure Management.)
- Require remote users to access SMB and RDP over a Virtual Private Network (VPN).
- Mandate Multi-Factor Authentication (MFA) for SMB and RDP. (See CIS Critical Security Control 14: Security Awareness and Skills Training.)
- Keep SMB and RDP updated to the latest secure version. (See CIS Critical Security Control 4: Secure Configuration of Enterprise Assets and Software.)
- Eligible organizations that provide their external email domains to CIS can be enrolled in our Breached Credential Service and receive notifications when CIS observes credentials associated with their organization in breaches. (See CIS Critical Security Control 5: Account Management.)
- Use secure configurations, such as those defined in the CIS Benchmarks. (See CIS Critical Security Control 4: Secure Configuration of Enterprise Assets and Software.)
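As an added example (not part of the CIS post), the following PowerShell audits a Windows host's own firewall for enabled inbound allow rules on the RDP (3389) and SMB (445) ports that are not scoped to a remote address, and then scopes them to a VPN address range as the recommendations above describe. The VPN subnet 10.8.0.0/24 is an assumed placeholder; a host-side check like this complements, but does not replace, an external scan of what is actually reachable from the internet.

```powershell
# Added example: find inbound RDP/SMB allow rules open to any remote address,
# then restrict them to an assumed VPN subnet. Run in an elevated session.
$watchPorts = @('3389', '445')
$vpnSubnet  = '10.8.0.0/24'   # placeholder; replace with your VPN address pool

function Find-UnscopedRemoteAccessRules {
    $findings = @()
    $rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow
    foreach ($rule in $rules) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        # LocalPort may be 'Any', a single port, or an array of ports/ranges
        $ports = @($portFilter.LocalPort)
        if (-not ($ports | Where-Object { $watchPorts -contains $_ })) { continue }
        $addr = $rule | Get-NetFirewallAddressFilter
        # RemoteAddress 'Any' means the rule admits every source, including the
        # internet if the host is reachable there.
        if ($addr.RemoteAddress -eq 'Any') {
            $findings += [pscustomobject]@{
                Name       = $rule.DisplayName
                Profile    = $rule.Profile
                LocalPort  = ($ports -join ',')
                RemoteAddr = $addr.RemoteAddress
            }
        }
    }
    return $findings
}

$unscoped = Find-UnscopedRemoteAccessRules
$unscoped | Format-Table -AutoSize

# Corrected shape: keep the rule, but limit its source to the VPN range.
# (A separate Block rule for the port would also block VPN clients, because
# Windows Defender Firewall gives block rules precedence over allow rules.)
foreach ($f in $unscoped) {
    Get-NetFirewallRule -DisplayName $f.Name |
        Set-NetFirewallRule -RemoteAddress $vpnSubnet
}
```

Re-run Find-UnscopedRemoteAccessRules afterwards; it should return nothing for the two ports.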
4. Exposed Databases
Databases are among the most sought-after targets for threat actors since they often contain sensitive information. It is therefore critical to ensure that only authorized users can access integral databases. The CIS CTI team identified databases accessible over the open internet on CIS customers’ networks, including some that did not require a user account to view. Even databases that do require a login are often accessible either through breached credentials or exploitation of a vulnerability. Once a CTA accesses the database, they can exfiltrate the data to leak, sell, or leverage the information for further malicious activity.
Recommendations
- Keep all software updated to the latest secure version. (See CIS Critical Security Control 4: Secure Configuration of Enterprise Assets and Software.)
- Require remote users to access databases over a VPN.
- Eligible organizations that provide their external email domains to CIS can be enrolled in our Breached Credential Service and receive notifications when CIS observes credentials associated with their organization in breaches. (See CIS Critical Security Control 5: Account Management.)
- Use secure configurations, such as those recommended in the CIS Benchmarks. (See CIS Critical Security Control 4: Secure Configuration of Enterprise Assets and Software.)
- Limit database access to clients with proper authorization and access control. (See CIS Critical Security Control 12: Network Infrastructure Management.)
5. Failure to Remediate Existing Compromise
Finally, the CIS CTI team identified devices that appeared to have an ongoing compromise. These machines were identified by searching for services that matched signatures for instances of Cobalt Strike, web shells, and other malicious software. Detecting compromise promptly is important because longer response times typically lead to increased remediation costs. According to IBM's 2024 report, the average data breach took 258 days to identify and contain between March 2023 and February 2024, but breaches that took over 200 days to contain were 34% more expensive than breaches that were contained in under 200 days during that same time period.
Recommendations
- Leverage a Security Operations Center, such as the 24x7x365 CIS SOC, to monitor for potential compromises in real time. (See CIS Critical Security Control 13: Network Monitoring and Defense.)
- In the event of a compromise, engage an incident response team, such as the CIS CIRT. (See CIS Critical Security Control 17: Incident Response Management.)
- Receive regular vulnerability scans and penetration tests from a qualified red team, such as the CIS Red Team. (See CIS Critical Security Control 18: Penetration Testing.)
- Eligible organizations that provide their external IPs to CIS may receive notifications when we observe potentially vulnerable software on their network. (See CIS Critical Security Control 7: Continuous Vulnerability Management.)
Save Time and Effort Managing Your Secure Configurations
You can use both the CIS Controls and CIS Benchmarks to mitigate the risks associated with the insecure software configurations discussed above. But doing so on your own can take time and money. As an example, some CIS Benchmarks PDF documents contain hundreds of secure configuration recommendations, which complicates your hardening efforts if you implement them manually.
Fortunately, you don't need to use the CIS Controls and CIS Benchmarks on your own. CIS SecureSuite® Membership comes with resources you can use to streamline your implementation of these security best practices. These resources include tools for tracking and prioritizing your assessment of the CIS Controls, running automated scans of your systems' settings against the CIS Benchmarks, and tracking the impact of your hardening tasks over a recent period. With these and other Membership benefits, you can save time and money for other aspects of your cybersecurity program.
Interested in learning more about CIS SecureSuite?