A joint security advisory issued by multiple national cybersecurity authorities lists the top 10 initial access vectors most often exploited by malicious actors to breach computer networks. Unsurprisingly, “Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system” according to the joint advisory.
The list of the top 10 initial access vectors includes:
- Multifactor authentication (MFA) is not enforced. MFA, particularly for remote desktop access, can help prevent account takeovers.
- Incorrectly applied privileges or permissions and errors within access control lists. These mistakes can prevent the enforcement of access control rules and could allow unauthorized users or system processes to be granted access to data and/or systems.
- Software is not up to date. Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information, launch a denial-of-service attack, or take control of a system.
- Use of vendor-supplied default configurations or default login usernames and passwords. Many software and hardware products come “out of the box” with overly permissive factory-default configurations; leaving these factory-default configurations enabled after installation may provide avenues for an attacker to exploit.
- Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access. You can reduce the risk of remote service compromise by adding access control mechanisms, such as enforcing MFA, implementing a boundary firewall in front of a VPN, and leveraging intrusion detection system/intrusion prevention system sensors to detect anomalous network activity.
- Strong password policies are not implemented. Malicious cyber actors can use a myriad of methods to exploit weak, leaked, or compromised passwords and gain unauthorized access to a victim system.
- Cloud services are unprotected. Misconfigured cloud services are common targets for cyber actors. Poor configurations can allow for sensitive data theft and even cryptojacking.
- Open ports and misconfigured services are exposed to the internet. This is one of the most common vulnerability findings. Cyber actors use scanning tools to detect open ports and often use them as an initial attack vector.
- Failure to detect or block phishing attempts. Cyber actors send emails with malicious macros—primarily in Microsoft Word documents or Excel files—to infect computer systems when a user opens or clicks a malicious download link or document.
- Poor endpoint detection and response. Cyber actors use obfuscated malicious scripts and PowerShell attacks to bypass endpoint security controls and launch attacks on target devices.
The advisory also includes a list of practices to strengthen network defenses against these commonly exploited weak security controls and practices. It includes recommendations to:
- Control access to data and services utilizing the concept of least privilege
- Harden credentials by implementing MFA, changing default passwords, and monitoring for the use of compromised credentials
- Establish centralized log management to have sufficient information to investigate incidents and detect threat actor behavior
- Employ antivirus programs and endpoint detection and response tools
- Secure Internet-accessible hosts
- Implement an asset and patch management program
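Several of the weak controls listed above (MFA not enforced on remote access, vendor-default credentials, admin ports exposed to the internet, unpatched software, a VPN without a boundary firewall) can be checked mechanically against an asset inventory, which is what the asset and patch management recommendation depends on. The following is an added example, not code from the advisory or its authors; the inventory fields, default-credential pairs, patched-version floors and sample hosts are all constructed placeholders.

```python
"""Configuration-hygiene audit over a constructed host inventory (added example)."""
from dataclasses import dataclass

# Constructed vendor-default credential pairs (placeholders, not a real list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "password"), ("admin", "")}
# Constructed minimum patched version per product (placeholder values).
MIN_PATCHED = {"vpn-gateway": (3, 2, 1), "webapp": (5, 0, 0)}
# Administrative services that should not be reachable from the internet (constructed).
ADMIN_PORTS = {22, 23, 3389, 5985, 5986}

@dataclass
class Host:
    name: str
    internet_facing: bool
    open_ports: set            # TCP ports listening on this host
    mfa_enforced: bool         # MFA required for remote/interactive access
    credentials: set           # (username, password) pairs configured on the host
    software: dict             # product -> installed version tuple
    behind_boundary_firewall: bool = True

def audit_host(h: Host) -> list:
    """Return one finding string per weak control detected; empty list means clean."""
    findings = []
    if h.internet_facing and not h.mfa_enforced:
        findings.append("MFA not enforced on internet-facing access")
    if h.credentials & DEFAULT_CREDENTIALS:
        findings.append("vendor-default credentials in use")
    exposed = sorted(h.open_ports & ADMIN_PORTS) if h.internet_facing else []
    if exposed:
        findings.append(f"admin ports exposed to internet: {exposed}")
    for product, version in h.software.items():
        floor = MIN_PATCHED.get(product)
        if floor and version < floor:   # tuple comparison: (3,1,0) < (3,2,1)
            findings.append(f"{product} {'.'.join(map(str, version))} below patched floor")
    if h.internet_facing and "vpn-gateway" in h.software and not h.behind_boundary_firewall:
        findings.append("VPN gateway lacks boundary firewall")
    return findings

def audit(inventory) -> dict:
    """Map each host name to its findings."""
    return {h.name: audit_host(h) for h in inventory}

# Constructed sample inventory: one badly configured host, one clean host.
SAMPLE_INVENTORY = [
    Host("vpn01", True, {443, 22}, False, {("admin", "admin")}, {"vpn-gateway": (3, 1, 0)}, False),
    Host("app02", True, {443}, True, {("svc", "Xq9!long-random")}, {"webapp": (5, 2, 0)}),
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_INVENTORY).items():
        print(host, findings or ["clean"])
```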