Policy Insights: Joint security advisory from US, Canada, New Zealand, the Netherlands and the UK describes top 10 network attack vectors

A joint security advisory issued by cybersecurity agencies from the US, Canada, New Zealand, the Netherlands and the UK describe the top 10 attack vectors most exploited by threat actors for breaching networks. These include poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system

Policy Insights:

Chris Clements, vice president of solutions architecture at Cerberus Sentinel:

“As lists go, this is a very good one and enumerates the most common reasons organizations fall victim to cyberattacks.  By following CISA’s recommendations, organizations can drastically improve their security posture and resilience to cyberattack.  That said, many of these items can be difficult to implement, especially at organizations that don’t already have a strong culture of cybersecurity.  It’s also difficult for an organization without an existing culture to know where to begin as well.  For example, the mitigations list starts with “Adopt a zero-trust security model.”  Zero trust can be an incredibly effective approach to network defense but can also be a significant undertaking to implement.  This is particularly true for organizations with large environments, legacy dependencies, or limited resources for staff or budget.  As such, it’s critical for every organization to adopt a true culture of security to evaluate their individual risk, which best practices can be implemented quickly, and form both a short- and long-term strategy for defense.  There should also be a candid assessment of areas where it makes sense to partner with outside organizations for assistance.  A SOC is a great thing to have, but not all organizations will have the resources to build and staff their own.”


Roger Grimes, data-driven defense evangelist at KnowBe4:

“Unfortunately, like most of these types of warnings, it does not tell readers one huge truth that they need to know…and it is that phishing and social engineering are 50% to 90% of the problem. Like most warnings, it mentions phishing and social engineering almost in passing. None of the mitigations mention fighting phishing or social engineering attacks, such as better training employees to recognize and defeat phishing attacks. Social engineering is the biggest threat by far, but it is barely mentioned, so no one who is reading the document would know that defeating it is the single best thing you can do. It is better than firewalls, antivirus, multifactor authentication, zero trust defenses and everything else added up all together. It is clear that if defenders do not concentrate on and do more to defeat social engineering, that they just are not going to be successful in keeping hackers and malware out. Yes, patching and all the other things they mention need to be done, but nowhere does this recommendation indicate that, “Hey, social engineering and phishing is the biggest problem by far” and “Hey, you need to be doing a whole lot more to defeat social engineering and phishing.” Instead, it is treated as just one of the many things that everyone needs to be doing, sure to be lost in the dozens of other, far harder and less helpful things, that defenders need to be doing. It is this continuous fundamental misalignment between how we are attacked (mostly social engineering) and how we are told to defend ourselves (almost barely mentioning it) that allows hackers and malware to be so successful. It would be helpful to tell people which of the dozens of mitigations are more important than others. No one can do everything perfect and right all at once. Everyone can only do a few things right all at the same time, so at least tell them which things need to be concentrated on first and best.”