
Security organisations highlight the top 10 cyber security misconfigurations

The NSA (National Security Agency) and CISA (Cybersecurity and Infrastructure Security Agency) have released a joint advisory, "NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations" (October 2023), to inform the wider public of their findings on the ten most common cyber security misconfigurations.

The guidance aims to help organisations identify and remediate the potential security flaws in order to harden defences.

The list below was compiled from NSA and CISA red team (offensive) and blue team (defensive) assessments, together with the findings of their threat hunt and incident response teams.

  1. Default configurations of software and applications

  2. Improper separation of user/administrator privilege

  3. Insufficient internal network monitoring

  4. Lack of network segmentation

  5. Poor patch management

  6. Bypass of system access controls

  7. Weak or misconfigured multifactor authentication (MFA) methods

  8. Insufficient access control lists (ACLs) on network shares and services

  9. Poor credential hygiene

  10. Unrestricted code execution

Highlighting these misconfigurations shows organisations that the problems they face are not unique to them: the same weaknesses recur across many networks.

The list can also draw attention to areas that are being overlooked and, given how often they are found, warrant prompt attention, and it pinpoints the weaknesses that threat actors are most likely to exploit.

In the advisory, as well as highlighting potential areas for improvement, there are sections dedicated to providing mitigation advice.

To some, this information may appear routine or cliché. However, the advisory is evidence that organisations are still not adequately addressing these problems. Those in a position to implement technical changes are encouraged to review the advisory and, where appropriate, act on its mitigations, or to use it to support internal discussions about the risk that existing weaknesses pose.

Worried about your cyber security measures and unsure what to do? Contact us, we can help either directly, or act as an impartial broker for our Cyber Essentials Partners.



Report all fraud and cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to
Report SMS scams by forwarding the original message to 7726 (which spells SPAM on a phone keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
