The NSA and CISA identified ten common cybersecurity misconfigurations: default configurations of software and applications, improper separation of user/administrator privilege, insufficient internal network monitoring, lack of network segmentation, poor patch management, bypass of system access controls, weak or misconfigured multifactor authentication methods, insufficient access control lists on network shares and services, poor credential hygiene, and unrestricted code execution.

Organizations are encouraged to implement several key mitigations: remove default credentials and harden configurations, disable unused services, implement access controls, regularly update and automate patching, and audit administrative accounts and privileges. These steps can significantly enhance the security posture of an organization.

Software manufacturers are urged to adopt secure-by-design principles, which include embedding security controls into product architecture from the start, eliminating default passwords, providing high-quality audit logs at no extra charge, and mandating multifactor authentication for privileged users. These practices can help reduce the prevalence of common misconfigurations and enhance overall security for customers.