An organization can invest heavily in protecting its digital infrastructure and still face security challenges due to security misconfigurations. Human error is commonly to blame for this. Humans are not perfect, and it is quite possible for them to make mistakes while implementing security controls. Therefore, having a top-notch security shield around an enterprise’s digital infrastructure doesn’t mean it is 100 percent secure.
Security misconfigurations can be described technically as a situation in which a company’s security practices do not adhere to industry security standards, such as the OWASP Top 10 and CIS benchmarks, to name a few. Improperly defined security controls and the use of default security controls are two examples of security misconfigurations.
Most misconfigurations are caused by unprofessional or inexperienced system administrators, or by a developer who does not properly configure security controls in an application. Security misconfigurations are open invitations for hackers, since they don’t need to invest much effort to exploit vulnerabilities caused by misconfigurations. In 2019, a Teletext data exposure incident involving 530,000 data files occurred due to a misconfigured Amazon Web Services web server. Similarly, in the same year, 750,000 birth certificates got into the wrong hands when an AWS cloud storage bucket was misconfigured. Furthermore, security misconfigurations can occur in a wide range of technologies, including servers, operating systems, and networks.
Security misconfigurations can happen for various reasons. Modern enterprises are complex and multilayered, which increases the chances of misconfiguration and reduces the chances of identifying it. Additionally, organizations can make configuration errors when scaling their infrastructure or when adding new equipment to it. This is why it is critical to conduct a comprehensive and frequent audit of the whole infrastructure to identify any misconfigurations and fix them in time. It is also very common for employees to make mistakes during their work, which adds to the chances of security misconfigurations.
Here are some of the common reasons for security misconfigurations:
Most equipment and software tools come with some sort of default credentials, such as routers and admin panels. By using the default credentials, the owner can use the tool right away. These credentials might be a plus for initial hands-on experience, but the problem begins when those credentials are not replaced by something more complex and unique. Hackers can easily get a list of default credentials and can use it to access devices with unchanged default credentials.
There should be an enterprise-wide security policy that requires employees to change their default passwords to something unique and difficult to guess. Enterprises must also ensure that this policy is followed by employees, and punish those who fail to do so.
The system’s default configurations can relay unnecessary information in error messages such as detailed stack traces. This can be very dangerous for cybersecurity and can provide sensitive information to attackers. For example, if an attacker can determine the component version from error messages, they can look for security exploits for the corresponding version.
It is the responsibility of the developer or administrator team of the enterprise to handle error messages properly. Alerts should only be accessible to relevant professionals and should disclose only necessary information.
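The difference between a default that leaks detail and a handler that keeps it internal, as an added Python example (not code from the original article): `verbose_errors` returns the stack trace to the client, while `safe_errors` logs it server-side and returns only a reference ID. The WSGI wrappers, `failing_app`, and the `examplelib 2.3.1` version string are constructed for illustration.

```python
import logging
import sys
import traceback
import uuid

log = logging.getLogger("app.errors")
STATUS = "500 Internal Server Error"
HEADERS = [("Content-Type", "text/plain")]


def verbose_errors(app):
    """Misconfigured variant: echoes the stack trace to the client."""
    def wrapper(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            start_response(STATUS, HEADERS, sys.exc_info())
            return [traceback.format_exc().encode()]
    return wrapper


def safe_errors(app):
    """Hardened variant: detail goes to the server log, the client gets an ID."""
    def wrapper(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            incident = uuid.uuid4().hex[:12]
            log.error("incident=%s path=%s", incident,
                      environ.get("PATH_INFO", ""), exc_info=True)
            start_response(STATUS, HEADERS, sys.exc_info())
            return [f"Internal error. Reference: {incident}\n".encode()]
    return wrapper


def failing_app(environ, start_response):
    # Constructed failure whose message carries a component version.
    raise RuntimeError("db driver examplelib 2.3.1 refused connection")


def call(app, path="/orders"):
    """Invoke a WSGI app once and return (status, body) for inspection."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    body = b"".join(app({"PATH_INFO": path}, start_response))
    return seen["status"], body.decode()
```

Comparing `call(verbose_errors(failing_app))` with `call(safe_errors(failing_app))` shows the same failure with and without the version string in the response body; the reference ID ties the client-visible message to the full log entry.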
Software updates are vital not only for software security but also for overall functionality and stability. When a vulnerability is detected in software you use, its developers are likely to release an update to fix it. Using outdated versions can expose you to cyberattacks.
Companies should not allow their employees to use outdated software. A schedule should be developed to allow employees to update their software tools without interrupting their routine work.
While new features can be exciting to introduce, they can also lead to security issues if not configured properly. Before making new features available to all users, system upgrades, whether on the software or hardware side, need to be carefully reviewed for security reasons. A company should be aware of the results after changing, introducing, or removing a system feature.
Cloud solution providers have made life easier for customers by handling a lot of configurations and maintenance tasks for them. However, cloud vendors are not responsible for everything that happens in the cloud.
The majority of cloud service plans follow a shared responsibility model, in which both the cloud service provider and the customer are jointly responsible for security on the cloud. Cloud vendors usually handle things like infrastructure, while customers have to manage their firewalls, cloud operating systems, and associated software.
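For the customer's side of that shared responsibility, the following added Python example (not from the original article) audits an S3-style bucket policy document offline and reports `Allow` statements open to any principal, the kind of setting behind a publicly readable storage bucket. The bucket name, account ID, organization ID and `Sid` values are constructed, and treating any `Condition` as a restriction is a simplifying assumption.

```python
import json

# Constructed sample policy for a hypothetical bucket "example-reports".
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-reports/*"},
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-reports/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/report-writer"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-reports/*"}
  ]
}
""")


def is_wildcard_principal(principal):
    """True for "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy):
    """Return (Sid, actions) for Allow statements open to any principal
    with no Condition narrowing who can use them."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):      # a single statement may be a bare object
        stmts = [stmts]
    findings = []
    for s in stmts:
        if (s.get("Effect") == "Allow"
                and is_wildcard_principal(s.get("Principal"))
                and not s.get("Condition")):
            actions = s.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append((s.get("Sid", "<no Sid>"), actions))
    return findings
```

On the sample policy, only `PublicRead` is reported; `OrgOnly` uses a wildcard principal but is narrowed by its condition, and `AppRole` names a specific role.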
Permissions are necessary to block unauthorized access to sensitive information. Unless appropriate permissions are set by the administrator, attackers may be able to run forced browsing attacks to locate vulnerable locations, which can expose restricted files.
It is the responsibility of the enterprise administration to ensure that only appropriately qualified individuals have access to the system or certain components of the system.
Enterprises continue to become more complex as they integrate cloud technology, third-party services, and external vendor services into their infrastructure. In addition to increasing the likelihood of misconfigurations, this reduces the ability to identify ambiguities in the system.
In order to manage a system efficiently, its components and their dependencies should be categorized into microsegments to make them more visible and easier to manage. Microsegmentation allows for micro-configurations, while also providing information about whether internal or outsourced teams are responsible for security misconfigurations.
As discussed above, security misconfigurations are just human errors that can be intentional or unintentional. Regardless of how hard enterprises try, they cannot avoid the possibility of human error. So instead of avoiding it, enterprises should establish policies and practices that actively monitor for potential misconfigurations and catch them as early as possible.