What is security misconfiguration?
Security misconfigurations arise when security settings are not defined, implemented, and default values are maintained. Usually, this means the configuration settings do not comply with the industry security standards (CIS benchmarks, OWASP Top 10 etc) which are critical to maintaining security and reduce business risk. Misconfiguration normally happens when a system or database administrator or developer does not properly configure the security framework of an application, website, desktop, or server leading to dangerous open pathways for hackers.
Misconfigurations are often seen as an easy target, as it can be easy to detect on misconfigured web servers, cloud and applications and then becomes exploitable, causing significant harm and leading to catastrophic data leakage issues for enterprises like the 2019 Teletext exposure of 530,000 data files which was caused by an insecurely configured Amazon Web Service (AWS) web server. Unfortunately, once a system falls prey to a vulnerability or lack of security safeguarding, your sensitive data is at risk of getting stolen or altered. Often, the biggest problem organizations face is that these flaws are not being identified or addressed early enough in accordance with security hygiene best practice. This is becoming a widespread security challenge, with misconfiguration accounting for 82% of security vulnerabilities and we’ve been seeing high profile stories around this topic in the industry press for a number of years. Including the exposure of 750,000 birth certificate applications in the US on an AWS storage bucket in 2019 and another misconfigured cloud storage bucket exposing hundreds of thousands of mobile phone bills for AT&T, Verizon and T-Mobile subscribers due to human error and misconfiguration.
As the examples show, many enterprises are migrating their services to the cloud, because of digital transformation and stretching networks to the fullest due to the Covid-19 pandemic to support remote working, however its harmful in the long term to forget the basics. It appears vital security safeguarding is being bypassed around configuration of web apps, networks and cloud, whether due to speed, misunderstanding or simple human error. In this blog we will shed some light on the types of misconfigurations to look out for and importantly – how to combat them with security awareness and regular vulnerability assessments.
What causes security misconfigurations?
Sometimes a safe environment of an organization built by several stakeholders (systems administrators, DBAs, or developers) is left with vulnerable gaps, even after you thought the job’s complete, as not all stakeholders are clued up or responsible for securing the web app and/or infrastructure. These security loopholes then lead the organization to grave risks further down the line including costly fines and reputational damage. With the most common misconfigurations including:
- Unpatched systems
- Default/ out of the box account settings (i.e. usernames and passwords)
- Unencrypted files
- Old and out of date web applications
- Unsecured devices
- Web application and cloud misconfiguration
- Insufficient firewall protection
As we are well aware, the challenge of a heterogeneous environment for enterprises and the lack of security awareness can increase the risk of these dangerous security anomalies and the threats hitting your business. Security weaknesses like misconfigurations must be addressed across all layers of your diversified environment.
It is important to not only stay up to date with newly released patches for common vulnerabilities but also creating a continuous testing and monitoring process to be notified about application vulnerabilities and triaging the biggest threats via risk based intelligence, to ensure imminent threats are found before the hackers do! Security misconfigurations is still high up within the OWASP’s Top 10 list (A6 2017) and it’s important to be aware that security misconfigurations can happen on any level of the application stack, via the web server, database, application, network equipment and so on.
OWASP Top 10 is the common framework for monitoring web application vulnerabilities and is the industry benchmark. Using this to understand threat actor behaviours and running regular scanning using an automated DAST tool will help you to locate default accounts, vulnerabilities associated with code and applying the latest patches on your servers and web apps in a timely manner.
All of Outpost24’s application testing solutions cover OWASP top 10, CWE, WASC and CVE findings.
Hybrid-cloud environments and containers
As we’ve highlighted in this blog, many unfortunate modern-day breaches have stemmed from misconfigured storage in cloud environments. This has increased exponentially since the use of traditional data centers as we look to reduce office space and budget. The most alarming statistic around cloud security and highlighted by analysts at Gartner that “Through 2025, 99% of cloud security failures will be the customer’s fault” so we must keep a close eye on misconfiguration to significantly reduce the risk of cloud failure.
Elements that are most at danger, if mismanaged and security processes not applied can affect public cloud services, third-party services and applications hosted in different infrastructures. Web application firewalls in production cloud environments can often suffer misconfigurations, and in many cases are not protected from development environments with insufficient firewall protection in place to authenticate user access and privileges.
Poorly configured cloud environments are easy pickings for hackers, and data breaches aren’t often the work of highly skilled exploits or advanced malware infection. It’s just too easy for them, with one of the most common cloud misconfigurations coming from public access to storage buckets, which seems surprising as you wouldn’t leave your safe door left open for bulgers to help themselves!
Organizations face various types of configuration challenges when migrating to public IaaS cloud environments, including complex and often undetected internet connectivity paths that are improperly configured, such as the infamous CapitalOne web application firewall breach.
To prevent such attacks, businesses should implement secure configurations such as the CIS Benchmarks which provides common security best practice recommendations for multiple technologies including servers, operating systems, and cloud containers. Automated IaaS assessment against the CIS benchmark for AWS, Azure, Google Cloud, Docker and Kubernetes ensure the specific security controls protecting your organization’s data are in place and will help prevent cloud security misconfiguration issues.
As advised in the OWASP Top 10 list, “security misconfiguration can happen anywhere’ and includes the most robust enterprise network. Often under-trained staff may not notice a misconfiguration issue early enough which is especially difficult as the modern attack surface changes and evolves. It’s therefore important to ‘think like a hacker’ when setting up any new system or maintaining existing or legacy networks. Security solutions from organizations with ethical hacking backgrounds can help you stay ahead of threats by understanding the context of different attack paths.
When creating robust network security policies and processes, its essential to define and monitor security settings for all apps and programs being deployed across your organization and the connectivity these apps have to your network should be identified. Firewalls will help create a barrier to vulnerabilities creeping into your network however, you should always include things like disabling unnecessary ports, removing default programs and features not being used by the app, and disabling or changing all default users and passwords as a priority. Including these essential steps in your processes to ensure security controls are in place and staff receive adequate training to manage this.
To prevent such attacks, organizations should implement vulnerability assessments and compliance checks towards industry best practices, such as the CIS benchmarks.
What Outpost24 does to help?
Outpost24 solutions cover vulnerability assessment for your entire technology stack and create security controls and processes for the most complex environments from network, wireless, web application to hybrid cloud and containerized environments. Built by ethical hackers we help imprint a security-first culture in your enterprise through our unrivaled coverage, so no stone is left unturned. We give our customers the confidence to operate at the maximum without worrying about a deadly breach by automated security hygiene with a unified view of their attack surface.
Our advanced risk-based vulnerability prioritization tooling enables our customers to save time from sifting through irrelevant findings and focus on the imminent threats. To prevent misconfiguration issues, our tools continuously monitor for any vulnerabilities and industry best practices across the full stack.