OWASP Top 10 #5: Security Misconfiguration
Recently, the Open Web Application Security Project (OWASP) announced an update of their "Ten Most Critical Web Application Security Risks.” OWASP is a nonprofit organization devoted to helping create a more secure internet and the list is considered an important benchmark. (The new 2017 list is currently in the comments phase.)
This is one of a series of articles exploring each point on OWASP’s list and what can be done to mitigate their dangers. Holding steady at Number 5 from the 2013 list is “Security Misconfiguration.”
See Infosec IQ in action
Many Layers, Opportunities for Hackers
Security misconfiguration is one of the easiest targets for hackers because it’s so commonplace. This type of vulnerability includes weak or default passwords, out-of-date software, unnecessary features that are enabled, and unprotected files or databases.
Hackers target a website and then attempt to exploit weaknesses in a variety of ways, including brute-force password attacks, using stack traces that return full error messages, and accessing insecure sample apps that are unused but enabled.
Misconfiguration can happen up and down the stack, from the software platform to the web including the application servers, databases, frameworks, and custom code layered on top. If just one of these is misconfigured, it creates an opportunity for an “in,” which can lead to a slow takeover or a wider breach.
Prevention Begins with Assessment
OWASP recommends starting with a thorough audit of the entire IT environment, highlighting such issues as software that needs updates or patches, default accounts that still have their original passwords, and security settings in frameworks and applications that are not set to secure values.
OWASP urges businesses to create a highly robust environment from the ground up, including creating a strong infrastructure that has all its components separate and secure. Developers and system administrators must work hand in hand to ensure that everything is configured correctly.
Additionally, automatic configuration of staging, development, and production environments is suggested as a way of making compliance easy. Software or firmware updates and patches should be deployed simultaneously; scans and audits conducted periodically.
“Without a concerted, repeatable application security configuration process, systems are at a higher risk,” OWASP states on their website.
Awareness Is Crucial
Creating a secure system that is configured correctly involves making sure everyone involved understands both the need for security and as the protocols involved in creating and maintaining it.
To assist with this mission, InfoSec Institute has created SecurityIQ, a comprehensive suite of educational modules. It includes AwareED, a configurable course on security that can be administered remotely to entire departments or organizations.
SecurityIQ contains videos and interactive materials for every point on OWASP’s list, including security misconfiguration. It’s easy to enroll your entire company in a course or series of courses via email signup. From the dashboard, you can monitor everyone’s progress.
See Infosec IQ in action
To learn more and get a 30-day trial of our premium services, visit SecurityIQ today!
In this Series
- OWASP Top 10 #5: Security Misconfiguration
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness