A guide to preventing common security misconfigurations
Security misconfigurations are still part of OWASP’s Top 10 Security Risk list. This indicates they have been a persistent issue over the years. Security misconfigurations happen when supposed safeguards still leave vulnerabilities in a website or application. This normally happens when a system or database administrator or developer does not properly configure the security framework of an application, website, desktop or server. These misconfigurations leave applications vulnerable to attack.
Preventing security misconfigurations is not normally solely dependent on one source. For instance, even if the developer implements secure coding practices, it is still up to the integration team to properly integrate the application into production, and the responsibility of the system administrator to actively patch and update the system. It is also the responsibility of the system owners or the governance team to ensure there are proper rules in place to help avoid these types of issues.
11 courses, 8+ hours of training
These vulnerabilities can be located anywhere within an infrastructure to include custom code, databases, application or web servers, user workstations, routers, switches or even firewalls. This means it is important for developers, admins and management to all collaborate. Avoiding security misconfigurations is a team effort, not a solo one.
What are some common types of security misconfigurations?
Some common security misconfigurations include:
- Unpatched systems
- Using default account credentials (i.e., usernames and passwords)
- Unprotected files and directories
- Unused web pages
- Poorly configured network devices
These security misconfigurations can happen for a myriad of reasons. Having underqualified, or poorly trained staff, could lead to the issue. If a system administrator does not understand the importance of reviewing available patches and has never been trained on how to implement properly, an organization could be at major risk. It is important to not only stay abreast of newly released patches, but to also implement them in a mirrored test environment first to ensure they don’t cause other issues within a system.
If a patch was inadvertently downloaded from a malicious source, installing it in the test environment first ensures only the test environment is damaged, not production. Also, a larger enterprise environment can have custom code in use, and special configurations. At times, installing a patch in these situations could potentially cause more harm than good, even creating more vulnerabilities. Using the test environment ensures the system administrator has time to evaluate the effects of the patch.
Poorly trained administrators and poorly written cybersecurity policies breed an environment where default accounts are used. Most hackers know, or are skilled enough to figure out, the default account credentials for networking devices, operating systems and many applications. Using these default accounts makes it easy for cybercriminals to access your system and escalate their privileges. This is an easy fix, but it is a vulnerability that happens quite often.
How can I prevent security misconfigurations?
One of the best ways to prevent security misconfigurations is education and training. Educating your staff on current security trends helps ensure they make better decisions, and follow best practices. You can’t correct something that you don’t know.
Some other recommendations from various security experts to prevent security misconfigurations include:
- Developing a repeatable patching schedule
- Keeping software up to date
- Disabling default accounts
- Encrypting data
- Enforcing strong access controls
- Provide admins with a repeatable process to avoid overlooking items
- Set security settings in development frameworks to a secure value
- Run security scanners and perform regular system audits
Making use of data at rest encryption schemes could help protect files from data exfiltration. So does applying proper access controls to both files and directories. These steps help offset the vulnerability of unprotected files and directories. Data exfiltration is a big fear for most organizations. Proprietary or sensitive data in the wrong hands can create embarrassment or dramatic losses for a company, both financially and in terms of personnel. Data is often a company’s most important asset.
Running security scans on systems is an automated way to help identify vulnerabilities. Running these scans on a consistent schedule, and/or especially after making architectural changes, is an important step in reducing the vulnerability landscape. If implementing custom written code, using a static code security scanner is also an important step before integrating that code into the production environment.
Only give users access to data they absolutely need to do their jobs. Implement strong access controls to include enforcing the use of a strong username and password, and implement two-factor authentication mechanisms. Compartmentalize data. Make sure admins have separate accounts for when they are using their administrative privileges verses just acting as a user of the system.
Using outdated software is still one of the most common security vulnerabilities. Many companies do not feel the need to invest in the latest and greatest. It seems “cheaper” to continue using legacy software, but in actuality, using outdated software puts a company at risk to losing not only assets, but the trust of their customers, or even investors. Creating a consistent patch schedule, and keeping software updated is vital to reducing a company’s threat vectors.
11 courses, 8+ hours of training
Conclusion
Security misconfigurations are still on the OWASP Top Ten list, ranked as number six this year. To avoid this risk, it is important for organizations to educate their staff, keep software up to date and ensure they are configuring their network equipment to current industry best practices. Hackers continue to grow smarter year after year. Every effort should be made to secure networks, not just for the sake of the company, but for the sake of the public as well.
In this Series
- A guide to preventing common security misconfigurations
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security