A guide to preventing common security misconfigurations
Security misconfigurations are still part of OWASP’s Top 10 Security Risk list. This indicates they have been a persistent issue over the years. Security misconfigurations happen when supposed safeguards still leave vulnerabilities in a website or application. This normally happens when a system or database administrator or developer does not properly configure the security framework of an application, website, desktop or server. These misconfigurations leave applications vulnerable to attack.
Preventing security misconfigurations is not normally solely dependent on one source. For instance, even if the developer implements secure coding practices, it is still up to the integration team to properly integrate the application into production, and the responsibility of the system administrator to actively patch and update the system. It is also the responsibility of the system owners or the governance team to ensure there are proper rules in place to help avoid these types of issues.
These vulnerabilities can be located anywhere within an infrastructure to include custom code, databases, application or web servers, user workstations, routers, switches or even firewalls. This means it is important for developers, admins and management to all collaborate. Avoiding security misconfigurations is a team effort, not a solo one.
What are some common types of security misconfigurations?
Some common security misconfigurations include:
- Unpatched systems
- Using default account credentials (i.e., usernames and passwords)
- Unprotected files and directories
- Unused web pages
- Poorly configured network devices
These security misconfigurations can happen for a myriad of reasons. Having underqualified, or poorly trained staff, could lead to the issue. If a system administrator does not understand the importance of reviewing available patches and has never been trained on how to implement properly, an organization could be at major risk. It is important to not only stay abreast of newly released patches, but to also implement them in a mirrored test environment first to ensure they don’t cause other issues within a system.
If a patch was inadvertently downloaded from a malicious source, installing it in the test environment first ensures only the test environment is damaged, not production. Also, a larger enterprise environment can have custom code in use, and special configurations. At times, installing a patch in these situations could potentially cause more harm than good, even creating more vulnerabilities. Using the test environment ensures the system administrator has time to evaluate the effects of the patch.
Poorly trained administrators and poorly written cybersecurity policies breed an environment where default accounts are used. Most hackers know, or are skilled enough to figure out, the default account credentials for networking devices, operating systems and many applications. Using these default accounts makes it easy for cybercriminals to access your system and escalate their privileges. This is an easy fix, but it is a vulnerability that happens quite often.
How can I prevent security misconfigurations?
One of the best ways to prevent security misconfigurations is education and training. Educating your staff on current security trends helps ensure they make better decisions, and follow best practices. You can’t correct something that you don’t know.
Some other recommendations from various security experts to prevent security misconfigurations include:
- Developing a repeatable patching schedule
- Keeping software up to date
- Disabling default accounts
- Encrypting data
- Enforcing strong access controls
- Provide admins with a repeatable process to avoid overlooking items
- Set security settings in development frameworks to a secure value
- Run security scanners and perform regular system audits
Making use of data at rest encryption schemes could help protect files from data exfiltration. So does applying proper access controls to both files and directories. These steps help offset the vulnerability of unprotected files and directories. Data exfiltration is a big fear for most organizations. Proprietary or sensitive data in the wrong hands can create embarrassment or dramatic losses for a company, both financially and in terms of personnel. Data is often a company’s most important asset.
Running security scans on systems is an automated way to help identify vulnerabilities. Running these scans on a consistent schedule, and/or especially after making architectural changes, is an important step in reducing the vulnerability landscape. If implementing custom written code, using a static code security scanner is also an important step before integrating that code into the production environment.
Only give users access to data they absolutely need to do their jobs. Implement strong access controls to include enforcing the use of a strong username and password, and implement two-factor authentication mechanisms. Compartmentalize data. Make sure admins have separate accounts for when they are using their administrative privileges verses just acting as a user of the system.
Using outdated software is still one of the most common security vulnerabilities. Many companies do not feel the need to invest in the latest and greatest. It seems “cheaper” to continue using legacy software, but in actuality, using outdated software puts a company at risk to losing not only assets, but the trust of their customers, or even investors. Creating a consistent patch schedule, and keeping software updated is vital to reducing a company’s threat vectors.
Security misconfigurations are still on the OWASP Top Ten list, ranked as number six this year. To avoid this risk, it is important for organizations to educate their staff, keep software up to date and ensure they are configuring their network equipment to current industry best practices. Hackers continue to grow smarter year after year. Every effort should be made to secure networks, not just for the sake of the company, but for the sake of the public as well.