How to avoid opening the door to hackers with misconfiguration errors

The rise of cyber-crime has taken the world by storm and is without a doubt one of the biggest threats businesses and consumers face today. Over and over we see reports of data breaches at big-name brands, often caused by simple misconfigurations that could easily have been corrected. Cyber-incidents are rife and pose a real and persistent threat to business; any organisation can be a target, so it is important that foundational security controls are not overlooked.

Businesses across the world are investing more heavily in cyber-security technology to keep attackers away from their sensitive digital assets. However, many organisations are realising that purchasing all the latest security solutions on the market does not guarantee 100 percent protection. This is particularly true when they haven't taken the very basic but absolutely crucial step of properly configuring their devices and applications – especially as their IT environments evolve and become more complex, with the modern enterprise tending to use a blend of physical, virtual, and private and public cloud environments.

In cyber-security, a single misconfiguration in a software system or cloud service leaves an organisation exposed to attackers. These small mistakes can expose sensitive data such as passwords, personally identifiable information (PII) and other information whose loss harms individuals as well as the organisation's reputation. Security misconfiguration has its own category in OWASP's Top 10 list of the most critical web application security risks (a list revised every few years rather than annually): the 2017 release candidate ranked it fifth, and the final 2017 list ranks it sixth, as A6.

Additionally, with the upcoming European General Data Protection Regulation (GDPR), which applies from 25 May 2018 and allows fines of up to 4 percent of annual global turnover or €20 million, data breaches are becoming even more of a concern for organisations, particularly because of their potential to hit a company's bottom line directly.

So, what are the most common misconfiguration errors organisations are guilty of today, how can they be exploited by attackers and what can organisations do to avoid misconfiguration errors within their software and cloud services?

Common misconfiguration mistakes

Security misconfigurations are one of the most common weaknesses attackers use to gain access to an organisation. The Critical Security Controls, originally maintained by the SANS Institute and later by the Council on CyberSecurity (now the Center for Internet Security), recommend that once you have inventoried your hardware and software, the next and most important control is secure configuration of that hardware and software.

Misconfiguration is most often introduced during change: when new rules are added to a firewall or to a cloud security group, or when existing rules are altered or replaced without anyone checking the resulting exposure. Attackers also routinely take advantage of devices that were never hardened after deployment, for example those still using the vendor's default password. They scan for systems whose default settings make them immediately vulnerable, and once a foothold is gained they can change configuration further, move laterally and exfiltrate data. A small error in a security control, such as leaving default settings in place or skipping hardening, can be all the access an unauthorised, and potentially malicious, third party needs.

Rising cloud misconfiguration breaches

When adopting cloud services, it is critical to understand what security the cloud provider delivers for you and what you remain responsible for yourself. Under the typical shared responsibility model, the provider secures the underlying infrastructure, while the secure configuration of the services and applications you run on top of it (storage permissions, network rules, identity policies) is your responsibility, not the vendor's. Be sure to understand your vendor's shared security responsibility model before you rely on it.

The implications of a security misconfiguration in the cloud were highlighted in July 2017 when Verizon confirmed that confidential data belonging to six million customers had been exposed online as a result of a misconfigured security setting on a cloud storage server. The error left customer names, phone numbers and account PIN codes publicly available.

Similarly, the data firm Deep Root Analytics, working on behalf of the US Republican National Committee, left personal information on 198 million US voters unprotected on a cloud storage server configured to be publicly accessible.

Not long after, Dow Jones experienced a data leak when it left a cloud storage server configured to let anyone with a free Amazon Web Services (AWS) account access a database holding the personal data of millions of customers. The setting in question, an AWS "Authenticated Users" grant, covers every AWS account holder in the world, not just the owning organisation's users, a distinction that is easy to miss.

These are simple errors that can lead to significant consequences.

Preventing security configuration errors

The most effective defence against these kinds of incidents is a strong secure configuration management process. By setting standard configurations for your systems based on industry best practices, and continuously monitoring for changes from that baseline, organisations can quickly identify a misconfiguration that could be exploited and correct it before it is exploited. A secure configuration management (SCM) solution helps organisations do this efficiently and effectively, especially in complex environments.
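The baseline-and-drift approach above, and the specific mistakes discussed earlier (firewall rules opened during a change, devices left on default passwords, cloud storage granted to "Authenticated Users" or the public), can be illustrated with a small checker. The following is an added example written for this article, not code from Tripwire or any SCM product; the baseline, the snapshot, the bucket names, the account ID and the list of default credentials are all constructed for illustration.

```python
"""Configuration-drift check against a hardened baseline.

Added example for this article; it is not Tripwire's or any vendor's code.
The baseline, snapshot, bucket names, account ID and default-credential
list below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

# S3 ACL group URIs. "AllUsers" is anyone on the internet; "AuthenticatedUsers"
# is anyone with an AWS account, not only your own users.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}

# Short, illustrative list of vendor defaults that must not survive provisioning.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")}

# Constructed hardened baseline. "id=..." is a hypothetical canonical user ID of the owning account.
BASELINE = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    "allowed_grantees": {"id=0123456789abcdef"},
    "admin_ports": {22, 3389, 3306, 5432},
}


@dataclass
class Finding:
    severity: str   # "critical" or "high"
    component: str
    message: str


def check_storage_acls(grants, baseline):
    """Flag bucket grants to public groups, or to principals the baseline does not list."""
    findings = []
    for g in grants:
        if g["grantee"] in PUBLIC_GRANTEES:
            findings.append(Finding("critical", "storage",
                f"{g['bucket']}: {g['permission']} granted to {PUBLIC_GRANTEES[g['grantee']]}"))
        elif g["grantee"] not in baseline["allowed_grantees"]:
            findings.append(Finding("high", "storage",
                f"{g['bucket']}: grantee {g['grantee']} is not in the baseline"))
    return findings


def check_firewall(rules, baseline):
    """Flag allow rules that expose an administrative port to every source address (/0)."""
    findings = []
    for r in rules:
        source = ipaddress.ip_network(r["source"], strict=False)
        if r["action"] == "allow" and source.prefixlen == 0 and r["port"] in baseline["admin_ports"]:
            findings.append(Finding("critical", "firewall",
                f"rule {r['id']}: port {r['port']} open to {r['source']}"))
    return findings


def check_sshd(config, baseline):
    """Flag sshd_config keys that differ from the baseline; an unset key falls back to the
    daemon default, which counts as drift because the hardened value was not enforced."""
    findings = []
    for key, expected in baseline["sshd"].items():
        actual = config.get(key, "<unset>")
        if actual != expected:
            findings.append(Finding("high", "sshd", f"{key}={actual}, baseline requires {expected}"))
    return findings


def check_credentials(accounts):
    """Flag accounts still using a vendor default username/password pair."""
    return [Finding("critical", "accounts", f"{a['username']}@{a['host']} uses a default password")
            for a in accounts if (a["username"], a["password"]) in DEFAULT_CREDENTIALS]


def audit(snapshot, baseline=BASELINE):
    """Run every check over a captured snapshot; an empty list means no drift from the baseline."""
    return (check_storage_acls(snapshot["storage_grants"], baseline)
            + check_firewall(snapshot["firewall_rules"], baseline)
            + check_sshd(snapshot["sshd_config"], baseline)
            + check_credentials(snapshot["accounts"]))


# Constructed snapshot of a drifted environment (not real data).
SAMPLE_SNAPSHOT = {
    "storage_grants": [
        {"bucket": "customer-exports", "grantee": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
         "permission": "READ"},
        {"bucket": "customer-exports", "grantee": "id=0123456789abcdef", "permission": "FULL_CONTROL"},
    ],
    "firewall_rules": [
        {"id": 1, "action": "allow", "source": "0.0.0.0/0", "port": 443},    # public web, acceptable
        {"id": 2, "action": "allow", "source": "0.0.0.0/0", "port": 22},     # SSH open to the world
        {"id": 3, "action": "allow", "source": "10.0.0.0/8", "port": 5432},  # internal only
    ],
    "sshd_config": {"PermitRootLogin": "yes"},   # PasswordAuthentication left unset
    "accounts": [
        {"host": "fw-edge-1", "username": "admin", "password": "admin"},
        {"host": "db-1", "username": "dba", "password": "c0rrect-h0rse"},
    ],
}

if __name__ == "__main__":
    for f in audit(SAMPLE_SNAPSHOT):
        print(f"[{f.severity}] {f.component}: {f.message}")
```

Run against the constructed snapshot it reports five findings: the bucket readable by any AWS account holder, SSH open to 0.0.0.0/0, two sshd settings that drifted from the baseline (one explicitly changed, one never set), and a firewall appliance still on admin/admin. The design point is that each check compares against an explicit expected state rather than looking for "bad" values in isolation, so a second run after remediation returns an empty list, which is what continuous monitoring should be asserting.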

Some of the highest-profile breaches could have been prevented by taking this foundational step. Again, the latest security tools may not help if the basic essentials of security aren't met. In addition to secure configuration, organisations can build a stronger foundation by finding and fixing vulnerabilities (failure to patch known vulnerabilities is another simple cause of high-profile incidents), managing administrative privileges carefully, and paying attention to audit logs.

At the end of the day, it boils down to having proper visibility of your attack surface so you can minimise it and monitor it. Simple errors like misconfiguration can lead to much bigger issues if not addressed.

Contributed by David Meltzer, chief technology officer at Tripwire

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.