The Impact of Security Misconfiguration and Its Mitigation

Today’s cybersecurity threat landscape is highly challenging. Attackers are constantly on the lookout to exploit security vulnerabilities in applications and systems to gain access to or control of sensitive information and launch cyberattacks such as ransomware.

With companies spreading sensitive data across different platforms, software as a service (SaaS) platforms, containers, service providers, and even various cloud platforms, it’s essential that they begin to take a more proactive approach to security.

This means integrating security as a core part of the development process, shifting security to the left, and automating your infrastructure as much as possible to leave behind inefficient, time-consuming, and expensive tactics. One of the most basic aspects of building strong security is maintaining security configuration.

In a study, it was revealed that nearly 73% of organizations have at least one critical security misconfiguration that could expose critical data and systems or enable attackers to gain access to sensitive information or private services or to the main AWS (Amazon Web Services) console.

These “critical” security misconfigurations could be leaving remote SSH open to the entire internet which could allow an attacker to gain access to the remote server from anywhere, rendering network controls such as firewalls and VPN moot. Furthermore, the SSH traffic from the internet using the root account also has severe security repercussions.

Security misconfiguration vulnerabilities often occur due to insecure default configuration, side-effects of configuration changes, or just insecure configuration. This indicates the need for basic configuration auditing and security hygiene as well as automated processes. Instead of using traditional network controls, servers should be grouped by role, using automation to create small and secure network paths to build trust between peers.

Before we delve into the impact of security misconfiguration, let’s have a look at what security misconfiguration really means.

What is Security Misconfiguration?

Security misconfiguration is the implementation of improper security controls, such as for servers or application configurations, network devices, etc. that may lead to security vulnerabilities.

For example, insecure configuration of web applications could lead to numerous security flaws including:

• Incorrect folder permissions
• Default passwords or username
• Setup/Configuration pages enabled
• Debugging enabled

A security misconfiguration could range from forgetting to disable default platform functionality that could grant access to unauthorized users such as an attacker to failing to establish a security header on a web server. Security misconfiguration can happen at any level of an application, including the web server, database, application server, platform, custom code, and framework.

The impact of a security misconfiguration in your web application can be far reaching and devastating. According to Microsoft, cybersecurity breaches can now globally cost up to $500 billion per year, with an average breach costing a business $3.8 million.

Making matters worse, one of the biggest myths about cybersecurity attacks is that they don’t impact small businesses because they’re too small to be targeted or noticed.

Busting this myth, Small Business Trends forecasted that at least 43% of cyberattacks are targeted specifically at small businesses. Fundamentally, security misconfigurations such as cloud misconfiguration are one of the biggest security threats to organizations.

In fact, it was a cloud misconfiguration that caused the leakage of nearly 400 million Time Warner Cable customers’ personal information. An outsider service provider had accidentally misconfigured the cloud storage and made it publicly available, exposing the company’s SQL database to everyone.

Security Misconfiguration Examples

To give you a better understanding of potential security misconfigurations in your web application, here are some of the best examples:

Example #1:  Default Configuration Has Not Been Modified/Updated

If you have not changed the configuration of your web application, an attacker might discover the standard admin page on your server and log in using the default credentials and perform malicious actions.

Example #2: Directory Listing is Not Disabled on Your Server

In such cases, if an attacker discovers your directory listing, they can find any file. Hackers can find and download all your compiled Java classes, which they can reverse engineer to get your custom code. They can then exploit this security control flaw in your application and carry out malicious attacks.

Example #3: Insecure Server Configuration Can Lead Back to the Users, Exposing Their Personal Information

Applications with security misconfigurations often display sensitive information in error messages that could lead back to the users. This could allow attackers to compromise the sensitive data of your users and gain access to their accounts or personal information.

Example #4: Sample Applications Are Not Removed From the Production Server of the Application

Many times these sample applications have security vulnerabilities that an attacker might exploit to access your server.

Example #5: Default Configuration of Operating System (OS)

The default configuration of most operating systems is focused on functionality, communications, and usability. If you have not updated or modified the default configuration of your OS, it might lead to insecure servers.

To protect your servers, you should build sophisticated and solid server hardening policies for all the servers in your organization. Use CIS benchmarks to help harden your servers.

How to Detect Security Misconfiguration: Identification and Mitigation

Security misconfiguration is a widespread problem that persists in many systems, networks, and applications, and it’s possible that you might have it as well. These misconfigurations can happen at any level of an IT infrastructure and enable attackers to leverage security vulnerabilities in the application to launch cyberattacks.

What are some of the most common security misconfigurations?

Some of the most common security misconfigurations include incomplete configurations that were intended to be temporary, insecure default configurations that have never been modified, and poor assumptions about the connectivity requirements and network behavior for the application.

With the rising complexity of operating systems, networks, applications, workloads, and frameworks, along with cloud environments and hybrid data centers, security misconfiguration is rapidly becoming a significant security challenge for enterprises. These environments are diverse and rapidly changing, making it difficult to understand and implement proper security controls for security configuration.

For instance, the lack of visibility when managing firewalls across cloud and hybrid environments and on-premise continue to increase security challenges and make compliance with privacy regulations and security difficult for enterprises.

Lack of visibility in your cloud platform, software, applications, networks, and servers is a leading contributor to security misconfigurations and increased risk.

A report found that almost one-third of networks had 100 or more firewalls for their environment and each firewall had a different set of rules to manage. Further, 34% of networks had 50% or less real-time visibility into their network security risks and compliance, which causes a lack of visibility across the entire infrastructure and leads to security misconfigurations.

Here are some more examples of security misconfigurations:

• Insecure admin console open for an application. These ports expose the application and can enable an attacker to take advantage of this security flaw and modify the admin controls.
• Idle virtual machines in the cloud: Often companies are not aware about idle virtual machines sitting in their cloud and continue to pay for those VMs for days and months on end due to poor lack of visibility in their cloud. These idle VMs may not be actively managed and may be missed when applying security patches.
• Outbound connections to a variety of internet services. These could reveal unintended behavior of the software in a sensitive environment.
• Legacy applications that are trying to establish communication with the applications that do not exist anymore. Hackers could replicate these applications and build communication with legacy apps.

In addition to this, web servers often come with a set of default features including QA features, debugging, sample applications, and many others, which are enabled by default. These features may provide a means to an attacker to circumvent security protocols and gain access to the sensitive information of your customers or your organization, through elevated privileges.

Attackers may also try to detect misconfigured functions with low concurrency limits or long timeouts in order to launch Denial-of-Service (DoS) attacks. Functions with low concurrency limit configuration could result in DoS attacks as the attacker just needs to invoke the misconfigured function several times until it is unavailable.

Functions which contain insecure sensitive information such as tokens and keys in the code or environment variables can also be compromised by the attackers and may result in data leakage.

How can you diagnose and determine security misconfigurations?

There are several ways you can quickly detect security misconfigurations in your systems:

• Scan hybrid environments and cloud infrastructure to identify resources. Use built-in services such as AWS Trusted Advisor which offers security checks.
• Verify that you have proper access control in place
• Set up alerts for suspicious user activity or anomalies from “normal” behavior. Unusual behavior may demonstrate where you have inadequate security controls in the configuration settings.
• Check for default configuration in the admin console or other parts of the server, network, devices, and application.

What is the Impact of Security Misconfiguration?

According to a report by IBM, the number of security misconfigurations has skyrocketed over the past few years. The report found that breaches related to security misconfiguration jumped by 424%, accounting for nearly 70% of compromised records during the year.

While companies are integrating better security practices and investing in cybersecurity, attackers are conducting more sophisticated attacks that are difficult to trace and mitigate quickly.

Human error is also becoming a more prominent security issue in various enterprises. These human errors lead to an array of security flaws including security misconfigurations, phishing attacks, malware, ransomware, insider threats, and many others.

Security misconfigurations can stem from simple oversights, but can easily expose your business to attackers. In some cases, misconfigured networks and systems can leave data wide open without any need for a security breach or attack by malicious actors.

A common security misconfiguration is leaving insecure sensitive data in the database without proper authentication controls and access to the open internet.

One of the most notable breaches caused due to security misconfiguration was when 154 million US voter records were exposed in a breach of security by a Serbian hacker.

The database contained records of 154 million voters which included their names, ages, genders, phone numbers, addresses, marital statuses, congressional political parties, state senate district affiliations, and estimated incomes. The database was a CouchDB that required no authentication and could be accessed by anyone which led to a massive security breach.

In this example of security misconfiguration, the absence of basic security controls on storage devices or databases led to the exploitation of massive amounts of sensitive and personal data to everyone on the internet.

The more code and sensitive data is exposed to users, the greater the security risk. Failure to properly configure the lockdown access to an application’s database can give attackers the opportunity to steal data or even modify parts of it to conduct malicious activities.

How Can You Prevent Security Misconfiguration?

The first and foremost step to preventing security misconfiguration is learning the behavior of your systems, and understanding each critical component and its behavior.

To do this, you need to have a precise, real-time map of your entire infrastructure, which shows flows and communication across your data center environment, whether it's on hybrid cloud, or on-premises.

Once you have a thorough understanding of your systems, the best way to mitigate risks due to security misconfiguration is by locking down the most critical infrastructure, allowing only specific authorized users to gain access to the ecosystem.

Here are some effective ways to prevent security misconfiguration:

• Deploy a repeatable hardening process that makes it easy and fast to deploy another environment that is properly configured. The development, production, and QA environments should all be configured identically, but with different passwords used in each environment. Automate this process to reduce the effort required to set up a new secure environment.
• Regularly install software updates and patches in a timely manner to each environment. Or better yet, patch a golden image and then deploy that image into your environment.
• Build a strong application architecture that provides secure and effective separation of components.
• Run audits and scans frequently and periodically to help identify potential security misconfigurations or missing patches.
• Maintain a well-structured and maintained development cycle. This will help ensure the security testing of the application during the development phase.
• Educate and train your employees on the importance of security configurations and how they can impact the overall security of the organization.
• Encrypt data-at-rest to help protect information from being compromised.
• Apply proper access controls to both directories and files. This helps offset the vulnerability of unprotected directories and files.
• If implementing custom code, use a static code security scanner before integrating the code into the production environment. Dynamic testing and manual reviews by security professionals should also be performed.
• Use a minimal platform without any unnecessary features, samples, documentation, and components. Remove or do not install insecure frameworks and unused features.
• Review cloud storage permissions such as S3 bucket permissions. Review and update all security configurations to all security patches, updates, and notes as a part of the patch management process.
• Implement an automated process to ensure that all security configurations are in place in all environments.

Final Thoughts

Dynamic and complex data centers are only increasing the likelihood of security breaches and the risk of human error, as we add more external vendors, third-party suppliers, and hybrid cloud environments.

The impact of a security misconfiguration has far-reaching consequences that can impact the overall security of your organization. Despite the fact that you may have implemented security controls, you need to regularly track and analyze your entire infrastructure for potential security vulnerabilities that may have arisen due to misconfigurations.

Remember that having visibility in a hybrid cloud environment can give you an edge and help you fight security misconfiguration.

Cypress Data Defense provides a detailed map of your cloud infrastructure as the first step, helping you to automatically detect unusual behavior and mitigate misconfigurations in your security. Once you have identified your critical assets and vulnerabilities, you can use mitigation techniques to limit the attack surface and ensure the protection of your data.