Misconfigured security settings can be disastrous for a company’s cybersecurity. In 2019, for example, a researcher discovered a security misconfiguration in the popular project management tool Atlassian JIRA that allowed him to access a vast amount of confidential data from companies that used JIRA.
Unfortunately, Atlassian’s error is all too common. Configuration errors were responsible for almost one-third of data breaches in 2021 and are expected to cause 99 percent of all firewall breaches through 2023.
Finding and fixing misconfigurations should always be a cybersecurity priority. In this post we’ll cover what a security misconfiguration is, and how organizations can locate, remedy, and mitigate those errors.
What Is a Security Misconfiguration?
A security misconfiguration can occur when security settings are either (1) not implemented, or (2) deployed with errors. These errors create security gaps that expose the application and its data to a cyber attack or possible breach.
These errors can happen at any level of the application stack, including:
- Web or application servers
- Databases
- Network services
- Custom code
- Development platforms and frameworks
- Storage
- Virtual machines
- Cloud containers
What Can Security Misconfigurations Lead To?
A majority of configuration errors happen because system administrators fail to change the default configuration (also known as the “out of the box” account settings) of a device or application during installation. This error is problematic because many automated attacks start by testing whether a target’s systems use the default settings. By altering these settings, organizations can reduce the chance of such attacks succeeding.
For example, consider a system administrator keeping the default configuration on a CMS application. Without altering the default settings, the device, application, network, and system are vulnerable to exploits from an attacker who knows those settings (which, rest assured, are available on the dark web). Some threat research organizations estimate that misconfigurations are among the top 10 exploits that can lead to an attack.
A few of the more common causes of security misconfiguration errors and the threats they lead to are as follows.
Unpatched flaws
All software has flaws, but most software vendors soon issue patches to repair those flaws. When you don’t install the patch, attackers who already know the flaws will be able to penetrate your systems.
Unused pages and unnecessary service
Unused web pages and unnecessary features or services also allow attackers to gain unauthorized access to an enterprise application or device. These issues may result in cyberattacks such as command injections, brute force attacks, and credential stuffing exploits if left unchecked.
Inadequate access controls
Threat actors can gain entry into the network infrastructure by using default passwords, abandoned user accounts, or unused access permissions that admins did not update or remove. Overly permissive access rules also allow adversaries to cause chaos, including malware attacks and data compromise.
Unprotected files and directories
Files and directories not protected by strong security controls are vulnerable to cyberattacks. Hackers can identify platforms and applications that use easy-to-guess names and locations to garner valuable system information and orchestrate targeted attacks.
Predictable file names and locations can also expose admin interfaces and allow the adversary to get privileged access, configuration details, or business logic and even add, remove, or modify application functionality.
Poor coding practices and using vulnerable XML files
Many security misconfigurations can occur in Java web.xml files. Custom error pages or SSL may not be configured, or the code may be missing web-based access controls.
Coding errors may allow attackers to access parts of web applications via non-SSL and launch session hijacking attacks. Using URL parameters for session tracking or not setting a session timeout may also result in these attacks. Similarly, cookies without the HttpOnly flag can increase the possibility of cross-site scripting (XSS) attacks.
Disabled antivirus
Sometimes users temporarily turn off the antivirus if the antivirus overrides a particular action, such as running an installer. Once the user completes the installation, if he or she forgets to reactivate the antivirus, that leaves the organization vulnerable to hacks and data breaches.
Inadequate hardware management
Hackers use devices such as routers, switches, and endpoints to access enterprise applications and data by exploiting unsecured ports, overly permissive network traffic rules, and inadequately patched and maintained hardware.
How a Server Misconfiguration Can Create Vulnerabilities
Configuration errors create security vulnerabilities that hackers and cybercriminals can exploit. Server misconfigurations create vulnerabilities by exposing sensitive data, providing unauthorized access, and opening attack pathways. Below are some other common ways in which server misconfigurations can lead to an attack:
Exposes sensitive data
Configuration errors often result in unauthorized access to sensitive information. One reason is that nearly 73 percent of organizations have at least one critical security misconfiguration that could expose sensitive data, systems, or services to threat actors.
Prompts directory traversal attacks
Directory listing in a web application allows threat actors to browse and freely access the file structure and discover its security vulnerabilities. They can exploit these vulnerabilities to modify parts of the application and even reverse-engineer it.
Increases cyberattacks on mobile applications
Configuration mistakes can be a serious problem with mobile applications because the business and presentation layers are not deployed on a proprietary server under the organization’s control. Instead, the code is deployed on a mobile device that an attacker can physically access, modify, or reverse-engineer.
Creates remote attacks
Some critical misconfigurations allow attackers to access servers remotely and disable network and information security controls such as firewalls and VPNs. Unused open administration ports also expose the application to remote attacks.
Provides unauthorized access to the organization
Occasionally, legacy applications will attempt to communicate with non-existent applications. That creates a security gap that allows attackers to connect to the enterprise IT ecosystem, providing the attacker even more unauthorized access to the organization.
How Organizations Can Prevent Security Configuration Vulnerabilities
Security configuration errors are a widespread problem in any network, system, device, or application. Organizations can avoid them or minimize the chance of occurrence by following these best practices.
Pay attention to alerts
Configuration errors usually create warning signals that admins and developers should watch for. These alerts include notifications of multiple login attempts, devices that self-install software, and users’ web searches being redirected to unexpected websites. All these events can suggest compromised devices or applications.
Regularly patch all devices and software
Regular security patches and updates are vital to find and fix configuration errors. Admins can also patch a “golden image” (a virtual machine configured correctly) and deploy it into the entire environment.
Strengthen remote access controls
A layered remote security approach with intrusion detection systems, permission zones, firewalls, and virtual private networks (VPNs) can limit the vulnerabilities created by remote users. In general, all files and directories in both on-premise data centers and cloud environments must have strong access controls on a need-to-have basis.
Provide cybersecurity training and awareness to all users
A lack of cybersecurity knowledge can result in insecure practices and human errors, which increase the risk of breaches. Employees must be trained about the need for strong passwords, the dangers of “shadow IT” (that is, unauthorized hardware or software operating on your network), and the rules for handling sensitive data. A strong security culture is also vital to improve awareness of security threats, suspicious activities, and appropriate threat responses.
Follow secure coding practices
Secure coding practices are essential to prevent misconfiguration issues. Developers must ensure proper input/output data validation in the code, configure custom error pages and SSL, set a session timeout, never bypass authentication and authorization, and avoid using URL parameters for session tracking.
It’s also good practice to run custom static code through a security scanner before integrating it into the production environment.
Some other ways to avoid security misconfiguration errors are:
- Regularly monitor web application security and vulnerabilities
- Define and monitor non-default security settings for apps and programs
- Remove unused applications, programs, and features
- Change all default accounts, usernames, and passwords
- Develop an application architecture with secure separation of elements
- Encrypt data-at-rest and data-in-transit
ZenGRC Helps Protect Your Organization from Vulnerabilities
You can protect your organization from many vulnerabilities by identifying where misconfiguration errors occur. For such visibility, you need a tool like ZenGRC.
ZenGRC reveals information security risks across your business. See where security configuration and other errors are occurring so you can take quick action to minimize and manage vulnerabilities and minimize business exposure.
With ZenGRC, you can simplify threat and risk management, compliance, audits, governance, and even policy management from one centralized application. Manage risk and compliance easily and guide your organization to greater operational confidence. Schedule a demo to discover the full power of ZenGRC.