The last part of the “most common cyber vulnerabilities” series covers “security misconfiguration,” a dangerous and insidious vulnerability that can have a catastrophic impact if not mitigated properly. The earlier parts of the series deal with other serious security vulnerabilities: injection flaws, buffer overflows, sensitive data exposure, and broken authentication.
Security misconfiguration is especially dangerous because misconfigured web servers and applications are easy to detect and then exploit. This article introduces the vulnerability and leaves you with practical ways to prevent it.
A security misconfiguration is any failure or error in implementing the security controls for a server or a web application. Even an environment built by several experienced professionals (systems administrators, DBAs, or developers) can be left with vulnerable gaps, and those gaps expose the organization to grave risk. Safeguards can fail at any level of the application stack: the web application platform, the web server and web application server, the database (containers or storage), the framework, custom code, and pre-installed VMs. Attackers reach these weaknesses through default accounts, rarely accessed web pages, infrequently updated applications, unprotected files and folders, directory listings, and so on. Once a system is compromised this way, sensitive data may be stolen or altered, and recovery is a time-consuming and costly affair.
A few typical examples of security misconfiguration are listed below:
- Applications and products running in production with debug mode enabled
- Running unneeded services on the system
- Improperly configured access to server resources and services
- Leaving default keys and passwords unchanged
- Incorrect exception handling, which can disclose unauthorized data, including stack traces
- Using default accounts with default credentials
Do I Have a Security Misconfiguration?
There is a fair chance that you have security misconfigurations in your production environments. The problem is evident at every level of the application stack. Traditional data centers face one of the most common security misconfigurations, leaving default configurations unchanged, which results in unexpected network behavior of the web application. In hybrid data centers and cloud environments the problem is harder because of the mix of complex applications, operating systems, and frameworks. The constant updates to these environments make it difficult to devise the right security safeguards, and without adequate visibility, heterogeneous environments are more likely to fall prey to this flaw. More advanced threats arising from security misconfiguration include:
- Creating new and unneeded administration ports for an application, which increases the possibility of remote attacks
- Outbound network connections to several Internet services, which can make the app behave abnormally in a critical environment
- Legacy applications (no longer in common use), which offer an easy entry point: an attacker can mimic the no-longer-existing app to establish an unauthorized connection
Impacts of Security Misconfiguration
Such vulnerabilities offer cybercriminals an easier way to gain unauthorized access to system data or functionality. Security misconfiguration can also lead to complete system compromise. If the compromised data or application is sensitive, this kind of flaw can damage the reputation and finances of the organization.
Real-Life Damages by Security Misconfiguration
The following examples from recent years illustrate the serious impact of this common flaw:
Case 1: Accidental S3 Data Leaks by AWS
The data of around 14 million Verizon subscribers was exposed on an unsecured Amazon S3 bucket. In this massive 2017 data exposure, customers’ phone numbers and account PINs were compromised. The data was accessible and downloadable by anyone who obtained the right web address.
Case 2: Accenture Exposed 137 GB of Data
Misconfigured security on servers hosted in Amazon’s S3 storage led to the 2018 compromise of highly sensitive Accenture data. Accenture’s Key Management System was publicly exposed and would have allowed an attacker to gain complete access to the organization’s encrypted data. The exposed servers contained various customer credentials and private keys used to sign in, all stored in plaintext.
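Both incidents come down to a bucket that granted access to everyone. As an added example (not from the article or from either company), the Python below checks an S3 bucket ACL (in the shape boto3’s get_bucket_acl returns) and a bucket policy document for grants to the AWS global groups or to any principal; the sample ACL and policy are constructed, and the bucket name and VPC id are placeholders.

```python
import json

# ACL grantee URIs for the AWS predefined global groups; a grant to either is public.
PUBLIC_GRANTEE_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                       "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def public_acl_grants(acl):
    """Return (group, permission) pairs an ACL (get_bucket_acl shape) gives to everyone."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def _principal_is_everyone(principal):
    """Principal "*" or {"AWS": "*"} both mean any AWS identity, including anonymous."""
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return principal == "*"


def public_policy_statements(policy_json):
    """Return (Sid, actions) of unconditioned Allow statements open to any principal."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    found = []
    for st in statements:
        # Conditioned statements (e.g. VPC-restricted) still merit review but are not flagged.
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        if _principal_is_everyone(st.get("Principal")):
            actions = st.get("Action", [])
            found.append((st.get("Sid", "<no sid>"), [actions] if isinstance(actions, str) else actions))
    return found


# Constructed sample resembling a leaky bucket; not data from either incident above.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-placeholder"}}},
]})
```

Run against real buckets by feeding in the responses of get_bucket_acl and get_bucket_policy; any non-empty result is a bucket to lock down.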
Six Security Practices That Prevent Security Misconfiguration
Implement the following practices correctly to protect your sensitive data from accidental exposure:
- Configure all environments (development, quality assurance, and production) identically, and use unique credentials for each of them. Automating the repeatable hardening process reduces effort and limits the chance of error.
- Keep only the features you need on the platform. Every additional feature or component increases the attack surface of the application, so remove unused features and frameworks from the app.
- Update the app regularly; this plays a vital role in keeping it secure from cybercriminals. Releasing the required patches and security notes (whenever needed) is an essential part of the patch management process. Also review cloud storage permissions (especially AWS S3 buckets).
- Send security directives (such as security headers) to clients as a matter of routine.
- Run an automated process that reviews all settings and configurations of each environment.
- Design the application architecture carefully to avoid security misconfiguration. Compartmentalizing the architecture into distinct segments helps you separate the various components.
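As an added example (not part of the article), the Python below automates the review called for in the fifth point over constructed configuration dicts: it flags the misconfigurations listed at the start of the article (debug mode, disclosed stack traces, directory listing, default credentials, unneeded services, missing security headers) and checks that each environment’s hardening settings match production’s. The credential list, service baseline and config keys are assumptions made for the illustration.

```python
# Default credential pairs that must never survive into production (constructed list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("guest", "guest")}
# Security headers a hardened web tier should send with every response.
REQUIRED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options", "X-Frame-Options")
# Services with no business purpose on a web tier (constructed baseline).
UNNEEDED_SERVICES = {"telnet", "ftp", "rsh"}


def audit_config(cfg):
    """Return (severity, message) findings for one environment's config dict."""
    findings = []
    if cfg.get("debug", False):
        findings.append(("high", "debug mode enabled"))
    if cfg.get("show_stack_traces", False):
        findings.append(("medium", "stack traces disclosed to clients"))
    if cfg.get("directory_listing", False):
        findings.append(("medium", "directory listing enabled"))
    for user, password in cfg.get("accounts", {}).items():
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(("critical", f"default credentials on account '{user}'"))
    for svc in cfg.get("services", []):
        if svc in UNNEEDED_SERVICES:
            findings.append(("medium", f"unneeded service running: {svc}"))
    sent = {h.lower() for h in cfg.get("response_headers", {})}
    for header in REQUIRED_HEADERS:
        if header.lower() not in sent:
            findings.append(("low", f"missing security header: {header}"))
    return findings


def _hardening_profile(env):
    """The settings that must be identical across development, QA and production."""
    return (env.get("debug", False), env.get("show_stack_traces", False),
            env.get("directory_listing", False), frozenset(env.get("services", [])))


def environments_match(envs):
    """Map each environment name to whether its hardening profile equals production's."""
    baseline = _hardening_profile(envs["production"])
    return {name: _hardening_profile(env) == baseline for name, env in envs.items()}


# Constructed sample configs; the values are illustrative, not from any real deployment.
SAMPLE_ENVS = {
    "production": {"debug": True, "directory_listing": True, "services": ["nginx", "telnet"],
                   "accounts": {"admin": "admin", "deploy": "unique-per-environment"},
                   "response_headers": {"X-Frame-Options": "DENY"}},
    "qa": {"debug": False, "show_stack_traces": True, "directory_listing": True,
           "services": ["nginx"], "accounts": {"admin": "admin"}, "response_headers": {}},
}
```

Wire the audit into the deployment pipeline so that any critical or high finding, or a mismatch between environments, fails the build before the configuration reaches production.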
Security misconfiguration is the result of improperly implemented security controls in a web application, so sound defensive practices can save you from such a mishap.
Security misconfiguration is a persistent problem, but awareness of the company’s security policy can minimize the risk. Applying regular patches to the application and the required network security measures are among the best practices. To outsmart cyber attackers, organizations need to update their security measures from time to time. Otherwise, the repercussions will affect not only the organizations but also the customers who blindly trust them.