Security Misconfiguration: Impact, Examples and Prevention
Security misconfiguration occurs when security settings are not adequately defined in the configuration process or maintained and deployed with default settings.
This might impact any layer of the application stack, cloud or network. Misconfigured clouds are a central cause of data breaches, costing organizations millions of dollars.
Vulnerabilities are generally introduced during configuration. Typical misconfiguration vulnerabilities occur with the use of the following:
A misconfiguration may take place for a variety of reasons. Today’s network infrastructures are intricate and continually changing, so organisations might overlook essential security settings; network equipment, for example, may still be running its default configuration.
Even if an organisation has secured the configurations of its endpoints, it must still audit security controls and configurations regularly to identify configuration drift. New equipment is added to the network, systems change and patches are applied, all of which can introduce misconfigurations.
Developers may create network shares and firewall rules for convenience while building software and then leave them in place unchanged. Sometimes administrators permit configuration modifications for troubleshooting or testing purposes, but these are never returned to their initial state.
Employees often temporarily disable an antivirus if it blocks particular actions (such as running installers) and then forget to re-enable it. It is estimated that over 20% of endpoints have outdated anti-malware or antivirus.
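As an added illustration of the drift described above (example code, not from the original article), the following audit compares a constructed baseline with a constructed snapshot, treats troubleshooting changes as approved only while their exception has not expired, and flags settings still at vendor defaults. All host names, setting names and values are invented for the example.

```python
"""Detect configuration drift against a security baseline: unapproved changes,
troubleshooting exceptions that were never rolled back, and vendor defaults."""
from datetime import date

# Constructed data (assumption, not from the article): the settings each host
# should have, what is currently observed, and approved temporary exceptions.
BASELINE = {
    "fw-edge-1": {"default_policy": "deny", "mgmt_from": "10.0.9.0/24", "snmp_community": "ops-ro"},
    "ws-0042":   {"av_realtime": "on", "smb_shares": "none", "local_admin_enabled": "no"},
}
SNAPSHOT = {
    "fw-edge-1": {"default_policy": "deny", "mgmt_from": "0.0.0.0/0", "snmp_community": "public"},
    "ws-0042":   {"av_realtime": "off", "smb_shares": "build_out", "local_admin_enabled": "no"},
}
# Changes allowed for testing or troubleshooting; each must carry an expiry date.
EXCEPTIONS = {
    ("ws-0042", "smb_shares"): date(2099, 1, 1),   # still approved
    ("ws-0042", "av_realtime"): date(2020, 1, 1),  # disabled for an installer, never re-enabled
}
# Values that show a device was never taken off its vendor defaults.
VENDOR_DEFAULTS = {"snmp_community": {"public", "private"}, "mgmt_from": {"0.0.0.0/0"}}
TODAY = date(2024, 6, 1)  # fixed date so the example is reproducible

def audit(baseline, snapshot, exceptions, today=TODAY):
    """Return (host, setting, finding, observed) tuples; one finding per setting."""
    findings = []
    for host, expected in baseline.items():
        observed = snapshot.get(host, {})
        for key, want in expected.items():
            got = observed.get(key, "<missing>")
            expiry = exceptions.get((host, key))
            if got in VENDOR_DEFAULTS.get(key, ()):
                findings.append((host, key, "vendor-default", got))
            elif got == want:
                continue                       # matches the baseline
            elif expiry is None:
                findings.append((host, key, "unapproved-drift", got))
            elif expiry < today:
                findings.append((host, key, "expired-exception", got))
            # an unexpired exception is an approved, tracked deviation
    return findings

if __name__ == "__main__":
    for host, key, finding, got in audit(BASELINE, SNAPSHOT, EXCEPTIONS):
        print(f"{host}: {key}={got!r} ({finding})")
```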
Security misconfigurations can be the result of relatively simple oversights, but can expose an application to attack. In certain instances, misconfiguration may leave information exposed, so a cybercriminal won’t even need to carry out an active attack. The more code and data exposed to users, the bigger the risk for application security.
For example, a misconfigured database server can cause data to be accessible through a basic web search. If this data includes administrator credentials, an attacker may be able to access further data beyond the database, or launch another attack on the company’s servers.
In the case of misconfigured (or absent) security controls on storage devices, huge amounts of sensitive and personal data can be exposed to the general public via the internet. Generally, there is no way of discovering who might have accessed this information before it was secured.
Directory listing is another common issue with web applications, particularly those built on existing frameworks such as WordPress. When it is enabled, users can browse the file structure freely, so they can easily discover and exploit security vulnerabilities.
If you cannot block access to an application’s structure, attackers can exploit it to modify parts of the application or reverse-engineer it. This is hard to control if an application is delivered to mobile devices. As OWASP notes, moving to mobile applications weakens an organisation’s control over who can view or modify the code, because the business and presentation layers of the application are deployed on the mobile device rather than on a proprietary server.
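The following added example (not from the original article or from the Apache project) audits an Apache configuration for directories where listing is effectively enabled. It applies the Options merge rules, so a block that only adds an option with `+` is shown inheriting Indexes from its parent; the sample configuration is constructed and assumes a Debian-style default vhost.

```python
"""Audit an Apache config for directories whose effective Options enable Indexes."""
import re
# Constructed sample (assumption: Debian-style default vhost, not from the article).
SAMPLE_CONF = """
Options FollowSymLinks
<Directory /var/www/>
    Options Indexes FollowSymLinks
</Directory>
<Directory /var/www/html/wp-content/uploads>
    Options -Indexes
</Directory>
<Directory /var/www/html/wp-includes>
    Options +ExecCGI
</Directory>
"""

def parse_options(conf):
    """Map each <Directory> path ('' = server scope) to its Options lines, in order."""
    scopes, current = {"": []}, ""
    for line in conf.splitlines():
        line = line.strip()
        block = re.match(r'<Directory\s+"?([^">]+?)"?\s*>', line, re.I)
        if block:
            current = block.group(1).rstrip("/") or "/"
            scopes.setdefault(current, [])
        elif line.lower() == "</directory>":
            current = ""
        elif line.lower().startswith("options "):
            scopes[current].append(line.lower().split()[1:])  # tokens, lower-cased
    return scopes

def is_ancestor(parent, path):
    return parent in ("", "/", path) or path.startswith(parent + "/")

def effective_options(scopes, path):
    """Apache merge rule: +/- tokens adjust the inherited set, a plain line replaces it."""
    opts = set()
    for scope in sorted((p for p in scopes if is_ancestor(p, path)), key=len):
        for tokens in scopes[scope]:
            if any(t[0] in "+-" for t in tokens):
                for t in tokens:
                    (opts.discard if t[0] == "-" else opts.add)(t.lstrip("+-"))
            else:
                opts = set(tokens)
    return opts

def listing_enabled(conf):
    """Directories where Indexes is in effect, including those that inherit it."""
    scopes = parse_options(conf)
    return sorted(p for p in scopes if p and "indexes" in effective_options(scopes, p))
```

Replacing the DocumentRoot line with `Options FollowSymLinks` (or adding `Options -Indexes`) clears both findings, since the wp-includes block only inherits Indexes.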
The following are common occurrences in an IT environment that can lead to a security misconfiguration:
Here are a few real-life attacks that caused damage to major organisations as a result of security misconfigurations:
The initial step you need to take is to learn the features of your system, and to understand each key part of its behaviour.
To achieve this, you need a real-time, accurate map of your whole infrastructure that shows the communications and data flows across your data centre environment, whether on-premises or in a hybrid cloud.
Once you understand your systems, you can mitigate the risks of security misconfiguration by keeping the most essential infrastructure locked down and permitting only a limited set of authorised users to access it.
Here are some efficient ways to minimise security misconfiguration:
NeuraLegion’s Nexploit automates the detection of security misconfiguration and hundreds of other vulnerabilities. The reports come with zero false-positives and clear remediation guidelines for the whole team. Nexploit’s integration with ticketing tools like Jira helps you keep track of all the findings and assigned team members.
Bright Security are no exception, but we were impressed with their customer portfolio. Here are some of the brands they work with: