Welcome back to our ten-part blog series on the OWASP Top Ten list of 2021, where we are taking a light look at the common threats in the digital space that organisations face. In the fifth instalment of the series, today’s focus is on the often-underestimated area of Security Misconfigurations.
What are Security Misconfigurations?
Security misconfigurations occur when security settings are incorrectly defined, implemented, or maintained. Imagine being tasked with installing a fence around a property, only to find that the fence posts are too short, insufficient in number, or blow over with the slightest nudge. In the digital world, this often happens because of insecure default configurations, incomplete or ad hoc settings, open cloud storage, unnecessary services left running, and more. These gaps in your digital “fence” give attackers unauthorised access to system data and functionality that should otherwise be out of reach, potentially leading to a data breach.
Common Examples of Security Misconfigurations
- Default Credentials: Leaving default or out-of-the-box usernames and passwords unchanged, which are often easily guessable or well-known.
- Unnecessary Services: Services that should not be running on a system add to the attack surface unnecessarily.
- Incomplete Configurations: Not configuring all security settings or not following best practices.
- Outdated Software: Failing to apply security updates and patches, or running unsupported (end-of-life) software.
- Verbose Error Messages: Displaying detailed error messages containing sensitive information that could aid an attacker.
- Open Cloud Storage: Misconfigured cloud services that lead to unintended data exposures.
- Incorrect Folder Permissions: Failing to set proper file and directory permissions and access controls.
How to Prevent Security Misconfigurations
Preventing security misconfigurations is never a one-and-done process. It benefits greatly from a multi-faceted approach, often involving a combination of process, technology, and ongoing vigilance. It is important to establish a robust policy framework to enable the regular maintenance of systems, possibly using automated tools to enforce these policies effectively.
A proactive approach like this can benefit greatly from continuous training and awareness exercises, ensuring that cyber security is an integral part of your organisational culture. Moving on, let’s take a look at actionable measures to carry out and follow:
- Secure Configuration Standards and Benchmarks
Establish a robust foundation by adhering to secure configuration standards and benchmarks, using guidance from recognised entities such as the National Cyber Security Centre (NCSC) and the Center for Internet Security (CIS). These resources offer a wealth of best practices that can help organisations define and maintain secure configurations across their digital infrastructure.
- Automated Configuration Management Tools
Utilise specialised software to enforce and maintain secure settings across your network. Cloud-specific tools such as AWS Config or Azure Policy help ensure compliance in cloud environments. For monitoring, SIEM tools like Splunk can track configuration changes and alert on potential security issues. Scanning tools like Qualys or Nessus can be helpful for vulnerability and compliance assessments. Together, these tools maintain the integrity of your security posture with minimal manual overhead.
- Regular Auditing and Remediation
Regularly scheduled audits, benchmarked against standards like ISO/IEC 27001, are critical to ensure security configurations remain robust. These comprehensive evaluations should include all environments, from development through to production, ensuring that every aspect of the infrastructure aligns with the requirements outlined by recognised security management frameworks.
- Patch Management Process
Implement a robust patch management process to ensure that all software is up to date with the latest security patches. Prioritise patches based on severity and follow a systematic approach that includes inventory tracking and regular patch deployment cycles.
- Least Privilege Principle
Adopt the principle of least privilege by granting users and systems only the minimum access they need to perform their tasks. This reduces the attack surface by limiting the reach of a potential breach and restricts data exposure, ensuring access is only as extensive as the specific role or function requires.
- Error Handling
Ensure your systems are configured to avoid exposing sensitive details in error messages. Instead of specific errors, use generic responses for users, such as “An error has occurred,” and record the detailed error information securely in internal logs. This approach protects against leaking information that could be exploited by an attacker while retaining the necessary data for internal debugging and resolution by relevant members of the team.
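An added illustration of this guidance, not code from the original post: a misconfigured handler that echoes the exception and stack trace to the client, beside a hardened handler that returns the generic message above and records the full detail, with a correlation reference, in an internal log. The in-memory log buffer and the simulated database failure are constructed for the example.

```python
import logging
import traceback
import uuid
from io import StringIO

# Constructed internal log sink. In a real deployment this would be a file or a
# SIEM forwarder that end users can never read.
_log_buffer = StringIO()
logger = logging.getLogger("app.errors")
logger.setLevel(logging.ERROR)
logger.addHandler(logging.StreamHandler(_log_buffer))
logger.propagate = False


def verbose_error_response(exc: Exception) -> dict:
    """Misconfigured handler: leaks exception text and stack trace to the client."""
    return {"status": 500, "body": f"{exc!r}\n{traceback.format_exc()}"}


def safe_error_response(exc: Exception) -> dict:
    """Hardened handler: generic message for the client, full detail to the log."""
    # Short reference so support staff can locate the log entry for this request.
    ref = uuid.uuid4().hex[:12]
    logger.error("ref=%s type=%s msg=%s\n%s",
                 ref, type(exc).__name__, exc, traceback.format_exc())
    return {"status": 500, "body": f"An error has occurred (reference {ref})."}


def internal_log() -> str:
    """Return everything written to the internal log so far."""
    return _log_buffer.getvalue()


def simulate_db_failure(handler):
    """Raise a constructed failure whose message carries internal details,
    then route it through the given error handler as a web framework would."""
    try:
        raise ConnectionError("could not connect to db-prod-01 as user app_admin")
    except ConnectionError as exc:
        return handler(exc)


if __name__ == "__main__":
    print(simulate_db_failure(verbose_error_response)["body"])
    print(simulate_db_failure(safe_error_response)["body"])
    print("--- internal log ---")
    print(internal_log())
```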
- Continuous Security Training
Cyber security is a moving target, and continuous training for your development, operations, and security teams is vital. Understanding the latest threats and practices will help mitigate risks.
- Monitoring and Response
Finally, establish continuous monitoring and a rapid response plan. If a misconfiguration does occur, having the ability to detect and respond quickly is crucial in minimising impact.
Locking the Digital Doors
Just as you would not leave your physical doors and windows unlocked, the same vigilance is necessary for your cyber presence. Security misconfigurations can be subtle, creating vulnerabilities that are not always apparent until exploited. By implementing the recommendations above, organisations can reinforce their defences, making it much more challenging for attackers to find a way in.
When conducting penetration tests against a client’s web application, the team at CyberWhite follow the OWASP framework closely. This allows us to check applications against the OWASP Top Ten list, including security misconfigurations as explored in this blog post.