What is a security misconfiguration?
A security misconfiguration occurs when system or application configuration settings are missing or are erroneously implemented, allowing unauthorized access. Common security misconfigurations can occur as a result of leaving default settings unchanged, erroneous configuration changes or other technical issues. They can occur in applications, cloud infrastructure, networks and elsewhere. Misconfigurations are widely regarded as the top cloud vulnerability.
To better understand what a security misconfiguration is, let’s look at an analogy and a real-life example. Here is the analogy:
Consider a large bank. It has all the modern security controls at the main entrance: a metal detector, an x-ray scanner for belongings, security cameras, security guards at and around the gate, and additional security resources on call if needed. The layered security arrangements at the gate make it difficult for anyone with malicious intent to enter through the main entrance of the bank. However, in the same bank, there’s an elevator that connects the bank to the parking lot. The only security at the parking lot entrance is an unarmed guard. This unarmed guard could prove to be a weak link and provide a way for an intruder to get into the bank. The unarmed guard is quite akin to a security misconfiguration. How can the bank fix this misconfiguration? It can do so by applying some of the rigorous security measures it uses at its main entrance to the parking lot entrance as well.
Now, a real-life example:
In 2017, the Australian Broadcasting Corporation (ABC) suffered a data breach. Kromtech, a security outfit, revealed that they had identified a trove of sensitive ABC data, including emails, logins, hashed passwords, and MySQL backups from the last couple of years. The reason for this data breach was a poorly secured public-facing Amazon Web Services (AWS) S3 bucket. The misconfiguration in the AWS S3 bucket was detected just a week after AWS introduced new S3 encryption and security features. These settings seemed to have been overlooked as a part of ABC’s S3 configurations.
Why do security misconfigurations occur?
Security misconfigurations are caused by a variety of issues. Here are eight common issues:
Human error
A significant number of security misconfigurations happen due to human error. For example, Bob Diachenko, Kromtech’s chief communication officer, shared his thoughts after the ABC breach:
The most unfortunate part is that the issue occurred due to human error and not a malicious attack. It seems like every few days there is yet another data breach, ransomware threat or a new security flaw and companies or organizations must do more to be proactive in how they store sensitive data online.
Poor or weak encryption
The lack of encryption for data at rest and/or data in transit in applications or cloud instances can potentially expose confidential information. For example, an administrator may overlook configuring a cloud provider’s native encryption solution or they may misconfigure key management for data at rest.
Excess privilege
Excess privilege happens if an employee or a contractor is given more administrative rights or access than what is required for their job. For example, someone could be given excessive data access permissions for cloud storage containers. This often happens when an employee has moved roles within the organization, is a new hire but had privileges mirrored from an incorrect account, or has left the organization but didn’t have their access revoked in a timely manner.
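The three patterns in the paragraph above (a role move that leaves old rights behind, a new hire mirrored from the wrong account, and a leaver whose access was never revoked) can all be caught by a routine access review that compares what each account can do against what its current role needs. The following is an added example and not code from the original article or from Balbix; the role model, account records, field names and dates are constructed for illustration.

```python
from datetime import date

# Hypothetical role model: the permissions each job role actually needs.
ROLE_PERMISSIONS = {
    "support": {"tickets:read", "tickets:write", "customers:read"},
    "developer": {"repo:read", "repo:write", "ci:run"},
    "storage-admin": {"bucket:read", "bucket:write", "bucket:delete", "iam:edit"},
}

# Constructed account records in the shape a directory export might have.
# alice moved from storage-admin to developer and kept two admin rights;
# dave is a new support hire whose rights were mirrored from a storage-admin;
# carol-contractor has left but the account is still enabled.
ACCOUNTS = [
    {"user": "alice", "role": "developer", "previous_role": "storage-admin",
     "permissions": {"repo:read", "repo:write", "ci:run", "bucket:delete", "iam:edit"},
     "employment": "active", "last_login": date(2023, 3, 1)},
    {"user": "bob", "role": "support", "previous_role": None,
     "permissions": {"tickets:read", "tickets:write", "customers:read"},
     "employment": "active", "last_login": date(2023, 3, 2)},
    {"user": "carol-contractor", "role": "support", "previous_role": None,
     "permissions": {"tickets:read", "tickets:write", "customers:read"},
     "employment": "terminated", "last_login": date(2022, 11, 20)},
    {"user": "dave", "role": "support", "previous_role": None,
     "permissions": {"tickets:read", "customers:read", "bucket:read", "bucket:write"},
     "employment": "active", "last_login": date(2023, 2, 28)},
]

# Fixed "today" so the sample run is reproducible.
SAMPLE_TODAY = date(2023, 3, 10)


def audit_privileges(accounts, role_permissions, today, dormant_days=90):
    """Return (user, finding, details) tuples for accounts whose access
    exceeds what their current role needs, whose owner has left, or which
    have gone unused for longer than dormant_days."""
    findings = []
    for acct in accounts:
        # An enabled account for someone who has left is a finding regardless
        # of what it can do: every remaining permission is excess.
        if acct["employment"] != "active":
            findings.append((acct["user"], "terminated-but-active",
                             sorted(acct["permissions"])))
            continue
        needed = role_permissions.get(acct["role"], set())
        excess = acct["permissions"] - needed
        if excess:
            # Tag residue from a role change separately so the fix can target
            # the step that should have removed the old role's rights.
            reason = "role-change-residue" if acct["previous_role"] else "excess-privilege"
            findings.append((acct["user"], reason, sorted(excess)))
        if (today - acct["last_login"]).days > dormant_days:
            findings.append((acct["user"], "dormant", []))
    return findings


def run_sample():
    """Run the review over the constructed records with the fixed date."""
    return audit_privileges(ACCOUNTS, ROLE_PERMISSIONS, SAMPLE_TODAY)


if __name__ == "__main__":
    for user, finding, details in run_sample():
        print(f"{user:18} {finding:24} {' '.join(details)}")
```

In a real environment the account records would come from the identity provider and the role model from whoever owns each role; the point is that the comparison is mechanical once both exist, which is why reviews like this can run on a schedule rather than only when someone remembers.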
Misconfigured logging
Misconfigured logging happens as a result of logging settings being set incorrectly for an application, system or network. This type of misconfiguration could occur in a cloud network where logging is turned off, when there isn’t enough storage to capture logs or when logs capture insufficient information. In these situations, the effectiveness of using logs to detect network intrusions could be impacted.
Improper versioning
Misconfigurations due to improper versioning typically happen in storage applications. Versioning is typically used as an extra layer of data protection and/or data retention. For instance, in Amazon S3, versioning is a means of keeping multiple variants of an object in the same bucket. If object versioning is disabled in S3 buckets due to a misconfiguration, you may not be able to preserve and recover overwritten and deleted S3 objects.
Insecure services
Applications, whether they are on-premises or hosted in a cloud, should be configured to have secure authentication and data exchange. An example of an insecure service is when SSL has not been configured appropriately. Another example is when a service has been set to exchange credentials in plain text form.
Misconfigurations related to security tools
Security tools can also be the source of misconfigurations. Security tool misconfigurations could occur if a user does not install the latest signature files of an anti-malware tool, a user fails to enable antivirus software, a firewall is accidentally disabled or ports are left open on a firewall.
Using out-of-the-box settings
Out-of-the-box settings are typically configured to provide a good user experience. However, leaving out-of-the-box settings unchanged can also sometimes allow them to be easily exploited. Attackers can take advantage of default passwords, ports that are open by default or unused user accounts.
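Several of the categories above (missing encryption at rest, logging turned off, versioning not enabled, services exchanging credentials without TLS, default credentials and default-open ports) are all properties that can be read from a configuration snapshot and checked mechanically, which is the basis of the automated detection the article goes on to recommend. The following is an added example, not code from the original article or from Balbix: it runs a small set of such checks over a constructed inventory of two storage buckets and two services. The field names are assumptions about what an inventory export might contain, and the finding codes are invented here.

```python
# Constructed inventory snapshot (hypothetical field names) of two storage
# buckets and two network services. Nothing here is read from a live account.
INVENTORY = {
    "buckets": [
        {"name": "corp-backups", "public_access_block": False,
         "versioning": "Suspended", "default_encryption": None,
         "access_logging": False},
        {"name": "app-assets", "public_access_block": True,
         "versioning": "Enabled", "default_encryption": "aws:kms",
         "access_logging": True},
    ],
    "services": [
        {"name": "git-web", "tls": False, "auth": "basic",
         "admin_password_is_default": True,
         "listen_ports": [80, 22, 8080], "expected_ports": [443, 22]},
        {"name": "api-gateway", "tls": True, "auth": "oauth2",
         "admin_password_is_default": False,
         "listen_ports": [443], "expected_ports": [443]},
    ],
}


def audit_bucket(bucket):
    """Storage checks: public exposure, encryption at rest, versioning, logging."""
    findings = []
    if not bucket["public_access_block"]:
        findings.append("public-access-not-blocked")
    if bucket["default_encryption"] is None:
        findings.append("no-encryption-at-rest")
    if bucket["versioning"] != "Enabled":
        findings.append("versioning-not-enabled")
    if not bucket["access_logging"]:
        findings.append("access-logging-off")
    return findings


def audit_service(service):
    """Service checks: transport security, default credentials, open ports."""
    findings = []
    if not service["tls"]:
        findings.append("no-tls")
        # Password-based schemes over a plaintext channel expose the credential.
        if service["auth"] in ("basic", "form"):
            findings.append("credentials-in-plaintext")
    if service["admin_password_is_default"]:
        findings.append("default-admin-password")
    # Anything listening beyond the documented set is a default or a leftover.
    unexpected = set(service["listen_ports"]) - set(service["expected_ports"])
    for port in sorted(unexpected):
        findings.append(f"unexpected-open-port:{port}")
    return findings


def audit_inventory(inventory):
    """Map each asset name to its findings; assets with no findings are omitted."""
    results = {}
    for bucket in inventory["buckets"]:
        found = audit_bucket(bucket)
        if found:
            results[bucket["name"]] = found
    for service in inventory["services"]:
        found = audit_service(service)
        if found:
            results[service["name"]] = found
    return results


if __name__ == "__main__":
    for asset, found in audit_inventory(INVENTORY).items():
        print(f"{asset}: {', '.join(found)}")
```

The value of a check list like this is that each item maps to one of the misconfiguration classes above, so a finding immediately tells the owner which setting to change; running it against every snapshot turns a one-off review into continuous monitoring.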
The impact of security misconfiguration attacks
Security misconfigurations allow attackers to gain unauthorized access to networks, systems and data, which in turn can cause significant monetary and reputational damage to your organization.
What makes security misconfigurations so dangerous is that they can occur in many locations in your environment, including (but not limited to) the application stack, cloud services, the network layer, web and application servers, databases, virtual machines, containers, storage and in code.
The most recent Open Web Application Security Project (OWASP) Top 10 list places security misconfiguration errors at number six on the list. This is not surprising as security misconfigurations have been a consistent member of the top 10 list for many years.
They have also become the most important source of insecurity in the cloud, as outlined in the 2022 Cybersecurity Insiders Cloud Security report:
This year misconfigurations (23%) have clinched the top position as the number one security-related incident, surpassing exposed data by user (15%) and account compromise (15%) from last year.
The following real-life examples illustrate the impact of security misconfigurations in greater detail.
Security misconfiguration examples
In 2021, Nissan, a Japanese multinational automobile manufacturer, had some source code leaked online. A Swiss security researcher discovered that it was due to misconfiguration of a company Git server. The Git server was left exposed online with a default username and password of admin/admin.
Earlier, in May 2020, Mercedes-Benz experienced a similar breach. The Git server of Daimler AG, the company that owns the Mercedes-Benz brand, was compromised by a straightforward Google Dorking operation, an attacker technique that involves using search engines to find security flaws in publicly accessible servers.
Another example of an incident due to excess privileges was Shopify’s 2020 breach. It was caused by malicious insiders: two individuals of its support team. These individuals collaborated to steal transaction records containing information related to customer emails, names, addresses, and orders. The workers had permission to access its internal network to service customers but weren’t authorized to access the network for any other purpose. One co-conspirator stole merchant and customer data by taking screenshots of the data and by uploading the data to cloud storage.
The Atlassian JIRA data exposure incident in 2019 was one of the most significant exploits of a misconfiguration. JIRA project management software is used by 100,000 plus organizations. The misconfiguration issue was due to permissions being wrongfully assigned when a user created a filter or dashboard in JIRA. By default, access was set to “All users” and “Everyone” (public). Additionally, due to an authorization misconfiguration, the user selection feature listed every user’s username and email address. The exposed data could have provided attackers with access to a broad range of information including employee roles, employee names, email ids, upcoming milestones, secret projects, and features.
How to prevent security misconfigurations
Given that human error is the primary cause of security misconfigurations, one of the best strategies for prevention is to help employees make wise judgements and be more proactive in anticipating and catching misconfigurations early. Continuous education and training can be especially helpful.
However, while training is a good starting point, it alone is not sufficient. You should be monitoring your environment for misconfigurations on an ongoing basis. This is no longer a human-scale task due to the explosion of the attack surface and the huge range of potential security misconfigurations.
There are a number of ways that the Balbix Security Cloud can help you minimize the risk pertaining to misconfigurations:
- A comprehensive asset inventory: You can’t protect what you don’t know about. Your enterprise is constantly changing with devices and apps being added, reconfigured and retired. The lack of a unified up-to-date inventory can make cyber-risk management very difficult. This is where Balbix’s cyber asset attack surface management (CAASM) solution can help. CAASM is an emerging technology area that assists security teams to overcome asset visibility and exposure challenges. Balbix’s CAASM solution provides you with a comprehensive view of all your assets by ingesting, deduplicating and correlating data from your deployed IT and security tools.
- An inventory of your software bill of materials (SBOM): Traditional inventories only include devices and the software running on them. But since many security misconfigurations happen at the application level, it has become imperative that you have visibility not only into your software inventory but also into the SBOM for operating systems and applications. Balbix provides a comprehensive SBOM, updated in real time.
- The automatic detection of misconfigurations: Vulnerability assessment should involve much more than the identification of unpatched software vulnerabilities and simple configuration issues. Balbix’s Risk-Based Vulnerability Management (RBVM) solution helps you to prioritize and mitigate vulnerabilities, including misconfigurations, before they can be exploited.