Resolving Top Security Misconfigurations: What you need to know

One of the most common factors that can lead to cybersecurity incidents is a security misconfiguration in software or application settings. The default settings that come with the implementation of these tools and solutions are often not configured securely, and many organizations do not invest the time and resources into ensuring that they are.

Several regulatory organizations have established standards for avoiding security misconfigurations in order to prevent cyberattacks and accidental security breaches, maintain compliance with regulations, and strengthen the overall cybersecurity posture of any business. Cyber Security Hub recently recorded a webinar with Fortra’s Tyler Reguly about the top security misconfigurations to watch out for.

Industry Standards and Organizations

Some of the industry frameworks and regulations that have guidance around misconfigurations include:

• The Center for Internet Security (CIS) is a community-driven nonprofit organization, known mainly for the CIS Controls and CIS Benchmarks. There are 18 Critical Security Controls and 639 published benchmarks, as well as other resources provided by CIS, including hardened operating system images, CIS RAM (Risk Assessment Method), and Information Sharing and Analysis Centers.
• MITRE, another nonprofit, was established in an effort to advance national security and serve public interest. MITRE’s ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a knowledge base created to make awareness of cybercriminal activity the threat landscape globally accessible, used as a foundation for developing threat models and methodologies.
• The Defense Information Systems Agency (DISA), the IT provider for the Department of Defense, has established Security Technical Implementation Guides (DISA STIGs) developed by the DISA Risk Management Executive in order to give the DoD operationally implementable secure configuration guidance.
• The National Institute of Standards and Technology (NIST) has SP 800-53, a special publication breaking down security and privacy controls for information systems and organizations, sorted into 20 families. NIST developed this publication to fulfill certain new responsibilities mandated for the institute by the Federal Information Security Modernization Act (FISMA) in an effort to establish and maintain compliance.

Top Cybersecurity Misconfigurations

In an effort to help organizations and developers understand the most prevalent security misconfigurations to watch out for, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) red and blue teams have put together a list of the top ten cybersecurity misconfigurations. These misconfigurations have the potential to cause severe damage to businesses and even national security, so the list has been developed as “a plea for network defenders and software manufacturers to fix common problems.”

1. Default configurations of software and applications: using the built-in settings of software rather than customizing settings for optimal security.
2. Improper separation of user/administrator privilege: combining access and permissions, granting users unnecessary access to sensitive data.
3. Insufficient internal network monitoring: lack of oversight of internal networks.
4. Lack of network segmentation: network access enabling users to enter sensitive areas without additional authentication.
5. Poor patch management: inadequate updates and patches for security vulnerabilities.
6. Bypass of system access controls: leaving certain permissions open to reduce management load.
7. Weak or misconfigured multifactor authentication (MFA) methods: bypassing MFA or configuring it insecurely.
8. Insufficient access control lists (ACLs) on network shares and services: allowing users more access control permissions than necessary.
9. Poor credential hygiene: insufficient requirements for credentials such as password complexity.
10. Unrestricted code execution: allowing unrecognized code to run on devices without scanning for viruses or malware.

Tools to Prepare

There are a number of ways that organizations can prepare for and prevent security misconfigurations and the risks that arise from them. As is often the case, knowledge is foundational to security and defense. Organizations must understand the problems at hand, the best methods for preventing those problems, and the most efficient way to establish secure practices using the resources available.

First, it is vital to be aware of the various benchmarks, standards, and policies developed by industry experts and regulatory entities in order to aid in secure configuration. There are many resources for learning this information in different formats. Organizations are encouraged to read the official documentation, enroll in training courses, and attend vendor webinars.

It is also important to establish an understanding of the company resources at your disposal. This comes down to people, money, and tools. Each organization has its own expertise, budget, and arsenal of tools, and finding a balance between these resources is an essential part of ensuring security. Organizations with fewer people, for example, may have to use tools that are simpler, as complex tools require more management.

Conclusion

Security misconfigurations are some of the most common vulnerabilities that bad actors take advantage of in order to infiltrate organizations and launch attacks. These misconfigurations arise largely from a lack of understanding of the risks and dangers associated with improperly configured security settings. Security misconfigurations can lead to malware and ransomware, data breaches, and a wide range of other major security incidents.

Fortra’s Security Configuration Management (SCM) solution, Tripwire Enterprise, accounts for the most common problems and uses a process of asset discovery, baselining, change management, policy enforcement, and reporting and remediation in order to minimize security misconfigurations, prevent attacks, and maintain compliance.