Understanding the impact of security misconfiguration

Author: Gary Hilson

While the impact of security misconfiguration is wide-ranging, it is often given less weight than phishing, ransomware, malware and the other attack techniques threat actors rely on. Recent incidents at Facebook, Instagram and Twitch have brought the impact of security misconfiguration to light.

A misconfiguration can lead to a massive data breach, with financial repercussions such as a temporary loss of business, customers lost through eroded trust (and, with them, revenue), litigation costs and possible regulatory fines. When attackers exploit a misconfiguration to wreak havoc on network infrastructure and software, they impair employee productivity and customer transactions and can immobilize a business to the point where it cannot operate.

The 2021 Verizon Data Breach Investigations Report found misconfigurations across all industries. Although they are not top of mind for many cyber security teams compared with more familiar categories of attack, the good news is that they are largely preventable. Mitigating the impact of security misconfiguration is easier when you have a strong security policy and a patch management system in place.

Misconfiguration takes many forms

Security misconfiguration shows up in many ways in software and hardware. It can be as simple as a device to which the organization's security policy was never applied. Unfortunately, threat actors have tools that scan for common misconfigurations so they can exploit them.

Misconfiguration examples in software, web services and hardware include:

  • Running outdated software: This could be as simple as an external website running WordPress with old plugins, or desktop software the vendor no longer supports with security updates.
  • Not keeping up with patches: Even if the software is current, patching and updating must be kept on schedule. Otherwise, attackers will take advantage of the known vulnerabilities that each missed patch leaves open.
  • Inadequate access controls: Not changing default keys and passwords makes it easy for threat actors to gain entry to your network infrastructure, as does failing to remove unused permissions or the accounts of departed employees. Sometimes access is simply set up incorrectly, or the rules for accessing applications and data are so permissive that people can reach systems they do not need.
  • Running unnecessary services or features: Enabling every service available in a software suite or on a server or virtual machine hands threat actors more options. If no one needs it, shut it off.
  • Inadequate remote access controls: With many employees working from home, it is even more important to limit the exposure of remote access services by using firewalls, virtual private networks (VPNs) and a layered approach to security that includes intrusion detection and zones of permission.
  • Inadequate hardware management: Routers, switches and workstations are all endpoints that attackers can use to reach applications and data through unsecured ports and overly permissive network traffic rules. They need firmware and software updates applied as soon as the vendor releases them.
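The checks in the list above translate fairly directly into an automated audit. The script below is an added example, not code from the original article or from Verizon: it runs the list's checks (outdated packages, default or idle credentials, unnecessary services, administrative ports exposed to the whole internet) over a single constructed host inventory record. The record layout, the hostname, the version baselines, the list of known default passwords, the approved-service list and the 90-day idle threshold are all assumptions chosen for illustration; a real audit would pull them from inventory, vulnerability feeds and policy.

```python
"""Audit one host record for the misconfiguration classes listed above.

Added example, not from the original article. The record layout, hostname,
version baselines, default-password list and thresholds are assumptions
chosen for illustration.
"""
import hashlib
import ipaddress
from datetime import date


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Policy inputs (assumed for the example).
MIN_VERSIONS = {"wordpress": "6.4", "openssh": "9.6"}   # lowest acceptable release
DEFAULT_PASSWORD_HASHES = {sha256(p) for p in ("admin", "password", "root", "123456")}
NEEDED_SERVICES = {"sshd", "nginx", "mysqld"}            # everything else is surplus
ADMIN_PORTS = {22, 3306, 3389, 5432}                     # must never be open to 0.0.0.0/0
STALE_DAYS = 90                                          # accounts idle longer are flagged
TODAY = date(2024, 6, 1)                                 # fixed so the example is deterministic

# Constructed inventory record for a hypothetical web server.
HOST = {
    "name": "web-01",
    "packages": {"wordpress": "5.2.4", "openssh": "9.6"},
    "accounts": [
        {"user": "admin", "password_sha256": sha256("admin"), "last_login": "2024-05-20"},
        {"user": "jsmith", "password_sha256": sha256("Tq9!xLw"), "last_login": "2023-06-11"},
        {"user": "deploy", "password_sha256": sha256("r8$Qz!vB2"), "last_login": "2024-05-01"},
    ],
    "services": ["sshd", "nginx", "telnetd", "mysqld"],
    "firewall": [
        {"port": 443, "src": "0.0.0.0/0"},
        {"port": 22, "src": "0.0.0.0/0"},
        {"port": 3306, "src": "10.0.0.0/8"},
    ],
}


def version_tuple(version: str) -> tuple:
    """Turn '5.2.4' into (5, 2, 4) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit(host: dict, today: date = TODAY) -> list:
    """Return (finding-type, detail) pairs; an empty list means nothing was flagged."""
    findings = []

    # Running outdated software: compare each package against the baseline release.
    for pkg, ver in host["packages"].items():
        baseline = MIN_VERSIONS.get(pkg)
        if baseline and version_tuple(ver) < version_tuple(baseline):
            findings.append(("outdated-software", f"{pkg} {ver} is below baseline {baseline}"))

    # Inadequate access controls: default credentials and accounts nobody uses any more.
    for acct in host["accounts"]:
        if acct["password_sha256"] in DEFAULT_PASSWORD_HASHES:
            findings.append(("default-credentials", acct["user"]))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > STALE_DAYS:
            findings.append(("stale-account", f"{acct['user']} idle for {idle} days"))

    # Unnecessary services: anything running that is not on the approved list.
    for svc in host["services"]:
        if svc not in NEEDED_SERVICES:
            findings.append(("unnecessary-service", svc))

    # Overly permissive network rules: administrative ports reachable from anywhere.
    for rule in host["firewall"]:
        source = ipaddress.ip_network(rule["src"])
        if rule["port"] in ADMIN_PORTS and source.prefixlen == 0:
            findings.append(("exposed-admin-port", f"tcp/{rule['port']} open to {rule['src']}"))

    return findings


if __name__ == "__main__":
    for kind, detail in audit(HOST):
        print(f"{HOST['name']}: {kind}: {detail}")
```

Run against the constructed record, the audit flags the outdated WordPress, the admin account still on its default password, the departed user's idle account, the surplus telnet daemon and SSH exposed to the whole internet; port 443 open to the world is not flagged because it is not an administrative port, and MySQL restricted to the internal range passes. Comparing password hashes against a list of known defaults rather than storing plaintext is the usual way to run this check without the audit tool itself becoming a credential store.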

Attackers have many tools at their disposal to probe vulnerable systems and home in on a security misconfiguration, which can be found at any level of the application stack—anywhere from web servers to databases and custom code or pre-installed software on a variety of devices.

Some attacks are direct: threat actors go after a specific target with phishing, malware or other exploits because they know that target's data is worth acquiring. An indirect attack is when user credentials are stolen from one website and reused elsewhere, which gives the attacker access to multiple accounts if the user has the same password and login details on each. It is also worth noting that human error, for instance leaving sensitive data reachable from the public internet without proper authentication controls, is becoming a more prominent security concern and gives threat actors easy access.

How to mitigate the impact of security misconfiguration

You may not immediately see the impact of security misconfiguration, but there are warning signs to watch for.

Users or administrators may see notifications of multiple login attempts, a device that's installing software on its own, contacts receiving messages the user didn't send and web searches being redirected. The challenge is the average employee may not realize this is a sign their device security has been compromised and that the organization is at risk.
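The first warning sign above, a burst of failed login attempts, is something a small detection rule can surface automatically rather than waiting for a user to notice. The script below is an added example, not from the original article or from Verizon: it parses constructed sshd log lines in syslog format, counts failures per source address inside a sliding two-minute window, and records whether a successful login from the same address followed the burst, which is the trace a password-guessing attack that eventually succeeded leaves behind. The log lines, hostname, addresses (from the RFC 5737 documentation ranges), the five-failure threshold and the two-minute window are all constructed for the example.

```python
"""Flag bursts of failed sshd logins and any success that follows them.

Added example, not from the original article. The log excerpt is constructed;
the threshold of five failures within two minutes is an assumed tuning value.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log excerpt in syslog format (no year, as sshd writes it).
LOG = """\
Jun  1 08:00:01 web-01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun  1 08:00:04 web-01 sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jun  1 08:00:09 web-01 sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
Jun  1 08:00:15 web-01 sshd[2207]: Failed password for deploy from 203.0.113.7 port 51052 ssh2
Jun  1 08:00:22 web-01 sshd[2209]: Failed password for deploy from 203.0.113.7 port 51060 ssh2
Jun  1 08:00:30 web-01 sshd[2211]: Failed password for deploy from 203.0.113.7 port 51071 ssh2
Jun  1 08:00:41 web-01 sshd[2213]: Accepted password for deploy from 203.0.113.7 port 51080 ssh2
Jun  1 08:03:10 web-01 sshd[2220]: Failed password for jsmith from 198.51.100.9 port 40012 ssh2
Jun  1 08:03:20 web-01 sshd[2222]: Failed password for jsmith from 198.51.100.9 port 40013 ssh2
Jun  1 08:05:00 web-01 sshd[2230]: Accepted publickey for deploy from 10.0.0.5 port 33000 ssh2
"""

# The fields we need: timestamp, outcome, user name and source address.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse(log: str, year: int = 2024):
    """Yield (timestamp, outcome, user, ip) for each sshd auth line; other lines are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["outcome"], m["user"], m["ip"]


def detect(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> list:
    """Return one alert per source address that reached `threshold` failures inside
    `window`. Each alert records the failure count, the time span, and the user name
    of any later successful login from that address (None if there was none)."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    alerts = {}                  # ip -> alert dict, created when the threshold is crossed
    for ts, outcome, user, ip in parse(log):
        if outcome == "Failed":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:        # age out failures older than the window
                q.pop(0)
            if len(q) >= threshold:
                if ip not in alerts:
                    alerts[ip] = {"ip": ip, "first": q[0], "last": ts,
                                  "failures": len(q), "success_after": None}
                else:
                    alerts[ip]["failures"] += 1
                    alerts[ip]["last"] = ts
        elif ip in alerts:
            # A success from an address that was just guessing passwords is the real alarm.
            alerts[ip]["success_after"] = user
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect(LOG):
        print(f"{a['ip']}: {a['failures']} failures {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}, "
              f"then success as {a['success_after'] or 'none'}")
```

On the constructed excerpt only 203.0.113.7 crosses the threshold, and the rule also notes that the same address then logged in as deploy, which is the case an analyst should look at first; the two failures from 198.51.100.9 stay below the threshold and produce nothing. Raising the threshold to seven silences the alert entirely, which is the trade-off to keep in mind when tuning: a threshold that is too high lets a slow, patient attacker through.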

Lack of cyber security knowledge is one of the leading human factors in breaches. Threat actors succeed because employees are focused on their own work. They may not fully appreciate the need for strong passwords, the danger of using shadow IT or why it is important to follow the rules for handling sensitive data. Creating a culture where every employee is aware of threats to security and able to spot suspicious activity and respond accordingly is essential.

Having the right IT security team in place will help create that culture. The IT security team can put strong security policy controls in place, supported by proper patch management and automation where possible. Of course, cyber security analysts cannot investigate every anomaly. They need to be in a position where most routine threats are remediated automatically, so that their time goes to the significant ones, which they can escalate and resolve quickly and efficiently.

Because the opportunities for security misconfigurations are plentiful, getting a handle on them may seem like a daunting task. But with the right tools and systems in place, you can protect your organization from cyber threats and reduce the impact of security misconfigurations. A strong security posture can help to prevent misconfiguration vulnerabilities from happening in the first place.

Learn about the impact of security misconfigurations and how establishing a strong security policy for your organization can help reduce risks in the Verizon Data Breach Investigations Report.