
In 2019, security researcher Avinash Jain found a security misconfiguration in Atlassian JIRA, a project management software used by more than 100,000 organizations and government agencies worldwide.
The error allowed him to access a vast amount of sensitive data at these organizations, including employees’ names, email addresses, and confidential details about internal secret projects. A few days after the error was discovered, an Atlassian community member published a post about how affected companies could fix it.
The JIRA misconfiguration error would have allowed anyone to access the sensitive information with a simple search query. Unfortunately, such errors are common and leave thousands of organizations vulnerable to serious cyberattacks and data breaches. Configuration errors were responsible for almost one-third of data breaches in 2021 and are expected to cause 99 percent of all firewall breaches through 2023.
Needless to say, your organization must pay more attention to this serious problem.
So what is a security misconfiguration? How can your organization find, fix, and avoid security misconfiguration errors? This guide will explore those issues.
What Is a Security Misconfiguration?
A security misconfiguration arises when essential security settings are either not implemented or implemented with errors. Such errors create dangerous security gaps that leave the application and its data (and thus the organization itself) open to a cyber attack or breach.
These errors can happen at any level of the application stack, including:
- Web or application servers
- Databases
- Network services
- Custom code
- Development platforms and frameworks
- Storage
- Virtual machines
- Cloud containers
What Causes Security Misconfigurations?
A majority of configuration errors happen because system administrators fail to change the default configuration (or “out of the box” account settings) of a device or application.
For instance, a webmaster might retain the default configuration on a CMS application. Many automated attacks on these platforms rely on these default settings. Changing these settings can minimize the probability of attack. Leaving a temporary configuration in place can also result in misconfigurations and vulnerabilities.
Some other common causes of security misconfiguration errors are:
Unpatched flaws
Threat actors exploit unpatched or outdated software to gain unauthorized access to an enterprise system’s functions or data. Sometimes the open vulnerability may even result in a complete system compromise.
Unused pages and unnecessary services/features
Unused pages and unnecessary features or services also allow attackers to gain unauthorized access to an enterprise application or device. If left unchecked, these issues may result in serious problems such as command injections, brute force attacks, and credential stuffing attacks.
Inadequate access controls
Threat actors can gain entry into the network infrastructure by using default passwords, unused user accounts, or unused access permissions that admins did not update or remove. Overly permissive access rules also allow adversaries to cause all kinds of chaos, including malware attacks and data compromise.
Unprotected files and directories
Files and directories that are unprotected by strong security controls are vulnerable to cyberattacks. Attackers can identify platforms and applications that use easy-to-guess names and locations to garner valuable system information and orchestrate targeted attacks.
Predictable file names and locations can also expose admin interfaces and allow the adversary to get privileged access, configuration details or business logic, and even add, remove, or modify application functionality.
Poor coding practices and using vulnerable XML files
Many security misconfigurations can occur in Java web.xml files. Custom error pages or SSL may not be configured, or the code may be missing web-based access controls.
Coding errors may allow attackers to reach parts of web applications over non-SSL (plain HTTP) connections and launch session hijacking attacks. Using URL parameters for session tracking or not setting a session timeout may also enable these attacks. Similarly, cookies set without the HttpOnly flag can be read by injected scripts, which makes cross-site scripting (XSS) attacks more damaging.
Disabled antivirus
Sometimes users temporarily disable the antivirus when it blocks a particular action, such as running an installer. If the user forgets to reactivate the antivirus after completing the installation, the organization is left vulnerable to hacks and data breaches.
Inadequate hardware management
Hackers use devices such as routers, switches, and endpoints to access enterprise applications and data by exploiting unsecured ports, overly permissive network traffic rules, and inadequately patched and maintained hardware.
The Impact of Security Configuration Errors
Configuration errors create security weaknesses that leave an open door for hackers and cybercriminals. Here’s how such errors can harm organizations.
Exposure of sensitive data
Configuration errors almost always result in unauthorized access to sensitive information, and the exposure is widespread: nearly 73 percent of organizations have at least one critical security misconfiguration that could expose sensitive data, systems, or services to adversaries.
Directory traversal attacks
Directory listing in a web application allows threat actors to browse and freely access the file structure and discover its security vulnerabilities. They can exploit these vulnerabilities to modify parts of the application and even reverse-engineer it.
Attacks on mobile applications
According to OWASP, configuration mistakes are a serious problem with mobile applications because the business and presentation layers are not deployed on a proprietary server under the organization’s control. Instead, the code is deployed on a mobile device that an attacker can physically access, modify, or reverse-engineer.
Remote attacks
Some critical misconfigurations allow attackers to access servers remotely and disable network and information security controls such as firewalls and VPNs. Unused open administration ports also expose the application to remote attacks.
Unauthorized connections to the enterprise
Sometimes legacy applications try to communicate with non-existent applications. That creates a security gap that allows attackers to establish a connection to the enterprise IT ecosystem.
Cloud misconfiguration errors
Cloud misconfiguration errors are increasing, creating numerous security challenges for organizations. As many as 70 percent of security challenges in the cloud are due to misconfigurations, resulting in unauthorized application access.
These errors may also lead to the exposure of mission-critical information, loss of business, regulatory fines and other penalties, and massive financial and reputational harm.
How Organizations Can Avoid Security Configuration Errors
Security configuration errors are a widespread problem that can occur in any network, system, device, or application. Organizations can avoid them or minimize the chance of occurrence by following these best practices.
Watch out for red flags
Configuration errors usually create warning signals that admins and developers should watch for. Red flags include notifications of multiple login attempts, devices that self-install software, and users’ web searches being redirected to unexpected websites. All these events usually point to compromised devices or application security.
Regularly patch all devices and software
Regular security patches and updates are vital to find and fix configuration errors. Admins can also patch a golden image (that is, a virtual machine configured correctly) and deploy it into the entire environment.
Strengthen remote access controls
A layered remote security approach with intrusion detection systems, permission zones, firewalls, and virtual private networks (VPNs) can limit the vulnerabilities created by remote users. In general, all files and directories in both on-premises data centers and cloud environments must have strong access controls, granted on a need-to-have basis.
Provide cybersecurity training to all users
A lack of cybersecurity knowledge results in insecure practices and human errors, which increase the risk of breaches. Employees must be trained about the need for strong passwords, the dangers of shadow IT, and the rules for handling sensitive data. A strong security culture is also vital to improve awareness of security threats, suspicious activities, and appropriate threat responses.
Follow secure coding practices
Secure coding practices are essential to prevent misconfiguration issues. Developers must ensure proper input/output data validation in the code, configure custom error pages and SSL, set a session timeout, never bypass authentication and authorization, and avoid using URL parameters for session tracking.
It’s also good practice to run custom static code through a security scanner before integrating it into the production environment.
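The web.xml settings discussed under "Poor coding practices and using vulnerable XML files" and the secure-coding practices listed just above, as an added example that is not part of the original article: a small Python audit that parses a Java web.xml deployment descriptor and flags a missing custom error page, a missing or disabled session timeout, session cookies without HttpOnly or Secure, session tracking not restricted to cookies, and content reachable without SSL. Both web.xml samples are constructed for this example; real files carry a Java EE namespace, which the lookup ignores.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.xml that omits the settings discussed above.
WEAK_WEB_XML = """<web-app>
  <session-config><session-timeout>0</session-timeout></session-config>
</web-app>"""

# Constructed sample: the same deployment descriptor with those settings in place.
HARDENED_WEB_XML = """<web-app>
  <error-page><error-code>500</error-code><location>/error.html</location></error-page>
  <session-config>
    <session-timeout>15</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""


def audit_web_xml(xml_text):
    """Return a list of misconfiguration findings for one web.xml document."""
    root = ET.fromstring(xml_text)

    def values(name):
        # Namespace-agnostic lookup: real web.xml files carry a Java EE xmlns,
        # so compare only the local part of each tag name.
        return [(e.text or "").strip() for e in root.iter()
                if e.tag.rsplit("}", 1)[-1] == name]

    findings = []
    if not values("error-page"):
        findings.append("no custom error-page: default pages can leak stack traces")
    timeouts = [int(t) for t in values("session-timeout") if t.lstrip("-").isdigit()]
    if not timeouts or min(timeouts) <= 0:  # minutes; 0 or negative never expires
        findings.append("session-timeout missing or <= 0: sessions never expire")
    if "true" not in [v.lower() for v in values("http-only")]:
        findings.append("cookie not http-only: injected script can read the session id")
    if "true" not in [v.lower() for v in values("secure")]:
        findings.append("cookie not secure: session id is sent over plain HTTP")
    if values("tracking-mode") != ["COOKIE"]:
        findings.append("tracking-mode not limited to COOKIE: URL rewriting may expose the session id")
    if "CONFIDENTIAL" not in values("transport-guarantee"):
        findings.append("no CONFIDENTIAL transport-guarantee: content reachable over non-SSL")
    return findings
```

Running `audit_web_xml` on the weak sample returns six findings; on the hardened sample it returns none.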
Some other ways to avoid security misconfiguration errors are:
- Regularly monitor web application security and vulnerabilities
- Define and monitor non-default security settings for apps and programs
- Remove unused applications, programs, and features
- Change all default accounts, usernames, and passwords
- Develop an application architecture with secure separation of elements
- Encrypt data-at-rest and data-in-transit
Reciprocity ROAR Helps Protect Your Organization from Vulnerabilities
You can protect your organization from many vulnerabilities by identifying where misconfiguration errors occur. For such visibility, you need a tool like Reciprocity ROAR.
ROAR reveals information security risk across your business. See where security configuration and other errors are occurring so you can take quick action to minimize and manage vulnerabilities and minimize business exposure.
With Reciprocity ROAR, you can simplify threat and risk management, compliance, audits, governance, and even policy management – all from one centralized application. Manage risk and compliance easily and guide your organization to greater operational confidence. Schedule a demo to discover the full power of ROAR.