Security misconfigurations are a common and often overlooked threat to organizations. These errors or omissions in the security configuration can leave organizations vulnerable to cyberattacks, potentially leading to the loss or theft of sensitive data, damage to the organization’s reputation, and financial losses. Properly configuring security systems is essential to reducing the risk exposure and minimizing the business impact of attacks.
We have all seen a wide range of security misconfigurations that can expose organizations to risks. An overly permissive user account with exposed or compromised credentials allows attackers to access the organization’s infrastructure or steal data. Cloud instances that were left open and unprotected, allowing attackers to use them as entry points into an organization’s network.
Below, we will review the five most common security misconfigurations as spotted by Veriti:
- Enable the technology but create an exemption to disable it
- Partial enforcement scope
- Settle for predefined policies
- Blocking security updates
Let’s review them and understand how organizations can prevent and mitigate them.
Enable the technology but create an exemption to disable it
Implementing a cyber security technology can be challenging, but once in place, it can provide valuable protection against potential threats. However, exemptions to these protections may be necessary in some cases to allow specific processes or business applications to function properly. Not managing those exemptions carefully, could create security risks by leaving areas of the organization unprotected.
To avoid this issue, it is essential to implement strict procedures for creating and managing exemptions and regularly review and audit existing exemptions to ensure they are still necessary and do not create unnecessary security risks. By taking these steps, organizations can ensure that their cyber security technology is providing effective protection from potential threats.
Partial Enforcement Scope
Implementing a security technology to the fullest is a process that takes time. You can never be too hasty when it comes to the organization’s applications, hosts, and assets. Thus, moving gradually is only a reasonable way to avoid damaging business impact. So you start scope by scope, one group of users after the other, or feature by feature. In many cases, organizations may not be aware of the current status of security enforcement. We have seen many cases where organizations got breached after deploying intrusion prevention technology, but only on specific zones or interfaces, leaving the rest of the organization vulnerable.
Every security organization should continually review its security plan to ensure alignment with the current state of implementation and make any necessary adjustments to ensure that it is effective and relevant.
Settle for predefined security profiles
Security vendors are doing their best to maximize security in the organization while ensuring no business downtime. However, it is essential to carefully consider using pre-defined security profiles from vendors. These profiles may not adequately address your organization’s specific needs and vulnerabilities. You can have all the security controls in place but use the vendor’s pre-defined profile that only alerts on malicious connections rather than block them, ultimately putting the business at risk. Furthermore, security vendors may change the defining parameters of their pre-defined profiles over time risk, severity, and confidence levels). But this can be too little and too late to take into consideration and prevent damage to your organization.
To ensure the best level of protection for your business, consider creating customized security profiles tailored to your organization’s specific needs using continuous monitoring and analysis of your current cyber threats.
Blocking security Products’ updates
In most cases, security vendors can block up to 99% of cyber attacks on an organization. This requires constantly updating all security controls and prevention engines. However, we see many instances where the security vendors inadvertently block each other’s updates.
One potential reason for this is that the update package of one vendor may not be encrypted, allowing another vendor to scan the file and block it from updating the other security vendor. Additionally, when SSL/HTTPS Inspection is enabled, update services may be dropped due to an ‘untrusted certificate’ error.
Set a cyber hygiene strategy to ensure that security products are up to date. It is essential for the organization to frequently get the latest information from the vendor and use encrypted files for updates.
Logs indicating unsuccessful updates may be available, but it is not typically the responsibility of the security operations center (SOC), infrastructure security, or the endpoint team to analyze them daily.
Enabling risky security protocols across organization assets
Securing your organization’s assets is essential, and one way to do this is by blocking specific protocols that could pose a risk. These protocols include RDP, SCP, FTP, and SMB, and they should only be allowed in specific scopes of the organization. However, it’s essential to regularly check for misconfigurations that might allow the use of these protocols in other scopes. This could allow attackers to move laterally and exploit vulnerabilities.
To help with this, consider implementing an analysis process that can identify any hosts or servers connecting to one another due to misconfigurations. This process can help expose any “lateral movement paths” that an attacker could potentially exploit
Summary
Effective security requires a proactive approach that takes into account the constantly evolving landscape of cyber threats. To adequately address security misconfigurations and reduce risk exposure, organizations must implement a comprehensive security strategy that goes beyond simply following best practices. This strategy should involve mapping out all security configurations and continually aligning them with the organization’s current threat map. By regularly reviewing and updating security configurations in this way, organizations can maintain strong cyber hygiene and better protect themselves against potential threats.
