OWASP Top 10 2017 – A5 Security Misconfiguration

Security misconfigurations are weaknesses in how your systems and applications are set up that leave them open to attack. They are easy for threat agents both inside and outside your company to exploit, often with nothing more than a browser. The good news is that although misconfigurations are common, they are also usually easy to detect and fix. The bad news is that they are often not discovered until a system has been compromised and the costly damage is done.

Are You at Risk?

Today’s companies run on multiple platforms, applications and servers, any of which can harbor a security misconfiguration. You are at greater risk if your applications also run on cloud servers and are reached from poorly secured mobile devices alongside your company’s internal platforms, servers and applications. You are also at risk if you assume that out-of-the-box software is secure as shipped, that a perimeter firewall makes it so, or that IT teams are always on top of maintenance when they are often stretched thin by daily issues.

Common Security Misconfigurations

Misconfigurations can occur anywhere in your application stack. In this context the stack is every layer an application depends on: the operating system and network services, the web server, the application server, the database, the framework and libraries, the custom code on top, and the cloud, container or virtual-machine settings underneath. A misconfiguration in any one of those layers is enough. Here are a few common security misconfigurations:

  • Default credentials: administrative accounts and passwords left at factory defaults or unchanged since installation
  • Directory listing: not disabled, so the file layout of the server is browsable and gets indexed by search engines
  • Verbose error messages: stack traces, framework versions, file paths or SQL fragments returned to users on error pages
  • Unnecessary features: sample applications, documentation and admin consoles that ship with the server, along with old privileges and user accounts nobody removed
  • Software: out of date, legacy systems, patches not applied, orphaned custom code still deployed

An important point to remember is that your systems are multi-layered. If any one layer is not securely configured, the system can be infiltrated and data compromised or stolen, either all at once or slowly over time in a way you would never notice. Defense in depth across those layers and a minimum hardened baseline configuration that is reviewed regularly are both essential.

How to Find Security Misconfigurations

Developers and system administrators working together can find security misconfigurations and fix them. This is done through regular automated security scans and periodic manual review of each application, platform and server against its documented configuration baseline. Do not assume that because you are not seeing immediate issues there are no security misconfigurations.
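To make the common misconfigurations listed earlier and the automated scan described here concrete, the following is an added example (not code from the original post) of a small offline audit script. It checks constructed sample inputs for each class: an nginx-style config text for directory listing and version disclosure, a Flask-style settings dict for debug mode, a user store with salted PBKDF2 hashes for still-valid factory-default credentials, and the set of deployed paths for sample content. The config format, key names, default-credential list and sample paths are assumptions chosen for illustration, and the weak and hardened inputs are constructed.

```python
"""Added illustration: audit constructed inputs for the misconfiguration
classes listed above. Config format, key names, the default-credential
list and the sample paths are assumptions, not any product's schema."""
import hashlib
import os
import re

# Illustrative subset of widely published factory defaults (constructed)
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"),
    ("tomcat", "tomcat"), ("guest", "guest"),
}
# Sample/admin content that commonly ships with servers (constructed)
SAMPLE_PATHS = {"/examples", "/docs", "/manager/html", "/phpinfo.php"}
PBKDF2_ROUNDS = 50_000


def pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def make_account(username, password):
    """Constructed user-store record: salted PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": pbkdf2(password, salt)}


def uses_default_credential(account):
    """True if any published default for this username still verifies."""
    return any(
        user == account["user"] and pbkdf2(pw, account["salt"]) == account["hash"]
        for user, pw in DEFAULT_CREDENTIALS
    )


def parse_directives(text):
    """Flatten 'name value;' lines of an nginx-style config into a dict.
    Block braces and '#' comments are ignored; the last value wins."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"([a-z_]+)\s+(.+?);", line)
        if m:
            directives[m.group(1)] = m.group(2)
    return directives


def audit(server_conf, app_settings, accounts, deployed_paths):
    """Return one finding string per misconfiguration detected."""
    findings = []
    d = parse_directives(server_conf)
    if d.get("autoindex") == "on":
        findings.append("directory listing enabled (autoindex on)")
    if d.get("server_tokens", "on") == "on":  # nginx's default is on
        findings.append("server version disclosed (server_tokens on)")
    if app_settings.get("DEBUG", False):
        findings.append("DEBUG on: stack traces and variables shown in error pages")
    for acct in accounts:
        if uses_default_credential(acct):
            findings.append(f"default credential still valid for '{acct['user']}'")
    for path in sorted(set(deployed_paths) & SAMPLE_PATHS):
        findings.append(f"sample/admin content still deployed: {path}")
    return findings


# Constructed before/after inputs
WEAK_CONF = """
server {
    listen 80;
    server_tokens on;          # leaks nginx version in headers
    location /uploads/ {
        autoindex on;          # anyone can browse uploaded files
    }
}
"""
HARDENED_CONF = """
server {
    listen 443 ssl;
    server_tokens off;
    location /uploads/ {
        autoindex off;
    }
}
"""
WEAK_ACCOUNTS = [make_account("admin", "admin"),
                 make_account("alice", "correct horse battery staple")]
HARDENED_ACCOUNTS = [make_account("admin", "qW2!v9#Ld8$pZk3m"),
                     make_account("alice", "correct horse battery staple")]


def weak_findings():
    return audit(WEAK_CONF, {"DEBUG": True}, WEAK_ACCOUNTS,
                 {"/", "/examples", "/manager/html"})


def hardened_findings():
    return audit(HARDENED_CONF, {"DEBUG": False}, HARDENED_ACCOUNTS, {"/"})


if __name__ == "__main__":
    for f in weak_findings():
        print("WEAK:", f)
    print("hardened findings:", hardened_findings())
```

The default-credential check verifies known defaults against the stored hash rather than comparing plaintext, which is how such a check has to work against a real user store; in a live scan the same idea is usually implemented by attempting a login with each default pair. The hardened inputs produce no findings, which is the baseline a periodic review should hold every instance to.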

Resolving Security Misconfigurations

Arguably the most overlooked security misconfiguration is leaving things in default mode, especially in enterprise corporations where there can be hundreds of systems, each with its own administrative interface, in use at any given time of day or night. It’s easy to assume that perimeter firewalls protect your system. That’s a dangerous assumption. Leaving system credentials at factory or user defaults lets an attacker who gets past the perimeter peel away the remaining layers until your critical and other sensitive data is exposed.

Resolution: change factory default credentials before an application goes live. This is one part of application hardening, which removes or locks down everything in a deployment that an attacker could use and the business does not need, and it makes your applications measurably more secure.

Here are some specifics:

  • Be consistent across company departments. Deploy the same hardened configuration to every instance of a common application, but keep development, quality assurance and production strictly separated, each with its own user accounts and passwords, so that a compromise in one environment does not carry over to another. This promotes security and accountability and helps trace errors back to particular departments and users.
  • Disable directory listing on your web servers, archive or delete old files, and remove unneeded services. This includes disabling or deleting the sample applications and documentation that come with your application servers. Also change the application server’s default error handling so that stack traces and internal details are logged on the server rather than returned to users, who would not understand them but an attacker would.
  • Remove old privileges and user accounts.
  • Apply security patches promptly, update or isolate legacy systems, and get rid of orphaned custom code.
  • Make sure all mobile device defaults are changed accordingly.
  • Change new employee defaults immediately and delete the permissions and accounts of terminated employees. This includes mobile devices and cloud access.
  • Monitor how outside vendors and cloud services handle company data.
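The account and privilege clean-up steps in the list above (removing old privileges and accounts, deleting terminated employees’ access) are a reconciliation job that is easy to script once the data is exported. The following is an added example, not code from the original post, that compares an application’s user export against an HR roster and each role’s approved groups, and produces the delete, disable and revoke actions a reviewer would act on. The roster, role-to-group mapping, account export, dates and the 90-day staleness threshold are all constructed for illustration.

```python
"""Added illustration of the account and privilege review described above:
reconcile an application's user export against the HR roster and each role's
approved groups. The roster, groups, dates and export format are constructed."""
from datetime import date, timedelta

REVIEW_DATE = date(2024, 6, 1)          # constructed "today"
STALE_AFTER = timedelta(days=90)        # constructed inactivity threshold

# Constructed HR roster: employment status and job role
HR_ROSTER = {
    "alice": {"status": "active", "role": "developer"},
    "bob":   {"status": "terminated", "role": "dba"},
    "carol": {"status": "active", "role": "support"},
}
# Constructed mapping of role -> groups that role is entitled to
ROLE_GROUPS = {
    "developer": {"git-push", "staging-deploy"},
    "dba": {"db-admin"},
    "support": {"ticket-view"},
}
# Constructed export from the application's user store
ACCOUNTS = [
    {"user": "alice", "groups": {"git-push", "staging-deploy", "prod-deploy"},
     "last_login": date(2024, 5, 30)},
    {"user": "bob", "groups": {"db-admin"}, "last_login": date(2024, 1, 10)},
    {"user": "carol", "groups": {"ticket-view"}, "last_login": date(2024, 2, 1)},
    {"user": "svc-legacy", "groups": {"db-admin"}, "last_login": None},
    {"user": "tomcat", "groups": set(), "last_login": None},
]


def review_accounts(accounts, roster, role_groups,
                    today=REVIEW_DATE, stale_after=STALE_AFTER):
    """Return (action, user, reason) tuples. Order of checks matters: an
    account with no owner or a terminated owner is removed outright, so its
    groups and login age are not examined further."""
    actions = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            actions.append(("disable", user,
                            "no owner in HR roster (orphaned, vendor or default account)"))
            continue
        if person["status"] != "active":
            actions.append(("delete", user, "employee terminated"))
            continue
        last = acct["last_login"]
        if last is None or today - last > stale_after:
            actions.append(("disable", user, f"no login in {stale_after.days} days"))
        # Groups the account holds that its owner's role does not justify
        extra = acct["groups"] - role_groups.get(person["role"], set())
        if extra:
            actions.append(("revoke", user,
                            "groups beyond role: " + ", ".join(sorted(extra))))
    return actions


if __name__ == "__main__":
    for action, user, reason in review_accounts(ACCOUNTS, HR_ROSTER, ROLE_GROUPS):
        print(f"{action:8} {user:12} {reason}")
```

Accounts with no owner in the roster are disabled rather than deleted because they may be service accounts something still depends on; the point is to force someone to claim them. Running this on a schedule, with the output reviewed by a person, is the practical form of “remove old privileges and user accounts”.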

Security misconfiguration resolution depends on your company’s unique operating environment. Resolving issues isn’t a one-size-fits-all boxed solution. It is important to keep abreast of new security updates, attend conferences, keep communication open with vendors, and keep close track of your company’s mobile devices. Each company is unique, and resolving security misconfiguration within your application stacks, platforms and other architecture should always be tracked carefully and consistently.

For C-levels: Knowledge Helps Mitigate Risk

It is important for C-level executives to understand what security misconfigurations are and what impact they can have on a company, from minor annoyances to major threats. You need to understand those threats and how to mitigate them, ask questions of your IT team and know what kinds of testing are available. Knowledge and teamwork reduce risk. Understanding also helps you go to bat for your IT teams when they need to update legacy systems, obtain penetration testing or run company-wide user training.

Consistency is Key: Monitor, Apply, Update

After resolving security misconfigurations, don’t assume that it is a one-time deal. Designate one person or a team to keep abreast of changes and issues. Be consistent in monitoring, applying and updating changes, and be vigilant in running audits and performing automated and manual scans to prevent future security misconfigurations.

Have a look at our OWASP Top 10 2017 posts:

OWASP Top 10 2017 – A1 Injection

OWASP Top 10 2017 – A2 Broken Authentication and Session Management

OWASP Top 10 2017 – A3 Cross Site Scripting (XSS)

OWASP Top 10 2017 – A4 Broken Access Control