Security misconfigurations are “holes” or weaknesses within your computer applications that leave your system vulnerable to attack. These misconfigurations allow easy exploitation by threat agents from both inside and outside of your company. The good news is that although misconfigurations are common, they are also easy to detect and fix. Too often, however, they aren’t discovered until your system is compromised and the costly damage is done.
Today’s companies run on multiple platforms, using multiple applications and multiple servers, any of which can harbor a security misconfiguration. You are also at risk if any of your apps run on cloud servers or insecure mobile devices alongside your company’s internal platforms, servers, and applications. You are likewise at risk if you assume that your out-of-the-box programs are ready to go and secure behind company firewalls, or that IT teams are always on top of maintenance when they are often stretched thin by daily issues.
Misconfigurations can occur anywhere on your application stack. Your application stack is simply all the applications your company requires, such as word processing, spreadsheet, and database management packages. Your stack also includes communication programs like email and internal messaging, as well as your web browsers. Misconfigurations can occur within those apps, on your web and application servers, or anywhere else in your company’s system architecture. Here are a few common security misconfigurations:
An important point to remember is that your computer system is multi-layered. If any of those layers isn’t securely assembled, your system can be infiltrated and data can be compromised or stolen, either all at once or over time, and disguised so that you never know it is happening. It is imperative to establish multi-layered security protocols and a minimum standard of application configuration reviews.
Developers and system administrators working together can find security misconfigurations and fix them. This is done through regular automated security scans and periodic manual reviews of each application, platform, and server against its configuration guidelines. Do not assume that because you see no immediate issues there are no security misconfigurations.
Arguably one of the most overlooked security misconfigurations is leaving systems in default mode, especially in enterprise corporations where there can be hundreds of user sessions active at any hour of the day or night. It’s easy to assume that perimeter firewalls protect your system. That’s a dangerous assumption. Leaving system credentials at their factory or user defaults lets attackers peel away those layers until your critical and other sensitive data is exposed.
Resolution: changing factory default credentials before putting an application into production is a best practice. This is part of application hardening, which makes your applications more secure.
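The automated scans and configuration reviews recommended above, and the default-credential check in particular, can be illustrated with a small audit script. The following is an added example written for this article, not a tool the article describes: it parses an INI-style application config, flags factory default credentials, empty passwords, debug mode, directory listing and a version-disclosing server header, and shows a weak config beside a hardened one. The section and key names, the list of default credentials and both sample configs are constructed assumptions.

```python
"""Added example: a minimal configuration audit for common security
misconfigurations. Key names, default-credential list and sample configs
are assumptions constructed for this example."""

import configparser
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: an application config left in factory default mode.
WEAK_CONFIG = """
[app]
debug = true
admin_user = admin
admin_password = admin

[web]
directory_listing = on
server_header = MyApp/1.0 (build 42)

[database]
user = root
password =
"""

# Constructed sample: the same config after hardening. Secrets are injected
# from the environment at deploy time rather than stored in the file.
HARDENED_CONFIG = """
[app]
debug = false
admin_user = admin
admin_password = ${ADMIN_PASSWORD}

[web]
directory_listing = off
server_header = MyApp

[database]
user = app_svc
password = ${DB_PASSWORD}
"""

# Assumed vendor/factory defaults a reviewer would check for (illustrative).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", ""),
    ("root", "root"),
}

# Credential key pairs the audit looks for in every section (assumed names).
CREDENTIAL_KEYS = (("admin_user", "admin_password"), ("user", "password"))


@dataclass
class Finding:
    section: str
    key: str
    message: str


def load_config(text: str) -> configparser.ConfigParser:
    # interpolation=None so "${VAR}" placeholders are read literally.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def audit_config(text: str) -> List[Finding]:
    """Return one Finding per misconfiguration detected in the config text."""
    cfg = load_config(text)
    findings: List[Finding] = []

    # 1. Factory default or empty credentials in any section.
    for section in cfg.sections():
        s = cfg[section]
        for user_key, pass_key in CREDENTIAL_KEYS:
            if user_key in s and pass_key in s:
                pair = (s[user_key].strip(), s[pass_key].strip())
                if pair in DEFAULT_CREDENTIALS:
                    findings.append(Finding(section, pass_key, "factory default credentials still set"))
                elif pair[1] == "":
                    findings.append(Finding(section, pass_key, "empty password"))

    # 2. Debug mode: leaks stack traces and internal details to users.
    if cfg.has_option("app", "debug") and cfg.getboolean("app", "debug"):
        findings.append(Finding("app", "debug", "debug mode enabled"))

    # 3. Directory listing: exposes file names an attacker would otherwise guess.
    if cfg.has_option("web", "directory_listing") and cfg.getboolean("web", "directory_listing"):
        findings.append(Finding("web", "directory_listing", "directory listing enabled"))

    # 4. Version disclosure in the server header helps attackers pick exploits.
    if cfg.has_option("web", "server_header") and re.search(r"\d", cfg.get("web", "server_header")):
        findings.append(Finding("web", "server_header", "server header discloses version"))

    return findings


def report(text: str) -> List[str]:
    """Human-readable lines, one per finding, for a manual review checklist."""
    return [f"[{f.section}] {f.key}: {f.message}" for f in audit_config(text)]


if __name__ == "__main__":
    print("Weak config:")
    for line in report(WEAK_CONFIG):
        print("  " + line)
    print(f"Hardened config: {len(audit_config(HARDENED_CONFIG))} findings")
```

Run against the weak sample, the audit reports five findings (two credential sections, debug, directory listing, server header); the hardened sample yields none. In practice the same check would be wired into the build pipeline so a config cannot reach production with any finding open.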
Here are some specifics:
Security misconfiguration resolution depends on your company’s unique operating environment. Resolving issues isn’t a one-size-fits-all boxed solution. It is important to keep abreast of new security updates, attend conferences, keep communication open with vendors, and keep close track of your company’s mobile devices. Each company is unique, and resolving security misconfigurations within your application stacks, platforms, and other architecture should always be tracked carefully and consistently.
C-level executives need to understand what security misconfigurations are and what potential impact they have on a company, from minor annoyances to major threats. You need to understand those threats and how to mitigate them, ask questions of your IT team, and know what kinds of testing are available. Knowledge and teamwork reduce risk. Understanding also helps you go to bat for your IT teams when they need to update legacy systems, obtain penetration testing, or present company-wide user training.
After resolving security misconfigurations, don’t assume that it is a one-time deal. Designate one person or a team to keep abreast of changes and issues. Be consistent in monitoring, applying, and updating changes, and be vigilant in running audits and performing automated and manual scans to avert future security misconfigurations.