3 Reasons Security Misconfiguration is a Top Concern

Security Misconfiguration Might be Your Top Vulnerability

Buying great security products is not enough. Companies must also apply best-practice security configurations to get the highest level of security possible. Security misconfiguration is often the key reason a breach occurs. Configurations must be set up securely and adjusted regularly to incorporate current best practices, informed by known security flaws and recent attacks.

3 Reasons Why You Should Focus on Security Configurations

1) Miscellaneous errors are responsible for nearly 20% of all security breaches (per the 2021 Verizon DBIR). Security misconfiguration accounts for about 55% of those miscellaneous errors, and in information-industry companies its share can be as high as nearly 80%. Security misconfiguration is an especially large cause of breaches in finance/insurance, healthcare, information, professional services, and public administration companies.

2) OWASP lists security misconfiguration as #5 in its 2021 Top 10 application security risks, and it is the most commonly seen issue. It usually results from insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages that contain sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured; they must also be patched and upgraded in a timely fashion.

3) CISA, the FBI and the NSA have three recommendations for heightened security. One of them is “Enhance your organization’s cyber posture”. Under that recommendation they advise companies to “Implement rigorous configuration management programs. Ensure the programs can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses”. CISA also published the report Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services, which includes best practices for Microsoft 365, server setup, password configuration, etc.
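
As an added example (not code from the article or from any vendor), the following Python script checks a raw HTTP response for the misconfiguration signs the OWASP item above lists: missing or weak security headers, software version disclosure in Server/X-Powered-By style headers, a wildcard CORS origin combined with credentials, and verbose error pages. The two sample responses, the placeholder server and framework names, and the header baseline in REQUIRED_HEADERS are constructed for illustration; the baseline is a common starting point, not an exhaustive policy.

```python
"""Audit a raw HTTP response for common security-misconfiguration signs.

Added example, not code from the article. The responses below are constructed;
server and framework names are placeholders, not real products.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from email.parser import Parser

# Baseline headers a hardened web server is expected to send, each with a test
# for an acceptable value. Assumed baseline for this example; extend per policy.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "content-security-policy": lambda v: bool(v.strip()),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}

# Headers that commonly disclose software name and version.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# Fragments typical of stack traces or debug pages that should never reach users.
VERBOSE_ERROR_PATTERNS = (
    r"Traceback \(most recent call last\)",
    r"\bat [\w$.]+\(\w+\.java:\d+\)",
    r"Stack trace:",
    r"ORA-\d{5}",
)


@dataclass(frozen=True)
class Finding:
    check: str   # short identifier of the failed check
    detail: str  # header or pattern that triggered it


def parse_response(raw: str) -> tuple[int, dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status_code = int(status_line.split()[1])
    msg = Parser().parsestr(header_block)          # RFC 822-style header parsing
    headers = {k.lower(): v for k, v in msg.items()}
    return status_code, headers, body


def audit_response(raw: str) -> list[Finding]:
    """Return one Finding per misconfiguration detected in the response."""
    _status, headers, body = parse_response(raw)
    findings: list[Finding] = []

    for name, acceptable in REQUIRED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            findings.append(Finding("missing-header", name))
        elif not acceptable(value):
            findings.append(Finding("weak-header", f"{name}: {value.strip()}"))

    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value and re.search(r"\d+\.\d+", value):   # looks like a version number
            findings.append(Finding("version-disclosure", f"{name}: {value.strip()}"))

    # Wildcard origin plus credentials is a classic CORS misconfiguration.
    if (headers.get("access-control-allow-origin", "").strip() == "*"
            and headers.get("access-control-allow-credentials", "").strip().lower() == "true"):
        findings.append(Finding("cors-wildcard-with-credentials", "access-control-allow-origin: *"))

    for pattern in VERBOSE_ERROR_PATTERNS:
        if re.search(pattern, body):
            findings.append(Finding("verbose-error", pattern))
            break
    return findings


# Constructed sample: defaults left in place, debug output reaching the client.
MISCONFIGURED = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: ExampleHTTPd/1.2.3\r\n"
    "X-Powered-By: ExampleFramework/4.5\r\n"
    "Content-Type: text/html\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "\r\n"
    "<h1>Error</h1><pre>Stack trace:\n#0 /srv/app/db.php(42): connect()</pre>"
)

# Constructed sample: the same server after the baseline headers are applied
# and the error page is replaced with a generic message.
HARDENED = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: ExampleHTTPd\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<h1>Something went wrong</h1><p>Reference id: 7f3a</p>"
)

if __name__ == "__main__":
    for label, raw in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        findings = audit_response(raw)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.check}: {f.detail}")
```

Run stand-alone it reports eight findings for the constructed default-style response and none for the hardened one. A check like this belongs in the deployment pipeline or a periodic configuration review, so that drift away from the baseline is noticed by the defenders rather than by whoever scans the site next.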


Top Security Misconfiguration Risks

  • Successful security attacks – via security holes that are not closed
    • Patches not applied
    • Security controls not configured to prevent the latest threats
    • IT not configured securely
  • False sense of security – literally
    • The latest security controls are in place, but not configured securely
  • Security threats ignored – false negatives (not configured to discover the latest threats)
  • Unauthorized user access, and therefore uncontrolled access to:
    • Data
    • Applications (especially the growing list of cloud apps)
    • IT systems
  • Unproductive security team – false positives keep the team chasing false indicators
  • Key data is not backed up and/or cannot be restored – catastrophe
  • Unproductive employees
    • Security is too tight, and users can't do their jobs
    • Email is uncontrolled and users spend all their time deleting spam or looking for expected emails
    • Systems are down because of security attacks


Top Security Misconfiguration Risks by Category

Firewalls
  • Misconfiguration risks
    • Too tight – restricts employee use
    • Too loose – not effective, holes in security
  • Required management activities
    • Default to blocked unless specific traffic is required
    • Enable security features
    • Define groups to provide granularity
SIEMs
  • Misconfiguration risks
    • False positives – lead to real alerts being ignored
    • False negatives – incomplete policies do not generate the appropriate security notifications, allowing attacks to occur
  • Required management activities
    • SIEMs need constant monitoring and policy tuning
    • Alerted threats and attacks must be investigated
    • Remediation recommendations
MFA
  • Misconfiguration risks
    • Unauthorized users gain access
    • Users have access to unintended applications & data
    • Users have access privileges that are not required
  • Required management activities
    • Proactively authorize and deauthorize users & applications
    • Control user enrollments
    • Force minimum security factors
    • Use MFA for everything (esp. SaaS, network, remote)
    • Set up and manage SSO to make use easier
Endpoint Security
  • Misconfiguration risks
    • Malware is not prevented, detected, or remediated
    • Data is stolen or destroyed
  • Required management activities
    • Appropriate levels of security by group are enabled
    • Monitoring, alerting, and remediation actions
    • Updates
Backup & DR
  • Misconfiguration risks
    • Key data is not backed up or can't be restored
  • Required management activities
    • Properly configure backups and secondary storage
    • Regularly test backups and restore capability
Cloud Application Security
  • Misconfiguration risks
    • Unauthorized users gain access to applications & data
    • Unsanctioned applications used by employees
    • Users have data access privileges that are not required
  • Required management activities
    • Add SSPM & CASB security
    • Set user access & privilege rights
    • 3rd-party application access control
Server Security (including public/private cloud)
  • Misconfiguration risks
    • Server data is modified, destroyed, or stolen
    • Unauthorized users access data
    • Data/server is unavailable for use
  • Required management activities
    • Add zero trust security solutions
    • Server endpoint protection software
    • Control user access & privilege rights
    • Active Directory & services controls
Email Security
  • Misconfiguration risks
    • Phishing and CEO fraud are not prevented
    • Spam is not controlled & employees are unproductive
    • Malware is introduced into your company
  • Required management activities
    • Set mail security & filtering thresholds and adjust them
    • Define appropriate quarantine actions and user controls
    • Ongoing monitoring and adjustment of security
Wi-Fi
  • Misconfiguration risks
    • Unauthorized users gain access to your networks
    • User roaming is not effective
    • Network performance is slow
  • Required management activities
    • Define Wi-Fi networks & their purpose
    • Define network access rights by network
    • Define network security, including MFA, and monitor
    • Define roaming methods
Remote Access Security
  • Misconfiguration risks
    • Unauthorized users access data, apps, systems
    • Data stolen or destroyed
  • Required management activities
    • Set up secure remote access
    • Set up secure authorization and authentication (MFA+)
    • Set up & maintain user rights and privileges
    • Secure local computers and phones
    • Protect data and retain it on servers when possible
M365
  • Misconfiguration risks
    • Unauthorized user access
    • Data is lost, stolen, or destroyed
  • Required management activities
    • User access & privilege rights
    • Data storage control (SharePoint…)
Network Access
  • Misconfiguration risks
    • Unauthorized users gain access to your networks
  • Required management activities
    • Access & privilege rights
    • Up-to-date active/authorized users
    • Monitor traffic & usage
IT Admin Security
  • Misconfiguration risks
    • Unauthorized admins gain control of everything
    • Unauthorized user activity is undetected
  • Required management activities
    • Role definitions
    • User management (PAM)
    • Least-privilege access & privilege rights


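The SIEM row of the table and the false-positive / false-negative bullets in the risk list describe the tuning problem in words. The following Python example is added here (it is not from the article) to show the same thing on constructed sshd log lines that use RFC 5737 documentation addresses: an untuned rule that alerts on every failed password, and a tuned rule that alerts once per source address only when a threshold of failures lands inside a time window. The threshold and window values are illustrative, not recommendations.

```python
"""Tune a SIEM-style failed-login rule: cut false positives without creating false negatives.

Added example, not from the article. The log lines are constructed and use
RFC 5737 documentation addresses; they are not from any real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches syslog-style sshd failed-password lines and pulls out the fields we need.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

# Constructed sample: one typo by alice, a burst of guesses from 203.0.113.7,
# and two typos by bob before a successful login.
SAMPLE_LOG = """\
Mar  3 10:15:01 bastion sshd[4101]: Failed password for alice from 198.51.100.23 port 50122 ssh2
Mar  3 10:15:09 bastion sshd[4101]: Accepted password for alice from 198.51.100.23 port 50122 ssh2
Mar  3 10:20:00 bastion sshd[4190]: Failed password for invalid user admin from 203.0.113.7 port 41001 ssh2
Mar  3 10:20:02 bastion sshd[4191]: Failed password for invalid user admin from 203.0.113.7 port 41002 ssh2
Mar  3 10:20:04 bastion sshd[4192]: Failed password for root from 203.0.113.7 port 41003 ssh2
Mar  3 10:20:05 bastion sshd[4193]: Failed password for root from 203.0.113.7 port 41004 ssh2
Mar  3 10:20:07 bastion sshd[4194]: Failed password for invalid user test from 203.0.113.7 port 41005 ssh2
Mar  3 10:20:09 bastion sshd[4195]: Failed password for invalid user oracle from 203.0.113.7 port 41006 ssh2
Mar  3 11:02:33 bastion sshd[4300]: Failed password for bob from 198.51.100.44 port 50310 ssh2
Mar  3 11:02:41 bastion sshd[4300]: Failed password for bob from 198.51.100.44 port 50310 ssh2
Mar  3 11:02:50 bastion sshd[4300]: Accepted password for bob from 198.51.100.44 port 50310 ssh2
"""


def parse_failures(text):
    """Return (timestamp, user, source_ip) for each failed-password line, in log order."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            events.append((ts, m["user"], m["src"]))
    return events


def naive_rule(text):
    """One alert per failed login: the untuned rule a SIEM might ship with."""
    return [f"failed login for {user} from {src}" for _, user, src in parse_failures(text)]


def tuned_rule(text, threshold, window_seconds):
    """Alert once per source IP when `threshold` failures occur within `window_seconds`."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerted = set()               # sources already reported (one alert per source per run)
    alerts = []
    for ts, _user, src in parse_failures(text):
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append(f"{len(window)} failed logins from {src} within {window_seconds}s")
    return alerts


if __name__ == "__main__":
    print("untuned:", len(naive_rule(SAMPLE_LOG)), "alerts")
    print("tuned (5 in 60s):", tuned_rule(SAMPLE_LOG, threshold=5, window_seconds=60))
    print("tuned too loosely (10 in 60s):", tuned_rule(SAMPLE_LOG, threshold=10, window_seconds=60))
```

With a threshold of 5 in a 60-second window, bob's two typos produce nothing and the guessing source fires one alert; the untuned rule produces nine alerts for the same input, which is the noise that gets real alerts ignored. Raise the threshold to 10 and the same burst goes unreported, which is exactly the false negative the SIEM row warns about. Both numbers are configuration, and they have to be revisited as log sources and attack patterns change.
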
Security Misconfiguration Conclusions

  • Security misconfiguration is a significant reason why companies are successfully attacked
  • Security misconfiguration vulnerabilities can be avoided through active security management by an experienced, well-staffed team of security experts
  • Your security is only as secure as the latest security configuration updates made by your team
  • Most companies are understaffed, so even if they can install security products, they don't have time to manage them
  • Most IT/security teams struggle to stay trained on regulatory compliance and security product best practices, so best-practice security configurations are difficult to maintain. This exposes security holes that can be exploited by attackers, who always go after the latest security vulnerabilities. Most of the time, vulnerabilities can be avoided by implementing the latest best practices as specified by security product manufacturers and security agencies.


Companies need to balance the money spent on security products with the staffing of an expert security services team.

For many, this means outsourcing to a dedicated managed security service company is a good idea.

Managed Security Provides:

  • Security compliance expertise
  • Security control product expertise – trained on security product best practices
  • 24×7 monitoring, adjustment and maintenance
  • A focus on security best practices – preventing, detecting, and mitigating security threats and attacks

Managed Security Benefits include:

  • Much higher levels of security
  • Better ROI on security budget
  • Better visibility into security posture
  • Higher level of compliance with security regulations

Contact eSecurity today to discuss how 24×7 managed security can offload your team and enable the highest level of security for your company.
