In the third week of our series “What makes a website vulnerable?” we share some useful insights about security misconfigurations.
In recent years there has been a growing trend of breaches caused by bad configuration – nearly 70% of the compromised data.
So, what are security misconfigurations and how can we avoid them?
First of all, every layer of a website’s architecture involves a configuration. Therefore, there is a corresponding configuration for each of the following:
- operating system (e.g. Windows, Linux);
- application (software components that hold the website);
- library (developer’s own code);
- the website itself.
As you probably already guessed, incorrect configuration is a widespread problem that may occur in each and every one of the aforementioned layers and that, inevitably, requires preventive actions at multiple levels.
When it comes to servers, typical misconfigurations include unnecessary or unused services left enabled, default accounts and passwords still in use, incomplete or default configurations that have never been changed, and badly configured SSL certificates and encryption settings. All of these are easily detected by attackers, who can then gain access to sensitive data.
A misconfiguration of the firewall is particularly dangerous: a firewall which allows unauthorised hosts to connect to the server (as a result of incorrect configuration) may allow an attacker to gain control over the server.
One of the most common problems when we talk about misconfiguration of the operating system is a weak password policy. Dictionary words can be brute forced, so weak passwords are easily guessed. Moreover, simple passwords on administrative accounts often indicate that other systems have weak credentials as well. Do not forget: with a simple search on the internet anyone can obtain all known default passwords for administrative and manager accounts! Other examples of bad operating system configuration are the absence of regular updates (which provide vulnerability patches and prevent breaches), the same level of access granted to everyone (all members of the company have access to all data), and system logging left at its defaults or disabled. The system administrator is responsible for keeping the system updated and patching its vulnerabilities.
Continuing our list with the misconfiguration of applications, it should be emphasized that many applications come with unnecessary features (e.g. ports, pages, accounts, privileges) which have known security flaws. Also, the security settings are often not set to secure values, cloud services have improperly configured permissions, and not all security controls are implemented, or they are implemented with errors.
When we talk about the developer’s code, programmers must apply security measures to prevent access to confidential resources. Even if the developer follows secure coding practices, it is the responsibility of the integration team to properly integrate the application into production.
As you can see, the vulnerabilities generated by misconfiguration do not come from a single source, so avoiding them requires teamwork (of developers, administrators and management).
In order to ensure a proper configuration, it is recommendable to:
- keep software up to date;
- disable default accounts;
- implement a strong password policy;
- enforce strong access controls;
- ensure the encryption of data;
- perform regular penetration tests to find your misconfigurations and to be sure that all the detected vulnerabilities were properly patched.
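The checklist above can be encoded as an automated baseline audit. The following is an added example, not code from the original article: a Python script that compares a host configuration against the recommendations (patched software, default accounts disabled, strong password policy, access controls, encryption, logging). The account and service names, the thresholds and the sample host are all constructed for illustration.

```python
"""Audit a constructed host configuration against the article's checklist.
The baseline sets and the sample host below are invented data."""
from dataclasses import dataclass, field
from typing import List

# Constructed baseline (hypothetical names): vendor/default accounts that should
# be disabled, services the example server does not need, protocols to reject.
DEFAULT_ACCOUNTS = {"admin", "guest", "tomcat", "manager"}
UNNEEDED_SERVICES = {"telnet", "ftp", "rsh"}
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}

@dataclass
class HostConfig:
    accounts: dict              # account name -> enabled?
    services: set               # listening services
    min_password_length: int
    password_lockout: bool      # lock out after repeated failed logins?
    tls_versions: set           # protocol versions the web server accepts
    logging_enabled: bool
    pending_updates: int        # security updates not yet installed
    world_readable_paths: set = field(default_factory=set)

def audit(cfg: HostConfig) -> List[str]:
    """Return one finding per misconfiguration; an empty list means the host passes."""
    findings = []
    for name in sorted(DEFAULT_ACCOUNTS & set(cfg.accounts)):
        if cfg.accounts[name]:
            findings.append(f"default account enabled: {name}")
    for svc in sorted(UNNEEDED_SERVICES & cfg.services):
        findings.append(f"unnecessary service enabled: {svc}")
    if cfg.min_password_length < 12:
        findings.append(f"weak password policy: minimum length {cfg.min_password_length}")
    if not cfg.password_lockout:
        findings.append("weak password policy: no lockout after failed logins")
    for version in sorted(WEAK_TLS & cfg.tls_versions):
        findings.append(f"weak encryption: {version} accepted")
    if not cfg.logging_enabled:
        findings.append("system logging disabled")
    if cfg.pending_updates:
        findings.append(f"software out of date: {cfg.pending_updates} pending updates")
    for path in sorted(cfg.world_readable_paths):
        findings.append(f"access control: {path} readable by everyone")
    return findings

# Constructed sample host showing several of the misconfigurations described above.
SAMPLE = HostConfig(accounts={"admin": True, "guest": False, "www-data": True},
    services={"https", "ssh", "telnet"}, min_password_length=8, password_lockout=False,
    tls_versions={"TLSv1", "TLSv1.2"}, logging_enabled=False, pending_updates=3,
    world_readable_paths={"/var/www/config/db.ini"})
```

Running `audit(SAMPLE)` on the constructed host yields eight findings, one per misconfiguration; a host that satisfies the checklist returns an empty list.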