How are Security Misconfigurations Detected, Diagnosed and Determined?
Security misconfigurations, one of the OWASP Top 10 vulnerabilities, erode the security posture immensely because they occur frequently and are easy to exploit. When such vulnerabilities are not identified, or are identified but left unaddressed, the damage they can cause only grows.
This article provides a deep dive into security misconfigurations and their detection, diagnosis, and prevention.
What are Security Misconfigurations?
Security misconfiguration vulnerabilities occur when the configurations and security controls for an application, server, network, or any other layer of the application stack are not properly implemented, or are implemented with dangerous gaps and errors by mistake.
In the complex and dynamic IT landscape, misconfigurations can arise in any of the multiple layers of the application stack, such as the servers, network services, platform, framework, databases, and so on. Common examples include:
- Directory listing is not disabled
- Unpatched software, legacy options, unwanted services, unused pages/ features, and unprotected files/ directories running on the application
- Debug mode is used in the production environment
- Outbound connections to internet services are enabled
- Unnecessary admin ports are left open
Why Do These Vulnerabilities Occur?
- Human error is at the core of many misconfigurations
- The misconception of ‘don’t fix what is not broken’ has led developers/ businesses to leave configurations unchanged even though the configuration carries an underlying risk.
- Default settings/ configurations have been left unchanged by webmasters/ developers. Today, attackers are known to rely on unchanged and insecure default settings/ configurations to orchestrate automated attacks on applications.
- Configurations that were incomplete and meant to be temporary have remained unchanged. In this case, even an application that was safe in the development environment is exposed to a high risk of attacks in the production environment.
- Easily exploitable gateways such as unpatched software/ components/ libraries/ flaws, outdated options, unnecessary services, rarely used pages/ features, etc. are left in place.
Newer, more complex, and challenging security misconfigurations are emerging with:
- The advent of hybrid data centers
- Extensive usage of public clouds & third-party components
- Increasingly dynamic and complex applications, OS, frameworks, and workloads that are constantly upgraded/ changed
- Technologically diverse environments
- Firewalls with loosely defined and permissive policies
- Third-party vendors whose offerings lack visibility and/or shared responsibility
How are Security Misconfigurations Detected, Diagnosed, and Determined?
1. Gaining Visibility into the Hybrid and Complex Environment
To effectively prevent misconfigurations and protect the application, organizations must understand what they have in their hybrid and complex environments. This can be done by gaining the right kind of visibility into the environment.
To do so, a real-time map of the entire ecosystem is necessary. All assets and the communication and workflows across the entire environment (including on-premises, hybrid cloud, containers, micro-services, third-party/ external/ shared components) must be inventoried and mapped accurately. This is done using asset discovery scans, security scanning, network diagrams and spreadsheets, and IP databases.
Visibility gives a deep insight into the expected behaviors, performance, and health of the different assets in the infrastructure, and potential misconfigurations can be identified from it.
For instance, the real-time communication and flow map reveals that the application is returning verbose error messages containing internal data. Deeper diagnosis identifies that the debugging mode used during development was not disabled when the application went live, so the business can fix it before attackers get a chance.
2. Scanning and Testing Internally and Externally for Misconfigurations
Once visibility is gained into the environment, assets, expected behavior, communication, and workflows, the application and all its assets need to be scanned thoroughly to identify security misconfigurations. Known misconfigurations are easily identified by intelligent, automated scanners, such as those from AppTrana. Testing is imperative to identify unknown vulnerabilities and the exploitability of all (known and unknown) vulnerabilities.
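As an added illustration (not code from the original article or from AppTrana), the checks below run over constructed HTTP responses of the kind an internal scan of your own application might collect, and flag three of the misconfigurations the article lists: directory listing left enabled, verbose debug output leaking internal data, and server version disclosure. The sample responses, paths and signature patterns are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample responses (status, headers, body) for three paths of a
# hypothetical application; these are not real captures.
SAMPLE_RESPONSES = {
    "/uploads/": (200, {"Server": "nginx/1.18.0", "Content-Type": "text/html"},
                  "<html><head><title>Index of /uploads/</title></head>"
                  "<body><h1>Index of /uploads/</h1><a href='backup.sql'>backup.sql</a></body></html>"),
    "/api/orders/abc": (500, {"Server": "Werkzeug/2.0.3 Python/3.9.2", "Content-Type": "text/html"},
                        "<title>ValueError // Werkzeug Debugger</title>"
                        "Traceback (most recent call last):\n"
                        '  File "/srv/app/orders.py", line 42, in get_order'),
    "/": (200, {"Server": "nginx", "Content-Type": "text/html"}, "<html><body>Welcome</body></html>"),
}

@dataclass
class Finding:
    path: str
    issue: str
    evidence: str

# Signatures of verbose error output that indicates debug mode was left on in production.
DEBUG_PATTERNS = [
    r"Traceback \(most recent call last\)",
    r"Werkzeug Debugger",
    r"Exception in thread",
    r'File "[^"]+\.py", line \d+',
]
DIRECTORY_LISTING = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
VERSION_BANNER = re.compile(r"^[A-Za-z-]+/\d+(\.\d+)+")  # e.g. nginx/1.18.0

def audit_response(path, status, headers, body):
    """Return the misconfiguration findings visible in one HTTP response."""
    findings = []
    if DIRECTORY_LISTING.search(body):
        findings.append(Finding(path, "directory listing enabled", "Index of page served"))
    for pattern in DEBUG_PATTERNS:          # one finding per path is enough
        match = re.search(pattern, body)
        if match:
            findings.append(Finding(path, "verbose error / debug output", f"HTTP {status}: {match.group(0)}"))
            break
    server = headers.get("Server", "")
    if VERSION_BANNER.match(server):        # a bare product name without a version is not flagged
        findings.append(Finding(path, "server version disclosed", server))
    return findings

def audit_all(responses):
    """Audit every (path -> response) pair and collect the findings."""
    return [f for path, (status, headers, body) in responses.items()
            for f in audit_response(path, status, headers, body)]
```

The same checks can be pointed at responses gathered from a staging copy before release, which is where the debug-mode case in the previous section would have been caught.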
3. Prevention of Misconfigurations
After gaining full visibility into the environment, and detecting and determining the risk of security misconfigurations, the critical assets and infrastructure must be identified.
Unnecessary communication with the critical infrastructure must be blocked with a micro-segmentation approach. So, even if any vulnerabilities are exploited, the attackers will not gain access to sensitive information or critical assets.
Further, necessary steps must be taken to mitigate the misconfigurations and strengthen the security posture. For instance, updating software, removing legacy and unused features, changing default configurations, and so on.
With several different variations and combinations possible, the success rate of attacks that are orchestrated by exploiting security misconfiguration vulnerabilities is high. Given the criticality of web application security and data privacy & confidentiality, the proactive detection and mitigation of security misconfigurations is a matter of business continuity. Remember that detecting and mitigating such misconfigurations is not a one-time action; the process must be repeated regularly to ensure a robust security posture.