Post Pages

The OWASP TOP 10 – Security Misconfiguration

Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

Security misconfiguration is an extensive topic that covers many vulnerabilities within it from various sources. It may include hardware, software, application environment, network, and any other associated front-end or backend system, which are taking part in rendering intended application services. The misconfiguration of systems can be an easy lead to let hackers into your system, so it’s important to understand the risks.

This article is aligned to provide an overarching view of security misconfiguration in the context of web applications and covers basic steps to make sure Computer systems/applications have operational security.

Considerations for Deployment

It’s important to configure software for security once it’s installed rather than keeping its default settings. For this system administrator need to manage the software and its environment consider but not limited to the following:

Hardening – How is the system configured, and is it secure? Did the system administrator disable unnecessary services and restrict the operating system against possible attacks? Refer CRCE detailed knowledge Page to know more about Operating System Secure Implementation and Operations.

Environment configuration – Is the environment properly managed? Is it configured to only allow authorized individuals? Let’s take a closer look at these topics to make sure our software is operationally secure once it’s been deployed.

Building the Minimum Security Baseline

Misconfiguration Problems

Promoting security best practices is key to building a stronger culture of security. This starts with configuring your software and its environment correctly. Below are some common misconfigurations which are seen so frequently in implementations.

  • A common problem with misconfiguration is using default settings. This can be a security risk because software often ships with the assumption that users will change those default passwords and settings.
  • Another problem is when unused services remain enabled. If these services aren’t being used, they can also be a security risk.
  • The configuration of applications in your environment applies to not only software, but servers, network devices, and more.
  • Poor account management leads to credentials left in their default configuration. It’s important to know that these credentials can apply to more than just passwords. They can apply to user account names, API tokens, and salts as well. Default credentials for user accounts can end up being a risk because they tend to be the same, and they can be found online.
  • While most organizations have a central system like Microsoft Active Directory (AD) to manage users, not all operating systems support it. Across all environments, admins and business owners need to consider the management of permissions, user accounts, and weak credentials.
  • Verbose error messages are another common misconfiguration. Error messages can give too much information away.

Countermeasures against Security Misconfiguration

Streamline Configuration activities

Ensuring a secure and consistent environment between development, test, and production systems requires the right configuration activities. These include disabling test or guest accounts, disabling unnecessary services, explicitly assigning restrictive access rights, and ensuring you have a configuration database.

  • Test Accounts – Accounts should follow the principle of least privilege, and any test or guest accounts on the server should be disabled or removed.
  • Services – If you don’t need network or system services installed, make sure you remove them. Active services that are not in use are easy targets because nobody is likely to maintain them.
  • Access Rights – Each access right should be carefully granted and denied by default. This should be in place for all of the development, test, and production environments.
  • Configuration DB (CMDB) – Having a way to consistently deploy standard configuration across your organization helps to keep systems secure. Most CMDBs will contain documentation, tests, implementation tools, and more to help deploy systems securely.

Perform Rigorous Hardening

Hardening is the process of locking down a system to the most restrictive state, with which it can also able to perform intended functions and deliver services. This tends to deal with locking down the hardware, OS services, and installed server software.

Hardware and systems – We harden hardware and operating systems by locking them down to the most restrictive level possible. This is called a minimum security baseline (MSB). The baseline can be unique to each organization based on policy or follow an industry standard. The goal with the MSB is that each newly deployed system is secure by default through a repeatable, less error-prone system image.

Operating system services – Operating systems by default run services that you don’t need and may even be insecure. For instance, a web server, or FTP client might run by default, providing hackers an entry point into your system. Hardening services involves disabling or removing services that may provide access to the OS. This also includes disabling or restricting access to guest and default accounts that tend to come bundled with services. Refer CRCE detailed knowledge Page to know more about Operating System Secure Implementation and Operations.

Software – The final step is to ensure that your software is developed with security in mind and does not leave any room for hackers to breach it. There are several guides widely available that you can use to harden your software and keep it up to date.

Standardizing Builds

Consistency is also a security issue. Imagine having to deploy all of the servers and workstations in an organization. How would you manage those systems if they were all configured slightly differently each time? To address this, create a standard build, or automated configuration script, with fully patched software that helps reduce human error. The idea is to build once and deploy many so that all systems are at least at a security hardening baseline that’s acceptable to the business. A big part of having a standard build is to reduce the chances of human error, which easily bubbles to the top when people are forced to do repetitive tasks. A baseline, especially one that’s periodically reviewed and updated, will go a long way to helping ensure consistency between servers and environments and making it less likely to encounter security misconfiguration.

Regular Patch Management & Audits

Much like deploying multiple servers, having a good inventory of systems can be a challenge. This is especially true when it comes to maintaining those systems after you build them.

Manually patching systems can be risky and lead to systems being forgotten, which can then be easily exploited by hackers. With this in mind, a central patch management server can go a long way in keeping your systems updated. The central server can push out patches and help report systems that are not compliant with your patching strategy. Without centralized management, manually doing this would be tiring and prone to errors.

When combined with periodic audits to inspect system compliance, centralized management can ensure that your systems are working effectively, and also help identify areas that may need improvement.

Control Generic Error Messages

Use generic errors that provide as little information as possible. Sometimes it can be tricky to balance a user-friendly experience with security, but as long you’re responsible for what information you reveal to users, you can achieve both.

Key Take Away from this Article

In summary, security misconfiguration is a broad topic but comes down to ensuring that systems and software are configured with secure settings. This often comes down to simple precautions, such as limiting the amount of information your system discloses to attackers. It can also relate to hardening servers and ensuring that your system and software are consistently secured across your applications and environments.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: