Page 35 - Security Today, June 2018

than half (53 percent) of organizations that use cloud storage services like Amazon S3 admitted to accidentally exposing at least one such service to the public. Meanwhile, in OWASP’s annual list of the top 10 most critical application security risks, security misconfiguration was ranked in the top five.
As more organizations move operations to the cloud, security misconfigurations are attackers’ “low-hanging fruit” and among the most frequent loopholes that they leverage to gain easy access to an organization. For this reason, both the SANS Institute and the Council on Cybersecurity (CCS) recommend that once organizations create an inventory of hardware and software, the most important security control is securing configurations.
So, why are these misconfigurations so common? Security misconfigurations are easy mistakes to make. Cloud vendors have worked to make access configurations as flexible as possible, but that has also made it very easy to inadvertently expose cloud environments (buckets) and the data inside them. These buckets can be accessed simply through a URL, as long as the user has the appropriate permissions.
Misconfiguration is also more likely to occur when security settings are being changed; for instance, when new rules are added to a cloud environment, or when the existing rules are being altered or replaced. Misconfigurations can occur at any level of the application stack—the platform, web server, database, framework, and custom code.
It is also common for attackers to take advantage of poorly configured devices, such as those using default passwords. Attackers are looking for systems that have default settings that are immediately vulnerable, and once an attacker exploits a system, they can start making changes and exfiltrating data. If there is a small error in a security system, for instance, the use of default settings or unhardened security, it could provide access to an unauthorized, and potentially malicious, third party.
Preventing Security Configuration Errors
Unfortunately, human error rests at the core of misconfigurations. Yet, although they are easy to exploit, there are many proactive steps organizations can take to reduce the frequency of these mistakes.
There’s a common misconception that cloud providers handle security. When adopting cloud services, it is critical to understand what IT security is being provided by the cloud provider, and what security is the responsibility of the organization. For example, the secure configuration of the services and applications being used in addition to vendor-provided services will likely be the responsibility of users, not the vendor. Be sure to understand the vendor’s shared security responsibility model. Ultimately, each party is accountable for different aspects of IT security and both parties must work together to achieve complete coverage.
One of the most important pillars of preventing these kinds of incidents is a strong secure configuration management process. By setting standard configurations for systems based on industry best practices and continuously monitoring for changes from that baseline, organizations can quickly identify a misconfiguration that could be exploited—before a breach occurs. In fact, the Center for Internet Security (CIS) has created the CIS Amazon Web Services Foundations benchmark policy, which provides guidance on best practice security configuration options within the AWS management console.
A secure configuration management (SCM) solution can help organizations accomplish this efficiently and effectively, especially in such complex environments. Some of the highest profile breaches could have been prevented by taking this foundational step.
Experts continue to stress that the latest security tools can be useless if the basic essentials of security are not met. In addition to secure configuration, organizations should build out a stronger foundation by checking and fixing vulnerabilities (lack of patching known vulnerabilities is another simple cause for high-profile incidents), managing administrative privileges carefully, and paying attention to audit logs.
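As an added illustration of the baseline-and-monitor approach described above (not code from the article or from any vendor), the following sketch compares bucket configuration snapshots against an approved baseline and flags settings that expose a bucket publicly. The snapshot schema, bucket names, and sample data are constructed assumptions; the two group URIs are the real S3 predefined groups.

```python
# Added example: constructed snapshots in a hypothetical schema.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

def as_list(value):
    """Policy fields may be one string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def public_findings(cfg):
    """Reasons this bucket snapshot is open to anyone."""
    out = []
    for grant in cfg.get("acl", []):
        if grant["grantee"] in PUBLIC_GROUPS:
            group = grant["grantee"].rsplit("/", 1)[-1]
            out.append(f"acl:{group}:{grant['permission']}")
    for stmt in cfg.get("policy", {}).get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        wildcard = "*" in as_list(principal)
        # Simplification: a statement with any Condition is not flagged.
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            out.extend(f"policy:*:{a}" for a in as_list(stmt.get("Action")))
    return out

def drift(baseline, current):
    """Settings whose value differs from the approved baseline."""
    return sorted(k for k in baseline.keys() | current.keys()
                  if baseline.get(k) != current.get(k))

def audit(baseline, buckets):
    """Per-bucket report; compliant buckets are omitted."""
    report = {}
    for name, cfg in buckets.items():
        result = {"drift": drift(baseline, cfg), "public": public_findings(cfg)}
        if result["drift"] or result["public"]:
            report[name] = result
    return report

OWNER = {"grantee": "owner-canonical-id", "permission": "FULL_CONTROL"}
BASELINE = {"acl": [OWNER], "policy": {"Statement": []}, "logging": True}
BUCKETS = {  # constructed: one compliant bucket, two that drifted
    "reports": {"acl": [OWNER], "policy": {"Statement": []}, "logging": True},
    "exports": {"acl": [OWNER, {"grantee": ALL_USERS, "permission": "READ"}],
                "policy": {"Statement": []}, "logging": False},
    "assets": {"acl": [OWNER], "logging": True, "policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}},
}
print(audit(BASELINE, BUCKETS))
```

Running the same comparison on every configuration change, rather than on a schedule alone, catches the case the article describes where a rule is altered or replaced and exposure is introduced as a side effect.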
Don’t Let a Simple Mistake Lead to Big Consequences
While environments continue to evolve, the foundational tenets of security remain the same: maintain visibility of your attack surface, minimize your attack surface, and continue to monitor it. The critical security controls applied in your traditional environments should be applied just the same in cloud environments. Growing complexity is not an excuse to brush security best practices aside.
There is security technology available today to meet the modernization of hybrid enterprises—technology that automates the assessment, monitoring, and management of configurations across all systems to ensure ongoing security and compliance.
Don’t let something as simple as a misconfiguration leave your data exposed.
David Meltzer is chief technology officer at Tripwire.