Have you ever heard of the 80/20 rule? The 80/20 rule, also known as the Pareto principle, was named after the Italian economist Vilfredo Pareto. It states that 80% of consequences come from 20% of causes. Though only a theory, the 80/20 rule has been empirically observed in numerous facets of business.
Cybersecurity is no exception to the 80/20 rule. Let’s assume that 80% of cyberattacks originate from 20% of negligent security practices. Or conversely, 20% of prudent security practices can prevent 80% of cyberattacks. In both ways, it can be inferred that basic security practices can protect your organization from advanced threats. To illustrate this, let’s take a look at three massive and damaging attacks that evolved as a result of simple misconfigurations.
Capital One data leak incident
In 2019, credit card details of 100 million Capital One Financial Corp. customers were leaked online. The root cause for the data breach was a misconfigured firewall in Capital One’s infrastructure, which allowed a former employee to access the AWS S3 cloud storage server data and post it on GitHub.
Microsoft Power Apps data leak incident
During the COVID-19 pandemic, around 38 million records from various web applications that used Microsoft Power Apps were exposed to the public. The cause for this massive data breach was a misconfiguration in the default software setting of the Microsoft Power Apps platform that required users to manually enable a privacy setting to secure files. Users who did not enable the privacy setting had their files made publicly accessible.
Mirai attack
Since 2016, Mirai malware, known for its self-propagating botnet, has fed on common misconfigurations to exploit IoT devices. Mirai malware conducts a brute-force attack on vulnerable IoT devices using default credentials to gain unauthorized access to the network and build its botnet.
Default credentials are a common misconfiguration, yet they pose a greater threat to cybersecurity than any other type of misconfiguration. If you are a SOC manager, here are the top 10 misconfigurations that you should keep track of.
Top 10 cybersecurity misconfigurations to look out for
The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory (CSA) in 2023 on the most common cybersecurity misconfigurations in large organizations. Consider these as the 20% of misconfigurations that, if not addressed, could cause 80% of cyberattacks in your network.
The following are the misconfigurations identified and published by the NSA and CISA:
1. Default configurations of software and applications
Networking devices and software applications come with factory-set default credentials. It is important to change such default credentials while installing these devices or applications. When the default usernames and passwords remain unchanged, these devices and applications can open backdoors for threat actors to access your network.
2. Improper separation of user/administrator privilege
It is important that you segregate your cluster of admin and user accounts and assess the purpose of an account before granting account privileges. Generally, multiple roles are assigned to a single admin account or service account to permit domain control. But such excessive privileges to a single account can create a ruckus in the network when these accounts are compromised.
3. Insufficient internal network monitoring
Effective network monitoring is achievable only through proper network configuration. Most organizations end up configuring only their hosts, enabling host-based logging for host-based monitoring. Using this method allows you to detect the compromised hosts in the network but not the source of compromise. For thorough internal network monitoring, you should securely configure all devices and applications, including routers, switches, IoT devices, and endpoint security solutions like firewalls and anti-malware solutions that monitor inbound and outbound connections.
4. Lack of network segmentation
A one-size-fits-all approach doesn’t fit an extensive network. Privileges and permissions are not the same throughout a network, so large networks are divided into smaller subnetworks. By dividing your larger network into manageable units, you can easily set up security boundaries within the network and configure unique security controls to each subnetwork.
Without network segmentation, the network exists as a single entity through which attackers can move laterally and escalate attacks, like supply chain attacks and ransomware attacks.
5. Poor patch management
Outdated software and firmware are hotspots for attackers to gain access to your networks. Adding to this, software and firmware are transient in nature and may turn incompatible with your environment over time. Such incompatibilities are like needles in a haystack that can come back to prick you if identified first by attackers.
For instance, Log4Shell, a vulnerability in Apache’s Log4j logging library, was subject to a zero-day exploitation in 2021. The zero-day vulnerability enabled remote code executions by attackers, leading to crypto mining, ransomware attacks, and DDoS attacks on the victim systems.
6. Bypass of system access controls
Storing user credentials enables adversaries to overthrow actual system access controls. Because attackers are now capable of breaking through your authentication systems without actual passwords or security codes. Attacks like brute-force and password spray attacks are carried out using stolen credentials, providing initial access to adversaries to carry out other sophisticated cyberattacks.
7. Weak or misconfigured multi-factor authentication (MFA) methods
The conventional password login process is now being replaced by MFA methods like smart cards and smart tokens. As your organization switches to new methods of authentication, you may forget about adhering to previous password policies. But the hashes for passwords no longer in use still exist and can still be used by threat actors to enter your network.
8. Insufficient access control lists (ACLs) on network shares and services
A network ACL encompasses all permissions associated with a network resource. When you do not configure the ACLs properly for shared network resources, unauthorized personnel might gain access to sensitive data shares, repositories, and administrative data on shared drives.
Threat actors can access your sensitive data shares by using commands, open-source tools, or custom malware. These data shares might contain personally identifiable information (PII); service account and web application credentials; service tickets; and other information relating to your network like network topology, vulnerability scan reports, and threat modelling data. All this information can be exfiltrated to execute a ransomware attack, DDoS attack, or social engineering attack. It is vital that you closely inspect all permissions associated with your network resources.
9. Poor credential hygiene
Poor credential hygiene refers to the use of poor passwords that can be easily cracked, improperly configured MFA, and unprotected storage of passwords. A credential compromise takes place when a clear-text password or a password hash is stolen by adversaries. It is vital to implement eminent password policies that comply with the NIST guidelines by properly configuring MFA, like phishing-resistant MFA, to secure the entry points to your network.
10. Unrestricted code execution
It is important to keep track of all executable files in your network. Attackers are never tired of luring users to click phishing emails to auto-execute malicious scripts and codes in the background. According to the joint advisory from the CISA and NSA, adversaries execute unverified codes in the form of executables, dynamic link libraries (DLLs), HTML applications, and macros (scripts used in office automation documents) to exploit a network after initial access.
You can prevent malicious code executions by enabling system settings that prevent downloads from unverified sources and also restrict program executions by analyzing digital signatures, certificates, and key attributes.
Attackers are continuously looking for ways to exploit the 20% of misconfigurations in your network. To avoid employees taking the bait, your SOC team needs to evaluate and adjust your network to ensure it’s free from the above misconfigurations. Investing in a SIEM solution like ManageEngine Log360 is your first step to defend against the ramifications of cybersecurity misconfigurations.
Here’s how you can secure your network using Log360:
- Get complete visibility into your network with real-time logging and predefined audit reports.
- Monitor privileged user activities and lateral movement with predefined correlation rules.
- Defend against potential threats with real-time alerts.
- Track anomalous user activities with user and entity behavior analytics.
- Prevent potential attacks with automated incident response.
Would you like to know more? Then sign up for a personalized demo today.
First published in Top 10 cybersecurity misconfigurations and how to avoid them.