
One of the most common factors that can lead to cybersecurity incidents is a security misconfiguration vulnerability in software or application settings. The default settings that come with the implementation of these tools and solutions are often not configured securely, and many organizations do not invest the time and resources into ensuring that they are.
Several regulatory organizations have established standards for avoiding security misconfigurations in order to prevent misconfiguration attacks and accidental security breaches, maintain compliance with regulations, and strengthen the overall cybersecurity posture of any business. Cyber Security Hub recorded a webinar with Fortra’s Tyler Reguly about the top security misconfigurations to watch out for.
Security Misconfiguration: Overview
A security misconfiguration is a critical vulnerability that exposes systems to cyber threats by leaving default settings, weak access controls, or unpatched software in place. Attackers exploit these misconfigurations to gain unauthorized access, steal sensitive data, or disrupt operations. Regular security audits, proper configuration management, and timely patching are essential to prevent breaches.
Misconfigurations can occur in both on-premises and cloud assets. Listen to the Tripwire podcast episode "Cloud Misconfigurations: Simple Mistakes, Big Consequences" to learn more about managing misconfigurations in the cloud.

The Impact of Security Misconfigurations
Security misconfigurations pose a significant risk to organizations, creating opportunities for data breaches and cyberattacks. According to Gartner, 99 percent of firewall breaches through 2023 were due to misconfigurations rather than firewall failures themselves.
Misconfigurations occur across the digital infrastructure, from cloud settings to application servers. For example, a staggering 87 percent of container images contain high or critical vulnerabilities, many of which stem from misconfigurations. These lapses give attackers easy access to sensitive data, enable lateral movement within networks, and often go undetected until it’s too late. The impact extends beyond technical consequences, affecting an organization’s reputation, financial standing, and compliance posture.
Industry Standards and Organizations
Some of the industry frameworks and regulations that have guidance around misconfigurations include:
- The Center for Internet Security (CIS) is a community-driven nonprofit organization, known mainly for the CIS Controls and CIS Benchmarks. There are 18 Critical Security Controls and 639 published benchmarks, as well as other resources provided by CIS, including hardened operating system images, CIS RAM (Risk Assessment Method), and Information Sharing and Analysis Centers.
- MITRE, another nonprofit, was established in an effort to advance national security and serve the public interest. MITRE’s ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a globally accessible knowledge base of adversary tactics and techniques, built to raise awareness of the threat landscape and used as a foundation for developing threat models and methodologies.
- The Defense Information Systems Agency (DISA), the IT provider for the Department of Defense, has established Security Technical Implementation Guides (DISA STIGs) developed by the DISA Risk Management Executive in order to give the DoD operationally implementable secure configuration guidance.
- The National Institute of Standards and Technology (NIST) has SP 800-53, a special publication breaking down security and privacy controls for information systems and organizations, sorted into 20 families. NIST developed this publication to fulfill certain new responsibilities mandated for the institute by the Federal Information Security Modernization Act (FISMA) in an effort to establish and maintain compliance.
Top Cybersecurity Misconfigurations and Attacks: Examples
In an effort to help organizations and developers understand the most prevalent security misconfigurations to watch out for, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) red and blue teams have put together a list of the top ten cybersecurity misconfigurations. These misconfigurations have the potential to cause severe damage to businesses and even national security, so the list has been developed as “a plea for network defenders and software manufacturers to fix common problems.”
Default configurations of software and applications
Relying on default settings often means leaving weak security controls in place, as default configurations cater toward ease of use rather than security. These configurations are widely known and easily exploited by attackers looking for vulnerabilities in commonly used software.
Improper separation of user/administrator privilege
Granting users administrative access or combining user roles increases the risk of accidental or malicious changes to critical systems. Restricting privileges to only what is necessary helps minimize the potential damage from compromised accounts.
Insufficient internal network monitoring
Without diligent monitoring, threats inside the network can move undetected for extended periods. This oversight can lead to delayed incident response and greater impact from internal or lateral attacks.
Lack of network segmentation
An unsegmented network architecture allows attackers to freely access sensitive systems once inside the network. Proper segmentation adds layers of defense and limits movement across the environment.
Poor patch management
Failing to apply security patches in a timely manner leaves known vulnerabilities open to exploitation. Attackers often target outdated systems because they're easier to breach and typically less protected.
Bypass of system access controls
Disabling or weakening access controls for convenience can leave critical systems exposed. These shortcuts reduce security oversight and make it easier for unauthorized users to gain entry.
Weak or misconfigured multifactor authentication (MFA) methods
Improper MFA settings, like using easily spoofed factors or partial implementation, can undermine its effectiveness. Strong MFA needs to be configured correctly to provide effective protection against unauthorized access.
Insufficient access control lists (ACLs) on network shares and services
Overly permissive ACLs give users more control than necessary, increasing the chance of data leaks or accidental changes. Strict, role-based permissions help secure sensitive files and services.
Poor credential hygiene
Weak, reused, or predictable passwords make it easy for attackers to compromise accounts using tactics like credential stuffing. Enforcing strong password policies and regular updates is essential for basic cybersecurity hygiene.
Unrestricted code execution
Allowing unknown or unverified code to run without proper scanning invites malware and unauthorized software into the environment. Execution controls help prevent malicious payloads from compromising systems.
Download the guide 10 Common Security Misconfigurations and How to Fix Them to learn more.
Prevention Strategies for Security Misconfigurations
Preventing security misconfigurations starts with a proactive, consistent approach to system setup and maintenance. By standardizing and automating best practices, organizations can reduce the risk of human error and strengthen their overall security posture. The bedrock of configuration security is applying the security control known as security configuration management (SCM). Automated solutions can enforce configuration security across your environment to ensure no misconfiguration goes undetected.
Implementing a repeatable hardening process
Establishing a standardized process for configuration security, such as implementing an SCM solution, ensures consistent protection across all environments.
Removing unnecessary features and services
Disabling unused or insecure components reduces the attack surface and minimizes potential entry points for bad actors.
Regularly reviewing and updating configurations
Routinely scanning for misconfigurations helps identify outdated or insecure settings before they can be exploited.
Ensuring secure settings in application servers and frameworks
Configuring application servers and frameworks with security in mind protects against misconfiguration-related breaches.
Automating configuration verification processes
Automated SCM tools can detect and remediate misconfigurations faster than manual methods, improving response time and accuracy.
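As an added example (not code from this page or from Tripwire), the following Python sketch shows the baseline, policy-check and drift-detection cycle described above on a constructed configuration. The setting names and the rules mapping them to the misconfiguration categories listed earlier are assumptions for illustration only.

```python
import hashlib
# Constructed sample of settings captured from a hypothetical server,
# flattened to key=value lines (not taken from any real system).
CAPTURED_CONFIG = """\
admin_password=admin
mfa_required=false
allow_all_users_sudo=true
share_acl=Everyone:Full
patch_auto_apply=false
unsigned_code_execution=true
"""
# Assumed rules keyed to the NSA/CISA categories: (setting, predicate, category, severity)
RULES = [
    ("admin_password", lambda v: v not in {"", "admin", "password"},
     "Default configurations / poor credential hygiene", "critical"),
    ("mfa_required", lambda v: v == "true",
     "Weak or misconfigured MFA", "high"),
    ("allow_all_users_sudo", lambda v: v == "false",
     "Improper separation of user/administrator privilege", "high"),
    ("share_acl", lambda v: "Everyone" not in v,
     "Insufficient ACLs on network shares and services", "medium"),
    ("patch_auto_apply", lambda v: v == "true",
     "Poor patch management", "medium"),
    ("unsigned_code_execution", lambda v: v == "false",
     "Unrestricted code execution", "high"),
]

def parse_config(text):
    """Parse key=value lines into a dict, skipping blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def baseline_hash(settings):
    """Fingerprint of a config, so later scans can detect drift cheaply."""
    canonical = "\n".join(f"{k}={settings[k]}" for k in sorted(settings))
    return hashlib.sha256(canonical.encode()).hexdigest()

def evaluate(settings):
    """Findings (setting, category, severity) for each rule that fails or is unset."""
    return [(key, cat, sev) for key, ok, cat, sev in RULES
            if settings.get(key) is None or not ok(settings[key])]

def detect_drift(baseline, current):
    """Keys whose value changed since the approved baseline was recorded."""
    return sorted(k for k in set(baseline) | set(current)
                  if baseline.get(k) != current.get(k))
```

Running `evaluate(parse_config(CAPTURED_CONFIG))` reports all six constructed settings as findings; after remediation, `detect_drift` lists exactly the keys that changed, which is the change-management step of the SCM cycle.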
Software to Prevent Security Misconfigurations
There are a number of ways that organizations can prepare for and prevent security misconfigurations and the risks that arise from them. As is often the case, knowledge is foundational to security and defense. Organizations must understand the problems at hand, the best methods for preventing those problems, and the most efficient way to establish secure practices using the resources available.
First, it is vital to be aware of the various benchmarks, standards, and policies developed by industry experts and regulatory entities in order to aid in secure configuration. There are many resources for learning this information in different formats. Organizations are encouraged to read the official documentation, enroll in training courses, and attend vendor webinars.
It is also important to establish an understanding of the company resources at your disposal. This comes down to people, money, and tools. Each organization has its own expertise, budget, and arsenal of tools, and finding a balance between these resources is an essential part of ensuring security. Organizations with fewer people, for example, may have to use tools that are simpler, as complex tools require more management.
Security Misconfigurations: Final Thoughts
Security misconfigurations, such as server security misconfigurations, are some of the most common vulnerabilities that bad actors take advantage of in order to infiltrate organizations and launch attacks. These misconfigurations arise largely from a lack of understanding of the risks and dangers associated with improperly configured security settings. Security misconfigurations can lead to malware and ransomware, data breaches, and a wide range of other major security incidents.
Fortra’s Security Configuration Management (SCM) solution, Tripwire Enterprise, accounts for the most common problems and uses a process of asset discovery, baselining, change management, policy enforcement, and reporting and remediation in order to minimize security misconfigurations, prevent security misconfiguration attacks, and maintain compliance.
Shrink Your Attack Surface and Stay in Compliance
Security configuration management (SCM) is the process of managing the configurations of your information system assets and software, including monitoring for misconfigurations to help prevent cyberattacks and enforce compliance regulations.
Learn more about Tripwire's configuration management capabilities here: