Thought leadership. threat analysis, news and alerts.
Control Access Before Bad Actors Do
Leaving your door wide open invites bad actors. Like in real life, leaving your organization’s devices, networks or cloud accounts wide open similarly invites malicious actors. Controlling access to these devices, networks or cloud accounts controls the threat both from insiders and outsiders.
Misconfiguration, in general, is the configuration of digital system’s settings in such a way that the system behaves contrary to what it’s expected to do. Repercussions resulting in misconfigurations include exposure of sensitive data or could allow attackers to gain privileged access – the ability to perform an action with security consequences.
Misconfiguration happens because these digital systems themselves allow the sharing of data to the public or they allow privileged access. For instance, current cloud service providers allow clients to either configure or set stored data in the cloud to be shared to the public. Server operating systems, meanwhile, can be configured to allow certain individuals to have privileged access. Misconfiguration, therefore, is an internal problem that originates from within the IT infrastructure of any organization.
In recent months, security researchers have discovered troves of sensitive data stored in the cloud easily accessible to the general public. Researchers at UpGuardrecently discovered that two partners of Facebook, Mexico-based media company Cultura Colectiva and the now defunct “At the Pool” misconfigured their cloud accounts, exposing a total of hundreds of millions of Facebook customer data. According to UpGuard, the exposed customer data were each stored in Cultura Colectiva and At the Pool’s respective Amazon Simple Storage Service (Amazon S3) bucket configured to allow public download of files.
“Amazon customers own and fully control their data,” Amazon said in response to the exposure of millions of Facebook customer data. “While Amazon S3 is secure by default, we offer the flexibility to change our default configurations to suit the many use cases in which broader access is required, such as building a website or hosting publicly downloadable content. As is the case on premises or anywhere else, application builders must ensure that changes they make to access configurations are protecting access as intended.”
In February 2018, researchers at RedLockdiscovered that malicious actors accessed Tesla’s Kubernetes – a tool for managing a network of virtual machines – console as this wasn’t password protected. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry,” RedLock researchers said. As a result of the data exposure, the malicious actors performed cryptocurrency mining from within one of Tesla’s Kubernetes pods.
According to Gartner, through 2020, 99% of firewall breaches will be caused, not by flaws but by simple firewall misconfigurations. A firewall is a network security device that monitors outgoing and incoming network traffic and decides whether to block or allow certain traffic based on a defined set of security rules. Firewalls are often configured with an open policy, that is, allowing from any source to any destination as system administrators at the outset don’t know what they want to block or allow, and never get around changing this configuration, leaving the network exposed to attackers.
A case in point in the value of effective firewall configuration is the 2017 case in which a malware infiltrated the North Carolina transmission plant’s computer networkvia email. The malware spread through the plant’s network, stopping production as users were locked out from their computers. According to the plant’s information technology manager, while data on some computers were lost, the malware was blocked by a firewall when it tried to exit the plant’s network.
Another ransomware incident in 2017, this time in the Northern Lincolnshire and Goole NHS Foundation Trustwas attributed to the “misconfiguration of the firewall”. The ransomware took a Northern Lincolnshire and Goole NHS Foundation Trust hospital offline for four days and resulted in the cancellation of 2,800 patient appointments.
Best Practices & Prevention
Here are some cybersecurity measures in order to prevent or mitigate the effects of misconfigurations:
Apply the Principle of “Least Privilege”
Least privilege is the concept and practice of restricting access to accounts and computing processes only to certain individuals based on their job necessities. Restricting a certain group in your organization from installing and running software application can prevent a malware from infecting your organization's network, for instance, in case this malware is unwittingly downloaded by one of your organization’s staff onto his or her computer workstation.
The Microsoft Vulnerabilities Report 2019, an analysis of Microsoft security updates in 2018 conducted by BeyondTrust, showed that of the 189 critical vulnerabilities discovered last year, 154 or 81% of the vulnerabilities could have been prevented if administrator rights had been removed.
Administrator rights, also known as admin rights, means that a user has privileges to perform virtually all functions within an operating system on a computer. These privileges include the installation of software and hardware, installation of updates and configuring or changing system settings.
Regularly Update Firewall Configuration
Regularly update your organization’s firewall to block data from certain locations, applications or ports, while at the same time allowing certain relevant and necessary data through.
Monitor for Suspicious User Behavior
Another way to prevent or mitigate the effects of misconfiguration is by monitoring suspicious user behavior. In monitoring suspicious user behavior, your organization needs to have a baseline normal user data. From this baseline data, suspicious behavior can then be detected, such as geolocation-based anomalies, time-based anomalies and event-based anomalies.
The best way to evaluate your current access controls is to perform an independent IT audit. Most IT and business executives are surprised by the results and are able to take an immediate action moving toward better security controls.
Reduce the IT risks today by speaking with one of our cybersecurity experts. Connect with ustoday.
Steve E. Driz, I.S.P., ITCP