Updated: Jul 11
Since 37% of breaches are traced back to a misconfiguration, properly configuring your network and monitoring it continuously is essential to maximum security. We’ve seen far too many news stories of companies breached because of configuration issues: SolarWinds and the recent PrintSpool discovery are just the first couple of nightmares that come to mind when I think about how misconfigurations cause vulnerabilities that lead to breaches.
So how does this keep happening to companies that are actually investing in tools and security operations? It’s all about endpoints. Hackers target endpoints. Whether they are connected to your network or not, you must protect endpoints from malicious intent. PCs (both office and home) are the primary entry point for hackers. Once they gain access through an entry point, cyber criminals move laterally through the network and organization searching for a major vulnerability. This is where misconfigurations come into play. Hackers search for databases and Active Directory, both on-prem and in the cloud. Active Directory is loaded with default settings known to be serious vulnerabilities, so this is where hackers plant their attack and paralyze an organization.
According to our partner, Gytpol, here are the leading misconfigurations to look out for:
1. Multiple EDRs installed on the same computer
2. Active Directory settings
Excessive Administrator Accounts
In this case, “more” is not a good thing. If your Active Directory has an overly long list of users with administrative rights and excessive privileges, privilege abuse becomes likely, and privilege abuse is one of the leading enablers of lateral movement for hackers.
Delegating Tasks in Active Directory
Delegating tasks to users who have no real need for a powerful position like administrator happens, but it is a bad way to do business. Delegating tasks to non-administrators without proper oversight is a massive risk: one misstep or account failure and the entire enterprise might be compromised. Don’t allow your tasks to be delegated, especially in an unmanaged way.
Bad Password Management
Passwords are the main avenue of compromise in roughly ¾ of attacks on AD systems. One weak password, or one already-compromised account bought on an underground site, is all a hacker needs to become an administrator on your network. That single, simple thing can invalidate your entire security strategy and technology portfolio. Don’t fall down the password rabbit hole: fix them and always mandate MFA.
Inactive Accounts
Inactive accounts often seem harmless, but they frequently still hold administrative privileges and will be used as a platform for a hacker to gain access to your infrastructure. Inactive accounts should be removed entirely, and audits should be run regularly to make sure you are actively mitigating those risks.
Guest Access
Be careful that your Guest and Anonymous accounts are not granted the same open access as regularly managed, authenticated users.
Lack of Visibility on Domain Controllers
Not seeing or knowing who is logging into your Domain Controllers makes it almost impossible to protect administrative accounts and privileged access. Ensure that you have a continuous and proactive way of auditing and controlling those logins, so that you can quickly react to anomalies.
Not Knowing Membership of Security Groups
Members of security groups like Domain, Enterprise and Schema Administrators have the highest levels of privilege; they are the ultimate power players in your network. If one of those users has bad credentials, the damage to your organization’s security could be catastrophic. To minimize these risks, grant membership only to the accounts that need it, and withdraw group memberships the minute they are no longer required. Do not leave those accesses or accounts live any longer than absolutely necessary.
Not Implementing Zero Trust Policies
One of the main principles of a good Zero Trust policy is that users should only log on with an account that has the absolute minimum permissions required for their job, and nothing more. Consistently track changes to privileges to ensure that the right users have the right levels of access to the right data, and nothing beyond that. Doing this reduces your risk profile, increases the visibility and accuracy of account management, and helps you respond better to anomalies.
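As an added example (this is not code from the original post, nor Gytpol’s or Pillar’s tooling), the following PowerShell script performs a read-only audit of the items above: membership of the highest-privilege groups and the count of distinct admins, inactive but still-enabled accounts (with privileged ones flagged), the domain Guest account, the default domain password policy and per-account password flags, recent logons on each domain controller, and whether more than one endpoint protection product is registered on the host. It assumes the RSAT ActiveDirectory module, a domain account with read access (plus Security-log read rights on the DCs for the logon section), and the thresholds and group names defined at the top, which are illustrative values rather than anything the post specifies.

```powershell
# Added example, not from the original post: read-only audit of the AD misconfigurations
# listed above plus the multiple-EDR check. Assumes RSAT ActiveDirectory module and a
# domain account with read access. Thresholds and group names are assumed values.
Import-Module ActiveDirectory

$InactiveDays       = 90   # assumed inactivity threshold
$MaxPrivilegedUsers = 10   # assumed ceiling for distinct privileged accounts
$PrivilegedGroups   = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# --- Security group membership / excessive administrators ---
# -Recursive expands nested groups so indirect admins are not missed.
$PrivilegedUsers = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [pscustomobject]@{ Group = $g; SamAccountName = $_.SamAccountName } }
}
$PrivilegedUsers | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$DistinctAdmins = @($PrivilegedUsers.SamAccountName | Sort-Object -Unique)
if ($DistinctAdmins.Count -gt $MaxPrivilegedUsers) {
    Write-Warning "Excessive administrator accounts: $($DistinctAdmins.Count) distinct privileged users"
}

# --- Inactive accounts (privileged ones are flagged separately) ---
$Inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled }
foreach ($acct in $Inactive) {
    $msg = "Inactive for >$InactiveDays days but still enabled: $($acct.SamAccountName)"
    if ($DistinctAdmins -contains $acct.SamAccountName) { Write-Warning "$msg (PRIVILEGED)" }
    else { Write-Output $msg }
}

# --- Guest access ---
$Guest = Get-ADUser -Filter "SamAccountName -eq 'Guest'"
if ($Guest -and $Guest.Enabled) { Write-Warning 'Domain Guest account is enabled' }

# --- Password management ---
$Policy = Get-ADDefaultDomainPasswordPolicy
if ($Policy.MinPasswordLength -lt 14) {   # 14 is an assumed minimum
    Write-Warning "Domain minimum password length is $($Policy.MinPasswordLength)"
}
if ($Policy.LockoutThreshold -eq 0) { Write-Warning 'Account lockout is disabled' }
Get-ADUser -Filter { PasswordNeverExpires -eq $true -or PasswordNotRequired -eq $true } `
           -Properties PasswordNeverExpires, PasswordNotRequired |
    ForEach-Object {
        $flag = if ($DistinctAdmins -contains $_.SamAccountName) { ' (PRIVILEGED)' } else { '' }
        Write-Output "Weak password settings: $($_.SamAccountName)$flag"
    }

# --- Domain controller logon visibility: who logged on to each DC in the last 24h ---
# Event 4624 property indexes follow the Windows security event schema:
# [5] = TargetUserName, [8] = LogonType.
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1)
        } |
        ForEach-Object { [pscustomobject]@{ DC = $dc.HostName; User = $_.Properties[5].Value; LogonType = $_.Properties[8].Value } } |
        Where-Object { $_.User -notmatch '\$$' } |    # skip machine accounts
        Group-Object DC, User, LogonType |
        Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
    } catch { Write-Warning "Could not read Security log on $($dc.HostName): $_" }
}

# --- Multiple EDR / antivirus products on this host (SecurityCenter2 exists on client Windows only) ---
$Av = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
if ($Av.Count -gt 1) {
    Write-Warning "Multiple endpoint protection products registered: $($Av.displayName -join ', ')"
}
```

Run it from an administrative workstation; it changes nothing in the directory. Lines prefixed with WARNING are the findings worth a ticket, and the 4624 table gives the baseline of normal DC logons against which an unexpected account or logon type stands out.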
In addition to our partner’s recommendations, we also recommend:
Disabling unused services
Unused services on a networked device provide a larger surface area for attack. The more protocols and services that are exposed, the more opportunities attackers have to identify and exploit a vulnerability. By disabling unused and unneeded services, you reduce the attack surface of the device.
Disabling insecure services
Some software services enabled by default on a networked device are inherently insecure. One example is Telnet, which allows remote shell access to a device but passes credentials in cleartext. Always opt for a secured service and disable the insecure one. In this example, the more secure SSH service should be used for remote shell access, as SSH encrypts the session.
Changing default passwords
Many network appliances and third-party server software install with a publicly documented default password; a database engine or a purpose-built network appliance are typical examples. Attackers try unchanged default passwords first because they are the path of least resistance. By ensuring default passwords are changed, you avoid an easy compromise of privileged accounts.
Documenting and adopting a configuration standard for device types
Consistent configuration provides consistent security outcomes. By defining, documenting, and adhering to a device configuration standard, you ensure that devices within your environment have a consistent level of security protection applied to them. Many vendors, as well as non-profit consortiums, provide secure configuration frameworks based on best practices and security testing.
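One way to put the four recommendations above into practice on a Windows host, as an added example that is not from the original post: a PowerShell script that compares the host against a documented service baseline (disabling unused and insecure services such as Telnet in favour of OpenSSH), previews the remediation with -WhatIf so nothing changes until the drift has been reviewed, checks the Telnet client feature, and lists local accounts that do not require a password. The baseline entries, the service names chosen, and the elevated-session requirement are assumptions for illustration; a real standard would come from the vendor or benchmark frameworks the post refers to.

```powershell
# Added example, not from the original post: audit a Windows host against a documented
# service baseline and flag cleartext/no-password configurations. The baseline contents
# are assumptions for illustration. Run in an elevated PowerShell 5.1+ session.

# Desired StartType per service name. 'Disabled' covers both unused and insecure services.
$ServiceBaseline = [ordered]@{
    'TlntSvr'        = 'Disabled'   # Telnet server: credentials cross the wire in cleartext
    'RemoteRegistry' = 'Disabled'   # unused here (assumption)
    'SNMP'           = 'Disabled'   # unused here (assumption)
    'sshd'           = 'Automatic'  # OpenSSH server: the encrypted replacement for Telnet
    'W32Time'        = 'Automatic'  # time sync: needed for Kerberos and log correlation
}

function Get-ServiceDrift {
    param([System.Collections.IDictionary]$Baseline)
    foreach ($name in $Baseline.Keys) {
        $svc    = Get-Service -Name $name -ErrorAction SilentlyContinue
        $actual = if ($svc) { [string]$svc.StartType } else { 'NotInstalled' }
        # A service the baseline requires but which is absent is drift; an absent
        # service that the baseline wants Disabled is compliant.
        $ok = ($actual -eq $Baseline[$name]) -or
              ($actual -eq 'NotInstalled' -and $Baseline[$name] -eq 'Disabled')
        [pscustomobject]@{
            Service   = $name
            Expected  = $Baseline[$name]
            Actual    = $actual
            Running   = if ($svc) { $svc.Status -eq 'Running' } else { $false }
            Compliant = $ok
        }
    }
}

$Drift = Get-ServiceDrift -Baseline $ServiceBaseline
$Drift | Format-Table -AutoSize

# Remediation preview: -WhatIf prints what would change without changing it.
# Drop -WhatIf only after the drift report has been reviewed.
$Drift | Where-Object { -not $_.Compliant -and $_.Actual -ne 'NotInstalled' } | ForEach-Object {
    if ($_.Expected -eq 'Disabled' -and $_.Running) { Stop-Service -Name $_.Service -WhatIf }
    Set-Service -Name $_.Service -StartupType $_.Expected -WhatIf
}

# Telnet client optional feature: a cleartext protocol with rarely any business need.
try {
    $telnet = Get-WindowsOptionalFeature -Online -FeatureName TelnetClient -ErrorAction Stop
    if ($telnet.State -eq 'Enabled') { Write-Warning 'Telnet client feature is enabled' }
} catch { Write-Warning "Could not query optional features (elevation required?): $_" }

# Default/empty credentials: enabled local accounts that do not require a password.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
    ForEach-Object { Write-Warning "Local account without a required password: $($_.Name)" }
```

Keeping the baseline in a file under version control, and running the drift function from a scheduled task, turns the documented standard into something that is checked continuously rather than once at build time.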
Misconfigurations are creating vulnerability nightmares for organizations across the globe. Whether an operator set the wrong configuration, didn’t know how to configure properly, or didn’t have the skills or bandwidth to focus on proper configuration, the result is a vulnerability. And whether you see those vulnerabilities or not, hackers are lurking, watching, and waiting to find a vulnerability or entry point.
Knowing which tools are right to protect your environment, architecting them properly with intelligent overlap and no gaps, and ensuring proper configuration will give you strong defenses. Good security is not good enough. Employ a defense-in-depth strategy so you don’t become the next headline.
Want some unbiased, free expertise? Sign up for an “Office Hour” with one of our CISOs.
Pillar Technology Partners is on the cutting edge of cybersecurity developments. We’re committed to helping security leaders simplify, understand, assess, remediate, and operate their information security program with a unique focus on data protection. Our CISOs, Security Engineering Teams and Incident Response Teams understand how to help you simplify cyber security. To learn more contact firstname.lastname@example.org.