Have you ever heard of the 80/20 rule? The 80/20 rule, also known as the Pareto Principle, was put forth by the Italian economist Vilfredo Pareto. It states that 80% of the consequences come from 20% of the causes, be they positive or negative. Though it isn't a proven law, the Pareto rule has been empirically observed in numerous facets of business.

Cybersecurity is no exception to the 80/20 rule. Following the idea of 80/20, let's assume that 80% of cyberattacks originate from 20% of negligent security practices. Or conversely, 20% of prudent security practices can prevent 80% of cyberattacks. Either way, it can be inferred that basic security practices can protect you from advanced threats. To illustrate this idea, let's take a look at three massive and damaging attacks that resulted from simple misconfigurations.

  • Microsoft Power Apps data leak incident

    During the COVID-19 pandemic, around 38 million records from various web applications that used Microsoft Power Apps were exposed to the public. The cause of this massive data breach was a misconfigured default setting of the Microsoft Power Apps platform, which required users to manually enable a privacy setting to secure files. Users who did not enable the privacy setting had their files made publicly accessible.

  • Capital One data leak incident

    In 2019, credit card details of 100 million Capital One Financial Corp. customers were leaked online. The leaked data was originally stored on Amazon Web Services Inc.'s S3 cloud storage. It was alleged that a former AWS employee had illegally accessed the AWS server data and posted it on GitHub. But the root cause of the data breach was a misconfigured firewall in Capital One's infrastructure, which allowed the threat actor to access the AWS server.

  • Mirai attack

    Mirai malware, known for its self-propagating botnet, also feeds on common misconfigurations to exploit IoT devices. Mirai brute-forces vulnerable IoT devices using default credentials to build its botnet. Though default credentials are a common misconfiguration, they pose a greater threat to cybersecurity than any other type of misconfiguration.

    Misconfigurations are the source of the majority of cyberthreats. If you are a SOC manager, here are the top 10 misconfigurations that every security manager should keep track of.

Top 10 cybersecurity misconfigurations to look out for

In October 2023, "the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory (CSA) which provides the most common cybersecurity misconfigurations in large organizations."

The following are the misconfigurations identified and published by the NSA and CISA in their joint CSA:

  1. Default configurations of software and applications
  2. Improper separation of user/administrator privilege
  3. Insufficient internal network monitoring
  4. Lack of network segmentation
  5. Poor patch management
  6. Bypass of system access controls
  7. Weak or misconfigured multifactor authentication (MFA) methods
  8. Insufficient access control lists (ACLs) on network shares and services
  9. Poor credential hygiene
  10. Unrestricted code execution

  • 1. Default configurations of software and applications

    Networking devices and software applications come with factory-set default credentials. It is important to change such default credentials while installing these devices or applications. When the default usernames and passwords remain unchanged, these devices and applications can open backdoors for threat actors to access your network.

    Similarly, some of the default settings in network services also invite potential threats like:

    • In Active Directory Certificate Services (AD CS), granting web enrollment permissions enables threat actors to generate fraudulent certificates. In the same way, misconfigured AD CS templates can grant low-privileged users enrollment rights to submit unauthorized certificate signing requests (CSRs).
    • The Server Message Block (SMB) service, when running without SMB signing enforced for authentication, can lead to manipulator-in-the-middle (MITM) attacks like NTLM relay.
    • As mentioned in the joint CSA, other legacy protocols and services like Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), when enabled, can allow attackers to compromise the entire Windows environment through spoofing, poisoning, and relay attacks.
  • 2. Improper separation of user/administrator privilege

    It is important that you keep admin and user accounts separate and assess the purpose of an account before granting it privileges. Often, multiple roles are assigned to a single admin account or service account to permit domain control. But such excessive privileges on a single account can cause widespread damage in the network when that account is compromised.

    Highly permissive privileges help attackers move laterally and access sensitive information once they enter your network. Keeping track of the activities of such privileged accounts can help you prevent compromises. A SIEM solution with user and entity behavior analytics (UEBA) can help you monitor privileged user activities as well as manage the overwhelming workload on your SOC team effectively.

  • 3. Insufficient internal network monitoring

    Effective network monitoring is achievable only through proper network configuration. Most organizations end up configuring only their hosts, enabling host-based logging for host-based monitoring. This allows you to detect the compromised hosts in the network but not the source of compromise. For this, you should securely configure all devices and applications including routers, switches, IoT devices and endpoint security solutions like firewalls and anti-malware solutions that monitor inbound and outbound connections.

    Once configured, you can easily enable real-time logging of these devices through which you can effectively monitor the security posture of your network in real time. A SIEM solution with predefined network audit reports, alert generation, and log forensic capabilities enables your SOC to not only attain sufficient internal network visibility but also probe into the root cause of any compromise.

  • 4. Lack of network segmentation

    A one-size-fits-all approach doesn't fit an extensive network. Privileges and permissions are not the same throughout a network, so large networks are divided into smaller subnetworks. By dividing your larger network into smaller, manageable units, you can easily set up security boundaries within the network and configure unique security controls for each subnetwork. Network segmentation is crucial because without these segments, the network exists as a single entity through which attackers can move laterally and execute attacks like supply chain attacks and ransomware attacks.

  • 5. Poor patch management

    Outdated software and firmware are hotspots for attackers to gain access to your networks. Adding to this, software and firmware are transient in nature and may become incompatible with your environment over time. Such incompatibilities are like needles in a haystack that can prick you hard if attackers find them first.

    For instance, Log4Shell, a vulnerability in Apache's Log4j logging library, was subject to zero-day exploitation in 2021. The zero-day vulnerability enabled remote code execution by attackers, leading to crypto mining, ransomware attacks, and DDoS attacks on the victim systems. So it is important that your SOC stays proactive in identifying missing patches in your environment and updating your systems to strengthen your network security.

  • 6. Bypass of system access controls

    Stored user credentials, once stolen, enable adversaries to bypass the actual system access controls, because attackers can then get through your authentication systems without the real passwords or security codes. Attacks like brute-force and password spray attacks are carried out using stolen credentials and provide adversaries with the initial access needed to carry out other sophisticated cyberattacks.

    Identity attacks like pass-the-hash illustrate the consequences of storing passwords even in the form of hashes. In a pass-the-hash attack, attackers steal users' password hashes to pose as legitimate users and move laterally across the network. It is mandatory to enable strong password protection policies and multi-factor authentication (MFA) in your network to prevent cybercriminals from compromising your network.

  • 7. Weak or misconfigured multifactor authentication (MFA) methods

    The conventional password login process is now being replaced by MFA methods like smart cards and smart tokens. As we switch to new methods of authentication, we tend to forget about adhering to previous password policies. But the hashes for passwords no longer in use still exist and can still be compromised by threat actors to enter your network.

    Enabling MFA alone does not safeguard your network. It is crucial that you configure the various MFA methods correctly to stay protected against attacks like phishing, push bombing, and SIM swapping.

    • Phishing is the most common method of social engineering used by adversaries to gain MFA information.
    • In push bombing, the attacker tries to log in to a user's account using stolen credentials, which in turn prompts the user to authenticate via MFA. By attempting to log in continuously, attackers bombard the user with multiple MFA requests, and at some point the user might be tricked into approving one.
    • In a SIM swapping attack, the hacker, posing as a legitimate service provider, might lure the user with fake assurances and take over their phone number to receive their MFA codes and access their account.
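The two credential-based patterns described under items 6 and 7, password spraying (one source trying a few guesses against many accounts) and MFA push bombing (a burst of prompts for one user), can both be caught by a single sliding-window correlation rule of the kind a SIEM runs over authentication logs. The following Python example is added here and is not code from the original post or from Log360; the event tuples, windows and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real logs): (timestamp, type, user, source IP)
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", "auth_fail", "alice", "203.0.113.7"),
    ("2024-01-10T09:00:03", "auth_fail", "bob", "203.0.113.7"),
    ("2024-01-10T09:00:05", "auth_fail", "carol", "203.0.113.7"),
    ("2024-01-10T09:00:07", "auth_fail", "dave", "203.0.113.7"),
    ("2024-01-10T09:00:09", "auth_fail", "erin", "203.0.113.7"),
    ("2024-01-10T09:05:00", "auth_fail", "alice", "198.51.100.2"),
    ("2024-01-10T09:05:30", "auth_fail", "alice", "198.51.100.2"),
    ("2024-01-10T09:10:00", "mfa_push", "bob", "198.51.100.9"),
    ("2024-01-10T09:10:20", "mfa_push", "bob", "198.51.100.9"),
    ("2024-01-10T09:10:40", "mfa_push", "bob", "198.51.100.9"),
    ("2024-01-10T09:11:00", "mfa_push", "bob", "198.51.100.9"),
    ("2024-01-10T09:30:00", "mfa_push", "carol", "198.51.100.4"),
]

def _sliding_window_alerts(events, event_type, key_idx, value_idx, window, threshold):
    """Generic correlation rule: per key (a source IP or a user), keep events of
    `event_type` inside `window` and alert once the count of distinct values at
    `value_idx` reaches `threshold`. Returns the set of alerting keys."""
    recent = defaultdict(list)  # key -> [(time, value), ...] still in the window
    alerts = set()
    for ev in sorted(events, key=lambda e: e[0]):
        if ev[1] != event_type:
            continue
        now, key, value = datetime.fromisoformat(ev[0]), ev[key_idx], ev[value_idx]
        recent[key] = [(t, v) for t, v in recent[key] if now - t <= window]
        recent[key].append((now, value))
        if len({v for _, v in recent[key]}) >= threshold:
            alerts.add(key)
    return alerts

def detect_password_spray(events, window=timedelta(minutes=5), threshold=5):
    """Password spray: one source IP (index 3) failing against many distinct
    accounts (index 2), a few attempts each, to stay under lockout thresholds."""
    return _sliding_window_alerts(events, "auth_fail", 3, 2, window, threshold)

def detect_push_bombing(events, window=timedelta(minutes=2), threshold=4):
    """Push bombing: a burst of MFA prompts for one user (index 2); each prompt
    has its own timestamp (index 0), so distinct values == prompts in window."""
    return _sliding_window_alerts(events, "mfa_push", 2, 0, window, threshold)

if __name__ == "__main__":
    print("password spray sources:", detect_password_spray(SAMPLE_EVENTS))
    print("push-bombed users:", detect_push_bombing(SAMPLE_EVENTS))
```

Repeated failures by one account from one source (alice from 198.51.100.2 above) do not trip the spray rule, which is the point: spraying is distinguished by breadth across accounts, not depth against one.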
  • 8. Insufficient access control lists (ACLs) on network shares and services

    A network access control list encompasses all permissions associated with a network resource. When you do not configure the ACLs properly for shared network resources, unauthorized personnel might gain access to sensitive data shares, repositories, and administrative data on shared drives.

    Threat actors can access your sensitive data shares by using commands, open source tools, or custom malware. These data shares might contain personally identifiable information (PII); service account and web application credentials; service tickets; and other information relating to your network like network topology, vulnerability scan reports, and threat modelling data. All this information can be exfiltrated to execute a ransomware attack, DDoS attack, or social engineering attack. It is vital that you closely inspect all permissions associated with your network resources.

  • 9. Poor credential hygiene

    Poor credential hygiene refers to the use of weak passwords that can be easily cracked, improperly configured MFA, and unprotected storage of clear-text passwords. A credential compromise takes place when a clear-text password or a password hash is stolen by adversaries. It is vital to implement strong password policies that comply with the National Institute of Standards and Technology (NIST) guidelines and to properly configure MFA, preferably phishing-resistant MFA, to secure the entry points to your network.
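As an added illustration of what a NIST-aligned password policy looks like in code (not part of the original post or of Log360), the following Python check applies the memorized-secret rules from NIST SP 800-63B: a length floor with a generous ceiling, no forced character classes, and rejection of blocklisted, context-specific, repetitive and sequential values. The blocklist and thresholds are constructed assumptions.

```python
import re
import unicodedata

# Constructed sample blocklist; a real deployment would load a large breach
# corpus or common-password list here (sample values only).
BLOCKLIST = {"password", "password1", "qwerty123", "welcome1", "letmein"}

def is_sequential(s):
    """True when every adjacent pair steps by exactly one code point in the
    same direction, e.g. 'abcdefgh' or '87654321'."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}

def check_password(password, username="", min_len=8, max_len=64):
    """Return (ok, reason) following NIST SP 800-63B memorized-secret rules:
    length floor and generous ceiling, no composition rules (no forced
    digits/symbols), Unicode accepted, and rejection of blocklisted,
    context-specific, repetitive and sequential values."""
    pw = unicodedata.normalize("NFKC", password)  # stable comparison of Unicode
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(pw) > max_len:
        return False, f"longer than {max_len} characters"
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        return False, "found in breached/common password list"
    if username and username.lower() in lowered:
        return False, "contains the username"
    if re.fullmatch(r"(.)\1+", pw):
        return False, "single repeated character"
    if is_sequential(lowered):
        return False, "sequential characters"
    return True, "ok"

if __name__ == "__main__":
    for candidate, user in [("Password1", "bob"), ("correct horse battery staple", "bob"),
                            ("bob-2024", "bob"), ("abcdefgh", "bob")]:
        print(repr(candidate), check_password(candidate, user))
```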

  • 10. Unrestricted code execution

    It is important to keep track of all executable files in your network. Attackers never tire of luring users into clicking on phishing emails that auto-execute malicious scripts and code in the background. According to the joint advisory from CISA and the NSA, adversaries execute unverified code in the form of executables, dynamic link libraries (DLLs), HTML applications, and macros (scripts used in office automation documents) to exploit a network after initial access. You can prevent such code execution by enabling system settings that block downloads from unverified sources and by restricting program execution based on digital signatures, certificates, and key attributes.

Attackers are continuously casting lines in your network, looking to catch any misconfigurations. To avoid letting employees take the bait, your SOC team needs to evaluate and adjust your network to ensure it's free from the above misconfigurations, ensuring your network is secure against the ramifications of misconfigurations. Investing in a SIEM solution like ManageEngine Log360 is your first step to defend against the consequences of such misconfigurations.

Here is a glimpse of how you can secure your network using Log360:

  • Avail complete visibility over your network with real-time logging and predefined audit reports.
  • Monitor privileged user activities and lateral movement with predefined correlation rules.
  • Defend against potential threats with real-time alert generation.
  • Track anomalous user activities with user and entity behavior analytics.
  • Prevent potential attacks with an automated incident response mechanism.

Would you like to view the bigger picture? Then sign up for a personalized demo now.

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.