The ICO exists to empower you through information.

According to Verizon’s 2023 Data Breach Investigations Report, “74% of all breaches include the human element, with people being involved either via Error, Privilege Misuse, Use of stolen credentials or Social Engineering.” Verizon categorises error as “anything done (or left undone) incorrectly, or inadvertently.”

Breaches due to misconfiguration accounted for 21% of error-related breaches within Verizon’s dataset. The information they analysed showed that most errors that lead to breaches were committed by developers (over 40%) and system administrators. This is unsurprising as they are the ones with the responsibility for configuring environments.

According to Gartner cloud security research, cloud misconfiguration is a significant cause of cloud security breaches, with 36% of companies suffering a serious cloud security leak. Furthermore, 99% of all firewall breaches are caused by misconfigurations.

Error is a wide-ranging topic, and for the purposes of this review we focus on misconfiguration as a specific type of error.

Security misconfiguration refers to security settings that are:

  • poorly put in place (implemented);
  • not set up at all during the configuration process; or
  • not maintained.

Misconfiguration also happens when systems are put into use (deployed) with default settings, leaving them open to attacks.

Security controls that are not correctly configured and maintained put your systems, information, and ultimately people at risk. Misconfiguration can happen at any layer, through any application, through any platform, and across your network or in the cloud. Misconfigurations may seem completely avoidable, but to date we see them as one of the most significant risks.

A number of configuration errors happen because system administrators fail to change the default (“out of the box”) settings. But typical misconfiguration vulnerabilities occur with any of the following inadequate security measures:

  • Default passwords and certificates.
  • Outdated (deprecated) protocols, ineffective and insufficient encryption.
  • Application programming interface (API) security misconfiguration, which allows unrestricted access to endpoints and leaves files unprotected.
  • Unused pages and unnecessary services.
  • Open or dormant ports or other access points.
  • Unrestricted permissions or inherited excessive permissions.
  • Incorrectly implemented IT changes.

Often when software is provided in the form of software as a service (SaaS), the cloud provider takes on most of the security responsibilities. But with any type of cloud service (SaaS/PaaS/IaaS), cloud security is a shared responsibility.

A high number of cloud security incidents can be traced back to preventable misconfigurations made by end-users. Cloud services are any services that are made available over the internet. You should configure cloud services correctly and share the responsibility between you and your cloud provider.

Errors may be from misconfiguration, human error or simply a lack of checks and balances leading to insufficient controls that can leave systems vulnerable. You should never rely on one person or one control for security. Always take a layered approach, informed by the nature of any processing and an assessment of risk.

Configuration errors create security vulnerabilities that criminals can use to gain unauthorised access to systems, services, or personal information.

Misconfigurations, including unused open administration ports, can allow attackers to access servers remotely and disable the security controls you already have in place (eg firewalls and VPNs).

Example: Development error leads to a reprimand

Facts

A health service allowed integration of untested development code for a future liver scheme into its live environment. This integration error led to a number of prospective transplant patients being excluded from the service's liver-matching run.

What could have been done differently?

  • Implement appropriate branch or version control so developers could not unknowingly introduce untested code into a live environment.
  • Implement appropriate peer reviewing of developers' work to reduce the likelihood of inadvertent coding errors being introduced.
  • Scope testing requirements prior to the launch of new schemes and implement testing prior to going live.
  • Provide appropriate training for staff about code testing, branch control and the use of peer review.

What might help reduce risks of error?

You should:

  • embed security from conception through to implementation and initialisation;
  • contain development functions and not introduce them into live environments without suitable testing;
  • have security as a core component (eg ‘security by design’ and ‘security by default’ principles);
  • establish baseline configurations and guardrails and monitor for any unauthorised changes to those;
  • educate your staff on how mistakes occur and why controls are important;
  • consider automating repetitive processes to reduce the chance of error;
  • change all default accounts, usernames, and passwords;
  • remove all unnecessary features;
  • undertake ‘Four Eyes’ (two person) quality control checks, requiring activities to be approved by two people;
  • uninstall any unused applications or programs; and
  • not ignore warnings or errors and plan time for security updates and bug fixes.

It’s never too late to look for security misconfigurations that already exist in your systems. This is just as important as preventing them.
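One way to combine two of the measures above, monitoring a baseline configuration for unauthorised changes and requiring ‘Four Eyes’ approval, is sketched below. This is an added example, not ICO code; the setting names, people and approval-register format are constructed for illustration.

```python
import hashlib
import json

ABSENT = "<absent>"  # marker for a setting present on one side only

def fingerprint(settings: dict) -> str:
    """SHA-256 over a canonical JSON form, so key order does not matter."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def unauthorised_changes(baseline: dict, live: dict, approvals: dict) -> list:
    """List (setting, baseline value, live value, approvers) for every
    difference not backed by two distinct approvers of that exact value."""
    if fingerprint(baseline) == fingerprint(live):
        return []  # cheap check first: nothing has drifted
    findings = []
    for key in sorted(set(baseline) | set(live)):
        old, new = baseline.get(key, ABSENT), live.get(key, ABSENT)
        if old == new:
            continue
        record = approvals.get(key)
        # An approval counts only if it names the value that is actually live.
        # Using a set means the same person listed twice counts once.
        approvers = set(record["approvers"]) if record and record["value"] == new else set()
        if len(approvers) < 2:
            findings.append((key, old, new, sorted(approvers)))
    return findings

# Constructed sample data (hypothetical setting names and people).
BASELINE = {"ssh.password_auth": False, "tls.min_version": "1.2",
            "admin.port_open": False, "log.retention_days": 90}
LIVE = {"ssh.password_auth": True, "tls.min_version": "1.3",
        "admin.port_open": True, "log.retention_days": 90,
        "debug.endpoint": True}
APPROVALS = {
    "tls.min_version": {"value": "1.3", "approvers": ["alice", "bob"]},
    "admin.port_open": {"value": True, "approvers": ["alice"]},
}

if __name__ == "__main__":
    for key, old, new, who in unauthorised_changes(BASELINE, LIVE, APPROVALS):
        print(f"UNAUTHORISED {key}: {old!r} -> {new!r} (approved by: {who or 'nobody'})")
```

Running the same comparison against systems that are already live also surfaces misconfigurations that predate the baseline, such as the unapproved `debug.endpoint` setting in the sample.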

What are the likely future developments?

No matter what security controls you put in place, there will always be a human element. Avoiding misconfiguration becomes ever more vital as more information is democratised and big data (high volume information which is complex or very varied in nature) is increasingly harnessed to inform decision-making. Open Web Application Security Project (OWASP) stated misconfiguration was one of the top 10 security issues, with default credential use and misconfigured storage being key factors.

Security relies on the analysis of security event information. Generative AI, with the ability to self-learn and backed by consistent data-driven algorithms, can provide a faster response to potential threats. Artificial intelligence may help reduce some of the issues human error creates, but it also creates new challenges, as understanding of new technologies often lags significantly behind implementation.

As emerging technologies increase, especially the development of products and tools which use AI, there is an ongoing need for privacy and security by design and default. Due to the large volumes of information needed to inform AI processes, misconfiguration at any level could lead to serious implications for people. An ever-expanding digital estate will continue to lead to more points of potential vulnerability and an increasing chance of error or misconfiguration.

However, technology also presents a great opportunity for more automated and streamlined development approaches. For example, infrastructure-as-code and continuous integration/continuous deployment (CI/CD) pipelines can have security controls and policies embedded from the start.
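A policy check embedded in a CI/CD pipeline can reject the typical misconfigurations listed earlier (default credentials, deprecated protocols, open ports, unauthenticated APIs, excessive permissions, unused services) before they are deployed. The following is an added example, not ICO code; the resource format, field names and policy lists are assumptions chosen for illustration.

```python
import sys

# Illustrative policy values; a real pipeline would load these from a reviewed policy file.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1", "telnet", "ftp"}
ALLOWED_PUBLIC_PORTS = {443}

def check_resource(res: dict) -> list:
    """Return the policy violations for one declared resource."""
    problems = []
    if (res.get("username"), res.get("password")) in DEFAULT_CREDENTIALS:
        problems.append("default credentials")
    for proto in res.get("protocols", []):
        if proto in DEPRECATED_PROTOCOLS:
            problems.append(f"deprecated protocol {proto}")
    if res.get("public", False):
        extra = sorted(set(res.get("ports", [])) - ALLOWED_PUBLIC_PORTS)
        if extra:
            problems.append(f"public ports outside allow-list {extra}")
    # Secure by default: an API that does not declare auth_required fails.
    if res.get("type") == "api" and not res.get("auth_required", False):
        problems.append("API endpoint without authentication")
    if "*" in res.get("permissions", []):
        problems.append("wildcard permissions")
    if res.get("enabled", True) and not res.get("in_use", True):
        problems.append("unused service still enabled")
    return problems

def gate(resources: list) -> dict:
    """Map resource name -> violations, for resources that have any."""
    report = {r["name"]: check_resource(r) for r in resources}
    return {name: probs for name, probs in report.items() if probs}

# Constructed sample declarations (hypothetical names and fields).
RESOURCES = [
    {"name": "billing-db", "type": "database", "username": "admin", "password": "admin",
     "protocols": ["TLSv1.2"], "public": False, "ports": [5432], "permissions": ["read", "write"]},
    {"name": "legacy-api", "type": "api", "protocols": ["TLSv1.0"], "public": True,
     "ports": [443, 8080], "permissions": ["*"]},
    {"name": "web-front", "type": "api", "auth_required": True, "protocols": ["TLSv1.3"],
     "public": True, "ports": [443], "permissions": ["read"]},
]

if __name__ == "__main__":
    violations = gate(RESOURCES)
    for name, probs in violations.items():
        print(f"{name}: " + "; ".join(probs))
    sys.exit(1 if violations else 0)  # non-zero exit fails the pipeline stage
```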

Human-centric security design is also set to increase, with more organisations focusing on employee experience, rather than relying on technical controls alone. Gartner predicts that by 2027, 50% of large enterprise Chief Information Security Officers (CISOs) will have adopted human-centric security design.
