In our rush towards a remote workforce, security had to make sudden and risky decisions in a” new normal.” We reconfigured security controls, made temporary policy exemptions, and shipped equipment to employee’s homes. At the same time, our SecOps teams work remotely, limiting visibility into the systems that may be compromised. Further, working remotely often results in a lack of access to reporting, alarms, and dashboards. Working blind is a nightmare for security pros.
Misconfigurations Lead to Incidents
“The only action type that is consistently increasing year-to-year in frequency is Error.”
– Verizon DBiR 2020
Data tells us that one of our biggest threats is due to misconfigurations, lax policies, and simple errors. The 2020 Verizon Data Breach Investigations Report (DBiR) confirms this and shows dramatic growth of misconfigurations of security equipment leading to data breaches.
While our industry talks a lot about ‘insider threats,’ one must think about this particular threat broadly. It’s not all about a nefarious employee, it’s mainly about day-to-day work being done by security, IT, and other employees that cause misconfigurations that lead to breaches.
Starting to understand, continuously, where those misconfigurations are and how to fix them should be a tenant of any SecOps team. Misconfigurations can be simple things like:
- Leaving certain ports open
- Not properly setting defaults to detect data exfiltration
- Not having the time and resources to keep up with the vast amounts of updates being made by trusted security vendors.
Web Applications Are A Front Door
The DBiR reports that 43% of breaches came in via web apps. Web apps are spun up so fast it makes IT and security heads spin. The era of DevOps and AWS/Azure has made it possible for anyone to create an app and deploy it for use within a company. Typically, they are never scanned even for the Open Web Application Security Project (OWASP) top vulnerabilities, and because they are often deployed without SecOps knowledge, they aren’t protected by the Web Application Firewall (WAF).
Even when configured “correctly,” the WAF may not be work as expected due to a lack of knowledge of WAF rules and the constant shifts on the app side. SecOps and IT teams need to look more closely at web application security but do it in a way that doesn’t stifle innovation and growth. The opportunity lies in security teams putting into place easy to understand WAF policies for web apps, then monitoring that WAF consistently in order to keep rule signatures configured correctly.
Finding Misconfigurations
Errors and misconfigurations sound bad, but they can be addressed. Controlling your risk profile is a strong move in security, but in some organizations, it will take a shift in thinking. While we will always search out the latest and greatest security tools to help defend and detect, we must also think of how we test how they are working and fix those tools when they don’t work as intended. What if you could SEE the risks hidden in errors, misconfigurations, and policy exemptions?
Where do you start? Here are six internal assessments to do now that will help you uncover and fix those pesky misconfigurations:
1. SSL decryption misconfiguration – Decryption can impact your app and network performance. Your IPS is not effective with SSL decryption misconfigured, but we often turn it off for performance or troubleshooting. Always test when it’s on to be confident that your IPS is truly working.
2. Default protection profile – Out of date protection profiles can cause issues. Confirm where you have profiles, usually in web browsers and web app security. We often don’t think of this or change it for performance. A lack of review of the protection profile puts web apps and business at risk.
3. No or minimal segmentation within a security zone – Lateral movement is a problem. We often forget to re-segment network security zones after a temporary shutdown (e.g. troubleshooting, maintenance). Remember to bring those security zones back up to ensure mitigate risk from lateral movement.
4. Inefficient Data Loss Protection (DLP)–Sensitive data loss can be a problem. Typically, it’s caused by a lack of knowledge of DLP behavior and where to go to configure them. It’s important to properly configure your NGFW/DLP to ensure employees (or others) can’t offload sensitive data accidentally or on purpose.
5. Inefficient cloud WAF rules protection – A leaky or holey cloud can create vulnerabilities. WAF rules, like NGFW, can be complex and always change. Test your WAF against the latest web application attacks to provide a clear path to set and fine-tune rules to stop attackers.
6. URL filtering policy misconfiguration – Web searches can make remote employees vulnerable, even with your VPN. URL filtering policies are often reconfigured during office moves or when enabling employees to work remotely and via VPN. Test that your filtering rules are in place, even over VPN, to help employees avoid spreading ‘malvertising’ or malware attacks.
About the Author: Scott Register is the Vice President, Security Solutions for Keysight Network Applications and Security Group.