Cyber incidents and data breaches are often the result of computer security misconfigurations in a system’s network or software. We have found at Kivu Consulting that many of the same misconfigurations have allowed an intrusion to happen, an exploit to be executed or data to be extracted from a particular system. Security misconfigurations can also hamper an incident analysis by limiting the availability of important artifacts needed for a data breach investigation.
Listed below are the top 10 common computer security misconfigurations and how to avoid them:
1. Logging left at default or turned off
Many system logs, especially the Windows event logs, have a default maximum size or retention period, after which the oldest entries are overwritten. Often, due to budget or storage constraints, logging is left at these defaults or disabled outright. The events at stake include account logon/logoff, failed logon attempts, software installation and the clearing of the logs themselves. When a log is disabled, there is simply no record of what happened on that system.
Without system logs, a business has no way of knowing that an intruder is guessing passwords or account names, or that it was attacked at all. If an intrusion is not detected until months later, the relevant records may already have been overwritten. Kivu recommends that every organization review its logging settings and ensure that critical events are retained for long enough to support an investigation.
Companies also often record only failed login attempts. Logging failures is a good way to detect that a system is being attacked, but what happens when the intruder actually gets in? Without successful logins recorded, a company cannot tell whether an attack succeeded, which account was used, or where the session came from. Tracking successful logins matters most when an intrusion originates from an unrecognized IP address, for example one in a country where the company has no staff or customers.
2. 50 servers, 50 log locations!
In today’s environment of virtualized and cloud-based computing, a system administrator may have to monitor dozens of servers across the globe. To simplify this task, Kivu recommends that companies ship the logs from all of their servers to a single, centralized logging system, preferably one that indexes the logs, scans them for security events and alerts the appropriate staff member when an event is detected.
A centralized logging system that allows easy search and retrieval of historical log data is crucial for an incident investigation. Kivu has sometimes lost days while investigating a security incident, when every minute is critical, because the relevant log data was scattered across as many as 50 individual servers.
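The following is an added example, not code from the original article: it merges constructed sshd auth-log fragments from three servers into one timeline and flags successful logins that either follow a run of failures from the same source address anywhere in the estate or come from outside an assumed set of known address ranges. The hostnames, addresses, year and "known" ranges are all assumptions for illustration. Note that the login on db01 looks clean on its own; only the centralized view shows that the same address had just brute-forced root on web01.

```python
"""Correlate SSH login events collected from several hosts into one timeline.

Added example (not Kivu's code). The log lines are constructed sshd entries in
syslog format; the host list, addresses and known ranges are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: auth.log fragments from three servers, as a central
# collector would receive them. In production they would be shipped by
# rsyslog/syslog-ng or an agent; here they are embedded so the example runs offline.
SAMPLE_LOGS = {
    "web01": [
        "Mar  3 02:11:04 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51012 ssh2",
        "Mar  3 02:11:06 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51013 ssh2",
        "Mar  3 02:11:09 web01 sshd[2203]: Failed password for root from 203.0.113.45 port 51015 ssh2",
        "Mar  3 02:11:12 web01 sshd[2205]: Accepted password for root from 203.0.113.45 port 51017 ssh2",
    ],
    "db01": [
        "Mar  3 02:14:30 db01 sshd[919]: Accepted password for root from 203.0.113.45 port 51120 ssh2",
        "Mar  3 08:02:11 db01 sshd[1044]: Accepted publickey for alice from 10.20.0.15 port 40221 ssh2",
    ],
    "app02": [
        "Mar  3 01:58:00 app02 sshd[771]: Failed password for invalid user admin from 198.51.100.7 port 33011 ssh2",
        "Mar  3 01:58:02 app02 sshd[771]: Failed password for invalid user admin from 198.51.100.7 port 33012 ssh2",
    ],
}

# Assumption: the company's own office/VPN ranges; successful logins from anywhere else are suspicious.
KNOWN_RANGES = [ipaddress.ip_network("10.20.0.0/16")]
YEAR = 2014  # syslog lines carry no year; assumed for the example

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for one sshd login event, or None for lines that are not login events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(f"{YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    ev["accepted"] = ev["result"] == "Accepted"
    return ev


def build_timeline(logs_by_host):
    """Merge per-host logs into a single time-ordered event list: the centralized view."""
    events = [ev for lines in logs_by_host.values() for ev in map(parse_line, lines) if ev]
    return sorted(events, key=lambda e: e["time"])


def find_suspicious_logins(timeline, known_ranges, min_failures=3):
    """Flag successful logins that (a) follow repeated failures from the same source
    address on any host, or (b) originate outside the known address ranges."""
    failures = defaultdict(int)  # failed attempts per source IP, across all hosts
    findings = []
    for ev in timeline:
        if not ev["accepted"]:
            failures[ev["ip"]] += 1
            continue
        reasons = []
        if failures[ev["ip"]] >= min_failures:
            reasons.append(f"success after {failures[ev['ip']]} failures")
        if not any(ipaddress.ip_address(ev["ip"]) in net for net in known_ranges):
            reasons.append("source outside known ranges")
        if reasons:
            findings.append((ev["host"], ev["user"], ev["ip"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for host, user, ip, why in find_suspicious_logins(build_timeline(SAMPLE_LOGS), KNOWN_RANGES):
        print(f"{host}: {user} from {ip} -> {why}")
```

The failure counter is keyed on the source address rather than on the host, which is what makes the db01 login show up: the attacker never failed a login on db01, but had already failed three times on web01 from the same address. Nothing here would be possible if each server kept its own logs, or if successful logins were not recorded at all.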
3. Former employee accounts not disabled or deleted
When an employee leaves an organization, every credential they held that allows a remote connection or a login from a workstation on the trusted internal network should be disabled immediately, and administrative or VPN credentials in particular should be treated as the highest priority. Kivu has seen many times that an old but still enabled VPN or administrative account belonging to a former employee was the account used for an intrusion.
4. Same root or local administrator password for all public facing computers
We see this misconfiguration more often than any other problem. Many organizations set the root account (on Linux), the local Administrator account (on Windows) or another super-user account to the same password across all of their systems, including web servers, cloud-based servers and servers in the DMZ. If an intruder compromises that password on one exposed machine, they can log in to every server that shares it, possibly including the server that acts as the identity manager (e.g. a domain controller or a central SSH key server).
Kivu recommends that organizations treat their public-facing (untrusted) servers with the mindset that they will be compromised. Each such server should have its own unique local administrative password, and the servers on the trusted internal network should use a different set of credentials altogether, so that a single compromised password does not hand over the whole estate.
5. Root or administrator accounts can connect from the Internet or DMZ
The convenience of being able to troubleshoot and perform system and network administration remotely often comes with a cost. Modern OpenSSH refuses password logins for root by default (PermitRootLogin prohibit-password), and many distributions disable remote root login entirely. Yet in many security incident investigations, Kivu has found that the system administrators had been logging in ONLY as root and had enabled remote root login with a password. That convenience also lets anyone on the Internet brute force the root password.
We recommend requiring system administrators to connect to a VPN before performing administrative or systems work. With cloud-located servers, a VPN may not be an option. In that case, companies can restrict administrative access to a short list of source IP addresses at the firewall or in the SSH configuration, combine that restriction with a security appliance or a host-based intrusion detection system such as Snort to alert on connection attempts from anywhere else, and replace password logins with key-based or token-based authentication (e.g. SSH keys or an RSA SecurID token).
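As an added example (not from the original article), the script below audits an sshd_config text for the three weaknesses just described: remote root login, password authentication accepted from any address, and no restriction on which accounts may log in. The weak and hardened configurations are constructed for illustration, and the administrator names and the 10.20.0.0/16 management range are assumptions; the directive semantics (PermitRootLogin, PasswordAuthentication, AllowUsers/AllowGroups, Match Address) are OpenSSH's own.

```python
"""Audit an sshd_config for remote root login and missing source restrictions.

Added example, not from the original article. The two config texts are
constructed; the checks follow OpenSSH directive semantics.
"""

# Constructed: the pattern the article describes, root allowed in from anywhere by password.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed hardened counterpart: no root login, keys only, named administrators,
# and password authentication permitted only from an assumed management range.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowUsers alice bob
Match Address 10.20.0.0/16
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return (global directives, [(match criteria, directives), ...]).

    Keys are lower-cased; the first occurrence of a directive wins, as in sshd.
    Everything after a Match line belongs to that block until the next Match.
    """
    global_directives, match_blocks = {}, []
    current = global_directives
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            current = {}
            match_blocks.append((value.strip(), current))
            continue
        current.setdefault(key, value.strip())
    return global_directives, match_blocks


def audit_sshd_config(text):
    """Return a list of findings for the misconfigurations discussed in the article."""
    g, matches = parse_sshd_config(text)
    findings = []
    # An unset PermitRootLogin means OpenSSH's default, prohibit-password: keys still work for root.
    root = g.get("permitrootlogin", "prohibit-password").lower()
    if root != "no":
        findings.append(f"remote root login possible (PermitRootLogin {root})")
    # PasswordAuthentication defaults to yes; a global yes means brute force from anywhere.
    if g.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("password authentication accepted from any source address")
    if "allowusers" not in g and "allowgroups" not in g:
        findings.append("no AllowUsers/AllowGroups restriction on who may log in")
    # A Match block that re-enables passwords is fine only if it is scoped to source addresses.
    for criteria, directives in matches:
        if directives.get("passwordauthentication", "").lower() == "yes" and "address" not in criteria.lower():
            findings.append(f"Match '{criteria}' enables passwords without an Address restriction")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```

On a live host, feed the script the output of sshd -T, which prints the effective configuration after defaults and includes have been resolved, rather than the raw file; that avoids being misled by a directive that is set in an included file or overridden earlier in the file.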
6. Default password on [insert network device name here]
A simple Internet search for “default password” plus the vendor and model name will return the factory default passwords for the admin or manager accounts on an organization’s firewalls, routers and wireless access points, and any setup manual available online lists them as well. Kivu recommends that companies change these defaults when a device is configured, before it is deployed, to avoid a security incident that requires no skill at all to cause.
7. Administrative accounts using simple passwords
We continue to see easily guessed passwords used for administrative accounts. Dictionary words can be brute forced even when letters are swapped for look-alike digits and symbols, for example “honeybadger” written as “H0neyB@dger”: password-cracking tools apply exactly those substitutions as mangling rules, so the variant falls almost as quickly as the plain word. We have found that using a randomly generated 16-character password for root and other administrative accounts is an effective way to reduce an organization’s attack surface.
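The following is an added example, not code from the original article. It reverses the common symbol-for-letter substitutions the way a cracker’s mangling rules do, so that “H0neyB@dger” is recognized as the dictionary word “honeybadger”, and it generates a 16-character administrative password from the operating system’s cryptographic random source. The miniature wordlist is a constructed stand-in for a real dictionary; the substitution table is a simplification of the rules cracking tools ship with.

```python
"""Show why symbol-swapped dictionary words still fall to cracking rules, and
generate the kind of random administrative password the article recommends.

Added example, not Kivu's code. WORDLIST is a constructed stand-in for a real
cracking dictionary; LEET is a simplified version of common mangling rules.
"""
import math
import secrets
import string

# Constructed miniature wordlist; a real cracker would use millions of entries.
WORDLIST = {"honeybadger", "password", "administrator", "welcome", "letmein"}

# Common single-character swaps, the same ones crackers try as rules (simplified).
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def unleet(candidate):
    """Undo symbol-for-letter swaps and case: 'H0neyB@dger' -> 'honeybadger'."""
    return candidate.translate(LEET).lower()


def is_dictionary_based(candidate, wordlist=WORDLIST):
    """True if the password is a wordlist entry after de-leeting, with or without a
    trailing run of digits/symbols (the 'Password123!' pattern)."""
    stripped = candidate.rstrip(string.digits + string.punctuation)
    return unleet(candidate) in wordlist or unleet(stripped) in wordlist


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def generate_admin_password(length=16, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Random password from the OS CSPRNG (secrets), not random.random.
    16 characters from the 94 printable ASCII symbols is about 105 bits."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("H0neyB@dger", "P@$$w0rd123!", generate_admin_password()):
        verdict = "dictionary-based" if is_dictionary_based(pw) else "not in wordlist"
        print(f"{pw!r}: {verdict}")
    print(f"16 chars x 94 symbols = {entropy_bits(16, 94):.1f} bits")
```

The check strips a trailing suffix before de-leeting rather than after, so that the “123” in “P@$$w0rd123!” is treated as a suffix and not mistaken for substituted letters; the full de-leeted string is also checked so that a word ending in a substituted letter, such as “w3lcom3”, is still caught.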
8. Remote desktop, public facing, default ports, no firewall or VPN
There are numerous exploits and vulnerabilities for popular remote access services, and leaving one listening on its default port (3389 for Remote Desktop, for example) makes it trivial to find with a port scan. Kivu often sees no firewall or VPN at all between the computer offering remote access and the Internet. To reduce the risk, we recommend that companies implement remote access in layers, preferably with the remote access host in a DMZ, where all remote traffic is forced through a VPN or gateway and inspected by an intrusion detection system before it reaches internal systems.
9. No access control lists – EVERYONE group is granted access to everything
This issue is common in smaller companies, non-profits and the education sector: everyone in the organization has full access to all of the data. If any employee account is compromised, the intruder has access to HR and financial information, even though the employee does not work in those departments. Kivu recommends that organizations classify their data into different levels of confidentiality and then restrict access through security groups, so that an account grants only the access its owner’s role requires.
10. Absence of a regular software patching routine
Many of the exploits that lead to an intrusion or data breach can be avoided simply by keeping up with software updates and vulnerability patches. If your company is not patching promptly, your public web server or your customer database server is a security breach waiting to happen. We recommend that organizations have procedures in place to ensure that updates are tested and applied on a defined schedule, with an expedited path for critical vulnerabilities in Internet-facing software.
While many of the above computer security misconfigurations are well known, they continue to occur on a regular basis. Kivu recommends that organizations regularly monitor their system logs and check with their software vendors for security recommendations particular to their computer environment. We also recommend that companies keep up-to-date by reading security blogs and checking in with the SANS Internet Storm Center.
For more information about Common Computer Security Misconfigurations, please contact Kivu Consulting.