Cyber incidents and data breaches are often the result of computer security misconfigurations in a system’s network or software. We have found at Kivu Consulting that many of the same misconfigurations have allowed an intrusion to happen, an exploit to be executed or data to be extracted from a particular system. Security misconfigurations can also hamper an incident analysis by limiting the availability of important artifacts needed for a data breach investigation.

Listed below are the top 10 common computer security misconfigurations and how to avoid them:

1. Logging left at default or turned off

Many system logs, especially ones found in the Windows operating system, have a default size limit or a limit to the number of days that historical logs are kept. Many times, due to budget or storage constraints, standard system logging is left at the default setting or is disabled. This includes: account login/logout, failed login attempts, software installed and logs cleared. Unfortunately, when logs are disabled from collecting data, there is no record of what is happening to a computer system.

When an intruder guesses passwords or accounts, without system logs a business has no way of knowing if they are or were under attack. If an intrusion isn’t detected until several months later, important system records may be unavailable. Kivu recommends that every organization review its system logging procedures and ensure that critical information is stored for a sufficient amount of time.

Also, companies often record only failed login attempts. Logging failed attempts is a great way to detect that a computer system is being attacked, but what happens if the intruder actually gets in? If a company is not tracking successful logins, it might not know that an attack succeeded. Tracking all logins is particularly important when a security breach has come from an unrecognized IP address (e.g. an IP address in China).
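As an added example (not Kivu's code), the script below shows why the successful logins matter as much as the failures. It runs over a handful of constructed Linux auth-log lines and raises two kinds of alert: a successful login from outside a hypothetical trusted network range, and a success that follows a run of failures from the same address. Neither alert can fire if only the failed attempts are recorded.

```python
"""Correlate failed and successful SSH logins from auth-log style lines.
Added example; the log lines and the trusted network are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the style of a Linux auth log; not real data.
SAMPLE_LOG = """\
Mar  3 02:14:01 web01 sshd[2201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  3 02:14:03 web01 sshd[2201]: Failed password for root from 203.0.113.5 port 51023 ssh2
Mar  3 02:14:05 web01 sshd[2201]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar  3 02:14:09 web01 sshd[2201]: Accepted password for root from 203.0.113.5 port 51025 ssh2
Mar  3 08:30:12 web01 sshd[2310]: Accepted publickey for alice from 10.20.0.15 port 40110 ssh2
Mar  3 09:02:44 web01 sshd[2355]: Failed password for bob from 10.20.0.31 port 40222 ssh2
Mar  3 09:02:50 web01 sshd[2355]: Accepted password for bob from 10.20.0.31 port 40223 ssh2
Mar  3 23:41:07 web01 sshd[2490]: Accepted password for deploy from 198.51.100.77 port 60001 ssh2
"""

# Hypothetical list of networks staff are expected to log in from.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)


def parse_events(text):
    """Return (result, user, ip) for every line that records a login attempt."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["result"], m["user"], m["ip"]))
    return events


def analyze(text, fail_threshold=3):
    """Flag successful logins that (a) come from outside the trusted networks
    or (b) follow fail_threshold or more failures from the same address.
    Both checks depend on the successful logins being logged at all."""
    failures = defaultdict(int)
    alerts = []
    for result, user, ip in parse_events(text):
        if result == "Failed":
            failures[ip] += 1
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in TRUSTED_NETWORKS):
            alerts.append(("untrusted_source", user, ip))
        if failures[ip] >= fail_threshold:
            alerts.append(("success_after_failures", user, ip))
        failures[ip] = 0  # reset the counter once a login succeeds


    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The same logic applies to Windows Security log events (logon success and failure records) once they have been exported or forwarded; only the parsing step changes.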

2. 50 servers, 50 log locations!

In today’s environment of virtualized and cloud based computing, a system administrator may have to monitor dozens of servers across the globe. To simplify this task, Kivu recommends that companies collect logs from all of their servers into a single, centralized logging system, preferably one that indexes their logs, scans them for security events and alerts the appropriate staff member if an event is detected.

A centralized logging system that provides easy search and retrieval of historical log data is crucial for an incident investigation. Kivu has sometimes lost days while investigating a security incident, when every minute is critical, because important log data was stored in as many as 50 individual servers.

3. Former employee accounts not disabled or deleted

When an employee leaves an organization and has security credentials that allow remote connection or login from a workstation located on a trusted internal network, the ex-employee’s accounts should be immediately disabled. Kivu has seen many times that an old and still enabled VPN/administrative account has been used for intrusion.

4. Same root or local administrator password for all public facing computers

We see this system misconfiguration more often than any other problem. Many organizations’ servers have their root account (if Linux), Administrator, or super user account set with the same password across all systems, including: web servers, cloud based servers, and servers in the DMZ. If an intruder should compromise the root password, they may be able to log in to all of a company’s servers, including the server that may be acting as an identity manager (e.g. SSH key master or domain controller).

Kivu recommends that organizations follow the simple practice of treating their public facing (untrusted) servers with the mindset that they will be compromised. We advise creating a different set of account credentials for the servers that reside on their trusted internal networks.

5. Root or administrator accounts can connect from the Internet or DMZ

The convenience of being able to troubleshoot and perform system and network administration remotely often comes with a cost. SSH, by default, does not allow the super user account root to log in remotely. Yet in many security incident investigations, Kivu has found that the system administrators have only been logging in as root and have enabled root login from remote locations. This convenience also allows anyone from outside the organization to brute force the root password.

We recommend requiring system administrators to log in to a VPN before connecting to perform administrative or systems work. With cloud located servers, a VPN may not be an option. In that case, companies can lock down administrative access to only a few IP addresses. They can combine this action with a security appliance or Snort on the host to detect and drop IP address spoofing. They can also consider an RSA certificate solution.
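The following is an added example, not Kivu's code, of a small audit for the sshd settings this item is about. It parses two constructed `sshd_config` fragments, a weak one (remote root with passwords, from anywhere) and a hardened one (no remote root, keys only, named administrators accepted only from a hypothetical VPN range 10.8.0.0/24), and reports what the weak one gets wrong. The keyword names are the standard OpenSSH ones; the VPN range and account names are assumptions.

```python
"""Audit an sshd_config for remote root login and open administrative access.
Added example; the configuration fragments are constructed."""

# Constructed weak configuration: root may log in from anywhere with a password.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed hardened counterpart: no remote root, key authentication only,
# and administrators accepted only from the (hypothetical) VPN range.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowUsers admin@10.8.0.* ops@10.8.0.*
"""


def parse_sshd_config(text):
    """Map each lowercased keyword to the values seen for it in the global
    section. Parsing stops at the first Match block because settings inside
    it apply conditionally; sshd uses the first value it finds for a keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "match":
            break
        settings.setdefault(key, []).append(value.strip())
    return settings


def first(settings, key):
    """First value configured for a keyword, or None if it is not set."""
    values = settings.get(key)
    return values[0] if values else None


def audit(text):
    """Return a list of findings; an empty list means the checks passed."""
    s = parse_sshd_config(text)
    findings = []
    root = first(s, "permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin is not set explicitly; set it to 'no'")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin is '{root}'; remote root login should be 'no'")
    pw = first(s, "passwordauthentication")
    if pw is None or pw.lower() != "no":
        findings.append("PasswordAuthentication permits password guessing; use keys and set it to 'no'")
    if first(s, "allowusers") is None and first(s, "allowgroups") is None:
        findings.append("No AllowUsers/AllowGroups restriction; any account may be tried from any address")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["ok"])
```

Pointing the audit at the live file (`/etc/ssh/sshd_config` on most Linux systems) is a one-line change; the Match handling is deliberately simple and only covers the global section.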

6. Default password on [insert network device name here]

A simple search on the Internet for “default password on insert network device vendor name here” will return all known default passwords for the admin or manager accounts on an organization’s network firewalls, routers and wireless access points. Any device setup manuals available online will also have the default passwords listed. Kivu recommends that companies change these defaults at configuration time and before deployment to avoid security incidents.

7. Administrative accounts using simple passwords

We continue to see easily guessed passwords used for administrative accounts. Dictionary words can be brute forced, even when vowels are swapped out with symbols, for example: “honeybadger” becomes “H0neyB@dger.” We have found that using a randomly generated 16-character password for root and other administrative accounts is beneficial for reducing an organization’s attack surface.
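As an added example (not Kivu's code), the check below undoes the usual letter-for-symbol substitutions before comparing a candidate against a word list, so that “H0neyB@dger” is recognised as “honeybadger”, and pairs that check with a generator for the random 16-character administrative passwords recommended above. The word list is a constructed five-word stand-in for a real dictionary and breached-password list.

```python
"""Reject dressed-up dictionary words and generate random admin passwords.
Added example; DICTIONARY is a constructed stand-in for a full word list."""
import secrets
import string

# Constructed mini word list; a real check would use a full dictionary
# plus a list of previously breached passwords.
DICTIONARY = {"honeybadger", "password", "welcome", "admin", "summer"}

# Common digit/symbol substitutions, undone before the dictionary lookup.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def is_dictionary_based(candidate):
    """True when the password is a dictionary word with substitutions and/or
    a trailing year or symbol, e.g. 'H0neyB@dger' or 'p@$$w0rd2014'."""
    core = candidate.rstrip(string.digits + string.punctuation)
    return core.translate(UNLEET).lower() in DICTIONARY


def acceptable(candidate, min_length=16):
    """Policy for administrative accounts: long and not dictionary-derived."""
    return len(candidate) >= min_length and not is_dictionary_based(candidate)


def generate_admin_password(length=16):
    """Random password drawn from a cryptographically secure source (secrets),
    suitable for root or Administrator accounts."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("honeybadger", "H0neyB@dger", "p@$$w0rd2014", generate_admin_password()):
        print(f"{pw!r}: {'acceptable' if acceptable(pw) else 'rejected'}")
```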

8. Remote desktop, public facing, default ports, no firewall or VPN

There are numerous exploits and vulnerabilities for many popular remote access software services. Kivu often sees no firewall or VPN between the computer offering remote access and the Internet. To reduce an organization’s risk, we recommend that companies implement remote access with multiple layers of security, preferably in a DMZ, where remote traffic is forced through an intrusion detection system.

9. No access control lists – EVERYONE group is granted access to everything

This issue is often common in smaller companies, non-profits and the education sector. Everyone in the organization has full access to all of the data. If an employee account is compromised, the account may have access to HR and Financial information, even though the employee does not work for those departments. Kivu recommends that organizations classify their data for different levels of confidentiality or access. Once data is classified, access can be controlled with security groups.

10. Absence of a regular software patching routine

Many security exploits that lead to an intrusion or data breach can be avoided by simply keeping up on software updates and vulnerability patches. If your company is not keeping up with software vulnerability patching, your public webserver or your customer database server is a security breach waiting to happen. We recommend that organizations have procedures in place to ensure that timely updates are performed.

Conclusion

While many of the above computer security misconfigurations are well known, they continue to occur on a regular basis. Kivu recommends that organizations regularly monitor their system logs and check with their software vendors for security recommendations particular to their computer environment. We also recommend that companies keep up-to-date by reading security blogs and checking in with the SANS Internet Storm Center.

For more information about Common Computer Security Misconfigurations, please contact Kivu Consulting.

Many small-to-medium-sized business (SMB) owners believe that they aren’t important or large enough to be targeted by hackers. Unfortunately, we have found at Kivu Consulting that’s not the case. Smaller companies in general have fewer resources to spend on defending their networks, yet they have substantial assets that hackers can take. As larger organizations adopt better cyber defenses, many hackers specifically pursue SMBs as easier targets.

Hacking is becoming an increasingly serious threat to every type of company. Computer virus source code is readily available on the Internet, sometimes for free, making new malware easier to create for professional cybercriminals and “wannabe” hackers alike. Kivu recommends that all businesses have an Incident Response Plan in place, outlining the steps they’ll follow if a breach is suspected. With an Incident Response Plan, the SMB will be prepared to mitigate the damage and stop a bad event from turning into a business-destroying disaster.

Here’s how a small business can get hacked and what hackers don’t want you to know:

#1. Anti-virus programs are generally ineffective

Malware is relatively easy to develop, and new malware is disseminated every minute, at an estimated rate of 80,000 instances per day. Often malware is targeted against a particular business or business sector, making it harder to discover because it is designed to avoid detection in specific environments. When malware is targeted against a particular victim, it will almost certainly get through.

Most anti-virus programs use the principle of “signature recognition”. A piece of code is recognized as a virus, the anti-virus company develops a remedy and a software update is disseminated to consumers. This process can take weeks, while malware today is often designed to last just minutes or seconds. According to a 2013 study by FireEye, 82% of malware disappears after just one hour and 70% of malware is designed for a single use. A 2014 three-month study by Redsocks Malware Research Labs found that 30% of malware in circulation was not detected or caught by common anti-virus products.

What can business owners do?

  • Limit the data that employees and systems have access to
  • Lock every system down and make software uploads the exclusive role of the IT department
  • Get data offline to reduce the risk of it being stolen

#2. Firewalls face the wrong way

Hackers have developed tools to bypass firewalls, such as reverse shells, that can create an encrypted tunnel directly through a firewall. They can then have full, undetected access to a network, as if they were sitting at an employee’s workstation. Since firewalls are often set up to monitor only incoming traffic, they won’t see these outward illicit communications or catch valuable data being stolen.

What can business owners do?

  • Make full use of current network defenses, such as firewalls with built-in Intrusion Detection Systems
  • Ensure that their firewalls are set up to detect suspicious outgoing traffic as well as incoming traffic
  • Maintain logs (going back at least one month) of all outgoing, incoming and internal traffic
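To make the second and third bullets concrete, here is an added example (not Kivu's code) of the kind of check an outbound-aware firewall or log review performs. It reads constructed connection records (timestamp, source, destination, destination port, duration in seconds, bytes sent) and flags inside-to-outside connections that use an unexpected port, stay open unusually long, or carry an unusually large upload, the traits of the reverse-shell tunnel and data theft described above. The office network range, the expected-port list and the thresholds are assumptions.

```python
"""Flag suspicious outbound connections in constructed firewall/flow records.
Added example; the LAN range, port list and thresholds are assumptions."""
import ipaddress

INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # hypothetical office LAN
EXPECTED_PORTS = {25, 53, 80, 443}                   # services workstations normally reach

# Constructed connection records: timestamp,src,dst,dport,duration_s,bytes_out
SAMPLE_FLOWS = """\
2014-06-01T09:00:01,192.168.1.20,198.51.100.10,443,12,4200
2014-06-01T09:05:10,192.168.1.20,198.51.100.10,80,3,1500
2014-06-01T09:07:42,192.168.1.31,203.0.113.9,4444,7200,8800
2014-06-01T10:12:00,192.168.1.45,198.51.100.23,443,5400,524288000
2014-06-01T10:20:33,192.168.1.20,192.168.1.10,445,60,120000
"""


def parse_flows(text):
    """Parse the comma-separated records into typed tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, duration, nbytes = line.split(",")
        rows.append((ts, src, dst, int(dport), int(duration), int(nbytes)))
    return rows


def suspicious_outbound(text, max_duration=3600, max_bytes=100_000_000):
    """Return (ts, src, dst, dport, reasons) for inside-to-outside connections
    that use an unexpected port, live longer than max_duration seconds, or
    send more than max_bytes. Internal-to-internal traffic is skipped here."""
    findings = []
    for ts, src, dst, dport, duration, nbytes in parse_flows(text):
        if ipaddress.ip_address(src) not in INTERNAL or ipaddress.ip_address(dst) in INTERNAL:
            continue
        reasons = []
        if dport not in EXPECTED_PORTS:
            reasons.append("unexpected_port")
        if duration > max_duration:
            reasons.append("long_lived")
        if nbytes > max_bytes:
            reasons.append("large_upload")
        if reasons:
            findings.append((ts, src, dst, dport, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in suspicious_outbound(SAMPLE_FLOWS):
        print(finding)
```

The fourth record is the instructive one: it uses port 443 like ordinary web browsing, so a port-only rule would pass it, but the duration and volume give it away. That is why the bullets above ask for logs of outgoing traffic, not just a block list.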

#3. The small business itself is the weakest link in the Cloud

More and more SMBs are transferring part or all of their IT infrastructure and data to the Cloud, including email, file storage and applications. Cloud-based solutions inevitably have better security than an SMB’s internal systems, but that security disappears if a hacker can pretend to be someone from within the SMB’s organization. When an intrusion occurs, it is often more difficult to identify and monitor the extent of the damage with Cloud computing, since security safeguards are no longer the role of the internal IT department.

What should SMBs do?

  • Limit the likelihood of a hacker accessing a Cloud-based account by implementing a multi-factor authentication process for every user
  • Ensure that the Cloud service provider creates useful logs for traffic monitoring and auditing

#4. Advising employees not to open emails from “strangers” isn’t enough

Hackers can easily use social media like LinkedIn, Facebook and company websites to identify specific targets within an organization and then develop an email that looks as if it is coming from a trusted colleague. A 2013 report by Symantec found a 91% increase in this type of “spear phishing” over previous years. Once a hacker compromises one email account, a virus can be spread from employee to employee, until the hacker has access to an SMB’s finances or its most valuable customer data.

What should SMBs do?

  • Train employees to be cautious about what they publicly post online so that they are less of a target to hackers
  • If there’s the slightest doubt about an attachment or link to an online document site, encourage employees to pick up the phone and call the sender
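An added example (not Kivu's code) of the automated side of the second bullet: a check on the From: header that gives a reader a reason to pick up the phone. It warns when a display name matches a colleague in a hypothetical staff directory but the address is not that colleague's, and when the sender domain is a near-miss of the company domain (one or two character edits away, such as examp1e.com). The company domain, the directory and the sample headers are all constructed.

```python
"""Warn about spoofed-colleague and look-alike-domain senders.
Added example; the domain, staff directory and headers are constructed."""
import email.utils

COMPANY_DOMAIN = "example.com"  # hypothetical
# Hypothetical staff directory: display name -> the only address it should use.
KNOWN_STAFF = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_warnings(from_header):
    """Return the reasons a From: header deserves a second look (empty if none)."""
    name, addr = email.utils.parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    warnings = []
    expected = KNOWN_STAFF.get(name.strip().lower())
    if expected and addr != expected:
        warnings.append("impersonated_name")   # colleague's name, someone else's address
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        warnings.append("lookalike_domain")    # e.g. examp1e.com, example.co
    return warnings


# Constructed sample headers.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jane.doe@examp1e.com>",
    "Jane Doe <jdoe1987@mailhost.test>",
    "Newsletter <news@vendor.test>",
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(f"{hdr}: {sender_warnings(hdr) or 'no warnings'}")
```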

#5. Encrypting only your company’s portable devices isn’t enough

The hard drive of a desktop computer can be worth thousands of dollars to hackers and can be removed in less than a minute. Even when a computer hard drive is encrypted, some forms of encryption take effect only when the computer is powered down and may be ineffective when the device is placed in “sleep” or “power saving” mode.

What should SMBs do?

  • Continue to encrypt all portable devices and select devices with built-in layers of safety
  • Encrypt all computer hard drives, or ensure that no sensitive data can be stored on them
  • Teach employees not to place their laptops in sleep mode while unattended, or when they take a laptop off-site
