
Critical Security Misconfigurations to Avoid

Key Points

  • Cloud misconfigurations rank as the third‑most common cause of data breaches in IBM’s 2023 report, trailing only phishing and stolen credentials, highlighting the critical need to address configuration errors.
  • The leading security misconfiguration identified by the NSA and CISA is the use of insecure defaults—such as default admin credentials, enabled legacy services like Telnet, and self‑signed certificates—that attackers can easily discover and exploit.
  • Proper system hardening involves removing or disabling unnecessary services and replacing default settings with secure, production‑ready configurations to eliminate attack surfaces.
  • Improper separation of user and administrative privileges violates the principle of least privilege, making it essential to enforce strict privilege management so users only have access needed for their role.

Full Transcript

**Source:** [https://www.youtube.com/watch?v=nwjROTpVpQQ](https://www.youtube.com/watch?v=nwjROTpVpQQ)
**Duration:** 00:14:23

## Sections

- [00:00:00](https://www.youtube.com/watch?v=nwjROTpVpQQ&t=0s) **Dangerous Default Configurations** - The speaker highlights that default settings—often containing easily discoverable credentials—rank as the top cloud misconfiguration causing data breaches, urging organizations to replace them before moving systems into production.
- [00:03:26](https://www.youtube.com/watch?v=nwjROTpVpQQ&t=206s) **Managing Privilege Creep and Least Privilege** - The speaker explains that privilege creep occurs when permissions are granted but not revoked, emphasizing the principle of least privilege, the need to promptly remove unnecessary rights, maintain admin‑user separation, and avoid shared superuser credentials to reduce security risk.
- [00:06:31](https://www.youtube.com/watch?v=nwjROTpVpQQ&t=391s) **Combined Monitoring and Segmentation Needs** - The speaker emphasizes using both host‑based and network‑based monitoring together with proper network segmentation to achieve full visibility and containment of malware propagation.
- [00:09:40](https://www.youtube.com/watch?v=nwjROTpVpQQ&t=580s) **The Crucial Role of Automated Patching** - The speaker emphasizes upgrading outdated software and employing automated or regularly scheduled patch management to prevent known vulnerabilities from being exploited, even on systems that don't contain sensitive data.
- [00:12:43](https://www.youtube.com/watch?v=nwjROTpVpQQ&t=763s) **Moving Toward Passwordless Multi‑Factor** - The speaker advocates replacing single passwords with a multifactor, password‑less approach—combining biometrics, device possession, and cryptographic private keys (e.g., FIDO) to achieve stronger, less compromise‑prone authentication.

## Full Transcript
0:00 A system is only as secure as it's configured to be.
0:02 And according to the IBM 2023 Cost of a Data Breach report,
0:07 the number three reason for data breaches was cloud misconfigurations.
0:12 It trailed just phishing and stolen credentials.
0:16 So if it turns out that misconfigurations are this common and this costly from a security standpoint,
0:22 it bears that we might take a closer look at the top five security misconfigurations,
0:29 according to the NSA and the Cybersecurity and Infrastructure Security Agency.
0:34 And stick around to the end. I'll throw in a bonus topic.
0:37 Okay. What came out at the very top of the list?
0:40 Number one, defaults.
0:43 It turns out I wrote a book 23 years ago called 'What Hackers Don't Want You to Know.'
0:48 And one of the chapters in that was called 'Defaults Are Dangerous.'
0:52 And it's still true 23 years later.
0:54 In fact, the default configuration for a lot of systems
0:58 will include credentials that can be easily discovered on the web.
1:03 You can just go do a search and find out that the default configuration for this particular operating system,
1:09 this middleware, this application has, for instance, an administrator ID that's set up, and let's say it's called admin.
1:17 And the password for that ID is, guess what, admin.
1:22 Well, that's fine for a default configuration.
1:24 If you're just setting the thing up, you've got to set it as something.
1:27 But this is not what you want to put in production.
1:29 So there's a case of a dangerous default, if you were to just leave it as is and put it into production.
1:36 Another thing, default services.
1:38 So, for instance, the system, when you install it, may have lots of different capabilities turned on.
1:45 There may even be some legacy services that you don't use anymore,
1:48 let's say Telnet, and it's turned on on this particular web server and you don't use it.
1:53 Well, if you don't use it, turn it off.
1:56 Remove the service completely.
1:58 We don't want anything on that we don't need to have on.
2:01 And then another example would be default configuration parameters.
2:06 So for instance, maybe it uses a default self-signed certificate in a web server because that's what you need just to get the thing up and running,
2:15 but that's not intended to be used out on the worldwide Internet where all kinds of attacks can occur.
2:22 So we need to change these kinds of things in order to make sure that the system is secure.
2:28 We refer to all of these changes as hardening, hardening as a way where we're basically taking the system that is soft in its original configuration
2:37 and hardening by removing anything that's not necessary.
2:41 Number two on the list was improper separation between user and admin capabilities.
2:47 So here we're basically talking about managing privileges.
2:51 And privileges are something that are very important for us to focus on in security.
2:55 There's the well-heeled principle of least privilege,
2:59 that says someone should only have access to the extent that they need it in order to perform their job.
3:05 So, for instance, when somebody comes into the organization, I give them certain admin rights
3:11 and then maybe their job changes or shifts. I add more admin rights or more user rights,
3:17 and this continues to just increase and increase and we end up with what is referred to as privilege creep.
3:26 Privilege creep basically says, we're very good at giving capabilities. We're not so good at taking them away.
3:32 The principle of least privilege says we need to be equally good at both.
3:37 In fact, it's most important from a security standpoint that I take these things away the moment they're no longer needed,
3:43 because those could ultimately be used against us in some way, whether intentionally or unintentionally.
3:49 If a bad guy gets into your system and your system is overly privileged, then it could be leveraged against the organization.
3:56 We want to avoid that.
3:57 We also want to maintain that separation between administrative users and regular end users.
4:05 So a regular end user maybe doesn't even need to be able to change the configuration on their actual system.
4:13 Maybe we want to turn it so that they can't even install software on their system.
4:17 All of that is done by the administrator and then pushed out to the user system.
4:21 So that's just one example of a security policy that we might want to implement.
4:25 Now, another thing that we might want to take a look at is a problem that very often occurs,
4:31 where we basically have a few administrators and their responsibility is to manage this particular system.
4:39 So what we do is we have them log in as a superuser, and now they can do whatever they want to on that system.
4:46 So we share the password, the credentials, across all of the administrators, and maybe there's a number of them out here.
4:52 What that means is any change that happens here,
4:56 I don't know who actually did it,
4:58 because any one of these guys could have done it. He could say, no, he did it, and he could say, no, he did it, and there's no way to prove it.
5:05 So this is a big problem.
5:06 We need a solution for this.
5:08 And in fact, we have one.
5:09 It's called a Privileged Account Management, or Privileged Access Management, system.
5:16 If we install something like this, then we put these users here,
5:20 and they're able to now, instead of logging directly in as the superuser, they log into the PAM system,
5:28 authenticate and prove that they are allowed to be on this system,
5:32 get the credentials for the system, log in, do their work, and then when they're done, they check these credentials back into the system.
5:40 And now this guy no longer has access.
5:42 If this guy needs access, then he comes and checks the credentials out.
5:46 The nice thing being, I always know who is responsible at any point in time.
5:52 And that way we don't overly share the admin capabilities.
5:56 You have them only for as long as you need them.
5:58 And that's the principle of least privilege.
6:02 Number three on the list is insufficient network monitoring.
6:07 Specifically referring to the internal environment.
6:10 So let's take, for instance, here's a very simple network of only four systems.
6:15 Obviously, your environment would be more complicated than this.
6:18 Let's say I put some kind of host monitoring capability on these systems.
6:23 Well, that's good news, because now I can tell that these three hosts have been infected.
6:28 So those alarms I will get.
6:31 So I know what's infected, but I don't know how it got infected.
6:35 I don't know where it entered and where it's going to spread to.
6:39 Now, that's what the host-based monitoring would give me. If I had network-based monitoring, it would do just the reverse.
6:48 It would tell me, well, the malware entered here and then it spread to this system and this system,
6:54 but it won't tell me all of the implications on each one of those systems.
6:58 So, in fact, what I really need in the best of all possible cases is both.
7:04 I need to monitor both the hosts and the network so that I get a complete picture. Because after all, you can't secure what you can't see.
7:12 So visibility is incredibly important in this case.
7:16 Number four on the list is network segmentation,
7:22 insufficient network segmentation specifically.
7:25 In other words, a lot of people create what is effectively, we refer to this as, a flat network.
7:32 A flat network is one that is more vulnerable because a vulnerability that happens here can spread rapidly,
7:40 as you've seen here in the first part of this.
7:43 But if I add something like, let's say, firewalls, firewalls give me more control.
7:50 So control increases.
7:52 So if I added, let's say, a firewall here to separate,
7:56 then maybe I can block the spread of whatever this malware or this attack is,
8:00 so that something that happens here doesn't necessarily spread to all the other systems.
8:05 So flat networks are very efficient, but more dangerous, and we have less control over what happens in them.
8:12 Another thing we probably want to consider as we're separating networks is to look to separate based upon zones of trust.
8:19 Systems that are more vulnerable, systems that are more sensitive, would be in their own zone.
8:25 Systems, maybe, for instance, in some organizations you have a large IT sort of environment,
8:30 and then you might have an OT, operational technology, or Internet of Things, or maybe a guest network.
8:40 And it would make sense to provide some separation between those two,
8:44 because the vulnerabilities here you don't want to spread into here.
8:49 Number five on the list of top misconfigurations is poor patch management.
8:55 Patches are the things that we apply in order to fix broken aspects of software.
9:00 It turns out that all software has bugs.
9:05 If you don't believe me, just run some software for a little bit of time and you'll discover some.
9:09 Also, it turns out that a certain percentage of those bugs will necessarily be security vulnerabilities.
9:16 So that means unpatched software has bugs.
9:19 And some of those will be security vulnerabilities.
9:22 It turns out the problem even gets worse when you consider vulnerabilities over time.
9:27 The older software gets, the more vulnerabilities it will have if you have not patched it.
9:33 And in fact, if it gets really old, there's a point where the vendor or the producer of the software won't be providing patches for it either.
9:40 That creates a real problem, as we end up now with this thing getting even more vulnerable over time.
9:47 So what should you do about this?
9:49 Well, one thing clearly is if you've got old software, you should upgrade it.
9:54 You should get to the latest versions of that software because, again, it's a pain; a lot of people don't want to do it.
10:01 But if you don't, this is what's sitting here and the bad guys know about it.
10:05 These vulnerabilities have been published.
10:07 If for no other reason than once the patch came out, it was explained.
10:11 So now the bad guys know what they can attack.
10:13 We need to make sure our stuff is upgraded.
10:16 What else do we need to do?
10:17 Well, the best thing when it comes to patching is automated patch management.
10:22 That way it happens as fast as we can do it,
10:25 or very nearly at that speed, and we're not reliant on manual.
10:30 If you're going to be reliant on manual, then you at least
10:34 need to have some sort of regular schedule, some sort of patch cycle,
10:38 where you're looking and saying every so often we're going to go out and make sure we have the latest software on any important system.
10:45 And by the way, the ones that don't contain sensitive data
10:48 can also come back to bite you because they can be an attack point.
10:51 Someone gets into those and then leverages from that point to get into the more sensitive systems.
10:57 So we have to be careful about all of these,
10:59 and we've also got to look at the whole landscape.
11:02 I've got to look at operating systems.
11:04 I need to make sure that all of the apps related to those are also patched.
11:09 I even need to look at firmware, and this is one that's often overlooked because it's a little bit harder to figure out.
11:15 So ideally we want it automated.
11:17 Secondly, have a regular schedule, but in all cases, make sure you're on the latest level.
11:24 Congratulations.
11:25 You've made it this far, so you deserve a bonus.
11:28 The bonus topic.
11:30 Poor credential hygiene.
11:32 In other words, bad passwords is what this mostly boils down to.
11:38 Passwords are a big problem for us.
11:40 In fact, we found that more than 35% of cloud security incidents, according to the 2023 X-Force Cloud Threat Landscape report,
11:52 more than 35% were due to compromised credentials.
11:57 These were valid credentials that somebody got a hold of and misused.
12:01 So we want to do something to make this better.
12:04 That's a significant number,
12:05 and that's something that is coming back to bite us on a regular basis.
12:10 As I've said before, when it comes to passwords,
12:13 this is the important thing to remember.
12:15 Not so much complexity, but length.
12:18 Length is strength when it comes to passwords.
12:20 The longer your password, in general, the harder it is to crack.
12:23 Now, if you add some complexity to it, then that's good.
12:27 Like adding numbers and special characters in mixed cases.
12:30 But that often adds more confusion for the user and doesn't always necessarily make it harder to crack.
12:37 Length is strength when it comes to passwords, at least 15 characters at a minimum.
12:41 We should be doing longer than that, really.
12:43 So thinking in terms of passphrases,
12:46 how about something that's even better than that?
12:48 How about multifactor authentication?
12:50 Because the password is a single factor of authentication, something you know.
12:54 Let's combine it with something you have and something you are, or some version of those things.
13:00 So multifactor authentication will be stronger,
13:03 if it's done properly, than a single password would be by itself, even a very well-chosen password.
13:09 How about this?
13:09 A well-chosen password, plus a biometric.
13:12 Even better still, but even better still than all of that.
13:16 Let's get rid of the passwords.
13:18 Let's do multifactor authentication and use a passwordless authentication protocol like FIDO.
13:25 I did a video on this recently.
13:27 Something like FIDO would allow us to get rid of passwords entirely.
13:30 We use stronger cryptographic methods like private keys
13:35 that are stored on the user's device and therefore are not subject to being sniffed and things like that, because they're not sent over the Internet.
13:43 So if we could do something where we totally eliminate the password, then the credentials are much harder to be compromised.
13:50 So something like multifactor authentication: I use my face to unlock my phone.
13:55 That's something I am.
13:57 The phone is something I have.
13:59 And then whatever the private key I'm using with this is something that is known.
14:03 And therefore all of those things together give us three factors
14:07 in one single shot.
14:08 This would be a far better solution and hopefully we can reduce this number substantially.
14:15 Those who fail to learn from history are destined to repeat it.
14:18 So make sure you learn from these common mistakes
14:21 so that you don't have to relive the consequences.
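An added example, not code from the video or this page, that turns the first two misconfigurations the speaker walks through (insecure defaults such as admin/admin, an enabled Telnet service and a self-signed certificate; and privilege creep, where rights granted for an old role are never revoked) into a checkable audit. The server inventory, role map and user records are constructed for illustration, so the function and field names are assumptions, not any product's API.

```python
# Added example (not the video's code): all inventory data below is constructed.

# Constructed inventory of one web server, as installed and not yet hardened.
SERVER_CONFIG = {
    "accounts": {"admin": "admin", "deploy": "c0rrect-h0rse-battery-staple-2024"},
    "services": {"telnet": True, "ftp": False, "sshd": True, "httpd": True},
    "tls": {"cert_subject": "CN=localhost", "cert_issuer": "CN=localhost"},
}
# Vendor defaults that are "easily discovered on the web": never ship these.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}
# Legacy services that should be removed, not merely left enabled.
LEGACY_SERVICES = {"telnet", "ftp", "rsh", "rlogin"}

# Constructed role model: the rights each role needs to do its job.
ROLE_RIGHTS = {
    "developer": {"git:push", "ci:trigger"},
    "sre": {"git:push", "ci:trigger", "prod:ssh", "prod:deploy"},
    "support": {"tickets:read", "tickets:write"},
}
# Constructed identity records: current role plus every right ever granted.
# alice moved from sre to support but kept her old rights (privilege creep).
USERS = [
    {"name": "alice", "role": "support",
     "rights": {"tickets:read", "tickets:write", "prod:ssh", "git:push"}},
    {"name": "bob", "role": "sre",
     "rights": {"git:push", "ci:trigger", "prod:ssh", "prod:deploy"}},
]


def find_insecure_defaults(config):
    """Misconfiguration #1: default credentials, enabled legacy services
    and a self-signed certificate still present in the configuration."""
    findings = []
    for user, password in config["accounts"].items():
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(f"default credential in use: {user}")
    for service, enabled in config["services"].items():
        if enabled and service in LEGACY_SERVICES:
            findings.append(f"legacy service enabled: {service}")
    tls = config["tls"]
    if tls["cert_issuer"] == tls["cert_subject"]:  # a cert that signed itself
        findings.append("self-signed TLS certificate (issuer == subject)")
    return findings


def find_privilege_creep(users, role_rights):
    """Misconfiguration #2: every right a user still holds that the
    user's current role does not require, i.e. the rights to revoke."""
    creep = {}
    for user in users:
        extra = user["rights"] - role_rights.get(user["role"], set())
        if extra:
            creep[user["name"]] = sorted(extra)
    return creep
```

Running both checks over the constructed data flags the admin account, Telnet and the localhost certificate for hardening, and lists alice's leftover `git:push` and `prod:ssh` rights as the ones to revoke.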