SecurityWeek

Application Security

Configuration Mistakes Make for Costly Security Gaps

Revelations about a recent breach of confidential data in Utah highlight how costly configuration errors can end up being.

A recent data breach that exposed personal information for nearly 800,000 people in Utah also exposed how lethal configuration mistakes and policy failures can be in the world of security.

The breach occurred during an upgrade of the state’s Medicaid Management Information System, when a server storing personal data and using factory-issued default passwords was accessed by hackers. Last week, the director of Utah’s Department of Technology Services (DTS) resigned in the wake of the breach. The man who has taken his place in the interim, Mark VanOrden, told the Deseret News that multiple mistakes led to the breach.

“Two, three or four mistakes were made,” VanOrden was quoted as saying. “Ninety-nine percent of the state’s data is behind two firewalls, this information was not. It was not encrypted and it did not have hardened passwords.”

Configuration Errors

The use of default passwords is one of the most common configuration errors found in IT, as is leaving debug functions switched on, Gartner analyst John Pescatore told SecurityWeek. But the biggest set of configuration errors is temporary changes that are never undone.

“This is like turning on Telnet or RDP or open FTP to meet an immediate business need, then not turning it back off,” he said. “Or putting in a ‘temporary hidden’ remote access capability to the manufacturing/SCADA/etc network and then leaving it there.”

Marcus Ranum, CSO of Tenable Network Security, agreed that open services are a critical class of configuration errors. Examples include leaving a SQL service running on a machine that should not have one, or firewall rules that permit incoming SQL traffic to a particular subnet, he said.

“I’d say that, practically by definition, [configuration errors] happen because of poor configuration management…A common cause of problems is when you mix systems that are under CM with systems that are not – for example, you might have a decent corporate security set-up and an employee brings in a personal laptop in order to download some files from the internet, and accidentally brings a piece of malware into the corporate network on that laptop,” he said.

These errors usually are tied to changes like an upgrade or some immediate business need, for example a vendor needing connectivity to a particular server, Pescatore said.


Auditing change management processes is important, and most problems can be found with simple vulnerability scanning, he added.

“It should be done regularly – typically at least monthly, ideally weekly – and after any out-of-cycle updates,” he said. “The problems found have to be corrected. Too often long, long lists of misconfigurations are maintained for months without being fixed. Penetration testing is often useful to get management attention to the problem and to prioritize immediate problems that need to be fixed.”
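As an added illustration, not code from the article or from the people quoted in it, here is a small Python audit that applies the points made above about open services, temporary changes that are never undone, and regular scanning: it checks constructed scan results for the misconfigurations named in the breach (default credentials, unencrypted data, a host outside the firewall, exposed Telnet/FTP/RDP/database listeners) and treats any "temporary" exposure as a finding unless the change-management register holds an unexpired, ticketed exception. Host names, ports, ticket numbers and dates are all constructed.

```python
from datetime import date

# Services the article's sources cite as commonly left on "temporarily", keyed by standard port.
RISKY_SERVICES = {23: "telnet", 21: "ftp", 3389: "rdp", 1433: "mssql", 3306: "mysql"}

# Constructed scan output for hypothetical hosts, as a weekly or monthly scan would report it.
SCAN = [
    {"host": "mmis-db01", "ports": [1433, 22], "default_creds": True,
     "behind_firewall": False, "encrypted_at_rest": False},
    {"host": "vendor-jump01", "ports": [3389, 22], "default_creds": False,
     "behind_firewall": True, "encrypted_at_rest": True},
    {"host": "web01", "ports": [443, 22], "default_creds": False,
     "behind_firewall": True, "encrypted_at_rest": True},
]

# Constructed change-management register: every temporary exception has a ticket and an expiry.
EXCEPTIONS = [
    {"host": "vendor-jump01", "port": 3389, "ticket": "CHG-0001", "expires": "2030-01-01"},
    {"host": "mmis-db01", "port": 1433, "ticket": "CHG-0002", "expires": "2012-03-01"},
]


def audit(scan, exceptions, today_iso):
    """Return (host, finding) pairs for every misconfiguration not covered by an
    unexpired, ticketed exception as of today_iso (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    active, expired = {}, {}
    for e in exceptions:
        bucket = active if date.fromisoformat(e["expires"]) > today else expired
        bucket[(e["host"], e["port"])] = e
    findings = []
    for h in scan:
        if h["default_creds"]:
            findings.append((h["host"], "default credentials still in use"))
        if not h["behind_firewall"]:
            findings.append((h["host"], "not behind the firewall"))
        if not h["encrypted_at_rest"]:
            findings.append((h["host"], "data not encrypted at rest"))
        for p in h["ports"]:
            key = (h["host"], p)
            if p not in RISKY_SERVICES or key in active:
                continue  # not a risky service, or still under an approved exception
            if key in expired:  # the "temporary" change that was never undone
                e = expired[key]
                findings.append((h["host"], f"{RISKY_SERVICES[p]} still on; temporary exception {e['ticket']} expired {e['expires']}"))
            else:
                findings.append((h["host"], f"{RISKY_SERVICES[p]} exposed with no approved exception"))
    return findings
```

Run against the constructed data with `audit(SCAN, EXCEPTIONS, "2012-04-10")`, the only findings are on mmis-db01, including the database listener whose exception lapsed a month earlier; the vendor jump host's RDP exposure is silent only because its ticket has not expired.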

Written By

Marketing professional with a background in journalism and a focus on IT security.
