Revelations about a recent breach of confidential data in Utah highlights how configuration errors can end up being costly.
A recent data breach that exposed personal information for nearly 800,000 people in Utah also exposed how lethal configuration mistakes and policy failures can be in the world of security.
The breach occurred during an upgrade of the state’s Medicaid Management Information System, when a server storing personal data and using factory-issued default passwords was accessed by hackers. Last week, the director of Utah’s Department of Technology Services (DTS) resigned in the wake of the breach. The man who has taken his place in the interim, Mark VanOrden, told the Deseret News that multiple mistakes led to the breach.
“Two, three or four mistakes were made,” VanOrden was quoted as saying. “Ninety-nine percent of the state’s data is behind two firewalls, this information was not. It was not encrypted and it did not have hardened passwords.”
“This is like turning on Telnet or RDP or open FTP to meet an immediate business need, then not turning it back off,” he said. “Or putting in a ‘temporary hidden’ remote access capability to the manufacturing/SCADA/etc network and then leaving it there.”
Marcus Ranum, CSO of Tenable Network Security, agreed that open services are a critical class of configuration errors. Some examples include leaving a SQL service running on a machine that should not have one, or firewall rules permit incoming SQL to a particular subnet, he said.
“I’d say that, practically by definition, [configuration errors] happen because of poor configuration management…A common cause of problems is when you mix systems that are under CM with systems that are not – for example, you might have a decent corporate security set-up and an employee brings in a personal laptop in order to download some files from the internet, and accidentally brings a piece of malware into the corporate network on that laptop,” he said.
These errors usually are tied to changes like an upgrade or some immediate business need, for example a vendor needing connectivity to a particular server, Pescatore said.
Auditing change management processes is important, and most problems can be found with simple vulnerability scanning, he added.
“It should be done regularly – typically at least monthly, ideally weekly – and after any out of cycle updates,” he said. “The problems found have to be corrected. Too often long, long lists of misconfigurations are maintained for month without being fixed. Penetration testing is often useful to get management attention to the problem and to prioritize immediate problems that need to be fixed.”