Security Misconfigurations and the Apocalypse: The Result of Human Error

Jeff Styles

As security threats evolve and become more advanced, managing your firewall or cloud security group configurations across the hybrid enterprise has never been more vital. Security analysts and engineers spend the vast majority of their time worrying about vulnerabilities but should be worried about something else. Through 2023, 99% of all firewall breaches will be caused by misconfigurations, not flaws, according to Gartner research.

Misconfiguration Outcomes

  • Compliance violations
  • Avenues for breaches
  • Unplanned outages

We’ve heard of a zombie apocalypse, a robot apocalypse and many others – all the theoretical result of human activity. These misconfiguration outcomes aren’t anything new and have enough significance to cause major damage, potentially apocalypse-level damage. So, what’s going on?

Common Misconfigurations

Here’s a small sample of firewall or cloud security group misconfigurations that can violate compliance, cause outages or open the door for hackers.

  • Overly permissive access
  • Incorrect access (zone, subnet, host)
  • Open ports to known vulnerable hosts
  • Rules that bypass the proxy (violate egress policy)
  • Access that violates internal or regulatory compliance standards

Why it’s Still Happening

  • The rate of change of technology is outpacing our ability to keep up with it
  • Lack of proper training
  • Lack of sleep due to late-night change windows (overworked staff)
  • Policy complexity is out of hand

Understanding the Cyber-Attack Chain

Cybercriminals continue to take advantage of human error and mistakes in infrastructure configurations to launch attacks. In 2018, IBM revealed that there was a 424% increase in data breaches due to cloud misconfigurations that were caused by human error.

The phases of a typical attack chain are listed below; the bolded phases signify where common security policy misconfigurations are often exploited, allowing the attack chain to proceed:

  1. Recon/Enumeration – URL hacking, port scanning, permission probing, etc.
  2. Weaponization – Coupling exploits with backdoors/rootkits into deliverable payloads
  3. Delivery – Delivering weaponized bundle to the victim via email, web, TCP/UDP, etc.
  4. Exploitation – Exploiting a vulnerability to execute code on a victim’s system
  5. Installation – Installing malware on the asset
  6. Command & Control – Command channel for remote manipulation of the victim
  7. Action & Objective – Hands-on keyboard access, intruders accomplish their original goals

Understanding the attack chain is vital to helping businesses construct a proper, layered defense system; remember, it only takes one point of mitigation to break the chain.

Here Comes the Storm

As the technology we love continues to evolve, it is growing at a rate that outpaces our ability to keep up with it. For example, virtually all cloud data breaches to date have been caused by configuration errors. These errors come in two flavors: improper use of the native security controls offered by cloud providers, and organizations deploying misconfigured servers, storage, firewalls, etc. in the cloud.

In other words, misconfiguration is code for human error.

Taking Cover with Automation

Misconfigurations will almost always occur during the change process, e.g., when rules are added, modified or deleted. The key benefit of automation is the elimination of guesswork and manual input, especially when rolling out error-prone, late-night changes across multiple vendors, platforms and data centers. The FireMon engine will allow you to stay focused on what matters most: security.

Automation Benefits

  • Reduction of human error by preventing mistakes that increase your attack surface
  • Harmony: removing the friction between DevOps and SecOps to deliver security at speed
  • Increase security agility while lowering SLAs
  • Increase operational efficiency while reducing operational and security costs
  • Stop the revolving door of compliance violations by checking compliance proactively prior to implementation
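The "Common Misconfigurations" list above and the idea of checking compliance proactively before a change is implemented come together in a pre-change rule linter. The following Python script is an added example, not FireMon code or anything from the original post: it takes a proposed firewall or security-group change in a normalized form and reports rules that are overly permissive, cross zones they should not, expose known-vulnerable hosts, bypass the egress proxy, or violate an internal standard. The zone map, proxy host, vulnerable-host list and the five sample rules are all constructed assumptions for illustration; a real deployment would load them from the policy platform and the vulnerability scanner.

```python
"""Pre-change firewall / security-group rule linter (added example, constructed data)."""
import ipaddress
from collections import namedtuple

Finding = namedtuple("Finding", "rule_id category detail")

# --- Constructed policy context (assumptions, not from the original post) ---
INTERNET = ipaddress.ip_network("0.0.0.0/0")
ZONES = {                                   # which subnet belongs to which zone
    "dmz": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.10.0/24"),
    "db":  ipaddress.ip_network("10.0.20.0/24"),
}
ZONE_MATRIX = {                             # permitted (source zone, destination zone) pairs
    ("internet", "dmz"), ("dmz", "app"), ("app", "db"), ("dmz", "internet"),
}
PROXY_HOSTS = {ipaddress.ip_network("10.0.1.10/32")}   # only the egress proxy may reach the internet
PUBLIC_OK_PORTS = {80, 443}                 # the only ports that may be exposed to the internet
ADMIN_PORTS = {22, 3389}                    # management ports must never be internet-facing
FORBIDDEN_PORTS = {23}                      # telnet violates the internal standard anywhere
MAX_PORT_SPAN = 100                         # wider port ranges are treated as overly permissive
VULNERABLE_HOSTS = {ipaddress.ip_address("10.0.20.7")}  # constructed: flagged by the scanner, unpatched


def zone_of(net):
    """Map a network to its zone name; 0.0.0.0/0 is 'internet', anything unmapped is 'unknown'."""
    if net == INTERNET:
        return "internet"
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unknown"


def lint_rule(rule):
    """Return the list of policy findings for one allow rule; an empty list means it is clean."""
    findings = []
    if rule.get("action", "allow") != "allow":
        return findings                     # deny rules cannot open access
    src, dst = ipaddress.ip_network(rule["src"]), ipaddress.ip_network(rule["dst"])
    lo, hi = rule["ports"]
    covers = lambda ports: any(lo <= p <= hi for p in ports)
    flag = lambda cat, detail: findings.append(Finding(rule["id"], cat, detail))

    # Overly permissive access: any-to-any, wide port ranges, or non-public ports open to the internet
    if src == INTERNET and dst == INTERNET:
        flag("overly-permissive", "any source to any destination")
    if hi - lo >= MAX_PORT_SPAN:
        flag("overly-permissive", f"port range {lo}-{hi} is wider than {MAX_PORT_SPAN} ports")
    if src == INTERNET and dst != INTERNET and not all(p in PUBLIC_OK_PORTS for p in range(lo, hi + 1)):
        flag("overly-permissive", f"ports {lo}-{hi} exposed to the internet")

    # Incorrect access: the zone pair is not on the allowed matrix
    pair = (zone_of(src), zone_of(dst))
    if pair not in ZONE_MATRIX:
        flag("incorrect-access", f"{pair[0]} -> {pair[1]} is not a permitted zone pair")

    # Open ports to a host the scanner currently flags as vulnerable
    if dst != INTERNET and any(h in dst for h in VULNERABLE_HOSTS):
        flag("vulnerable-host", "destination contains a host awaiting patching")

    # Proxy bypass: egress to the internet from anything other than the proxy
    if dst == INTERNET and src not in PROXY_HOSTS:
        flag("proxy-bypass", "direct internet egress violates the egress policy")

    # Internal / regulatory standard violations
    if src == INTERNET and covers(ADMIN_PORTS):
        flag("compliance", "management port exposed to the internet")
    if covers(FORBIDDEN_PORTS):
        flag("compliance", "rule permits a forbidden protocol port (telnet)")
    return findings


def lint_change(rules):
    """Lint every rule in a proposed change; the change should be blocked if anything is returned."""
    return [f for rule in rules for f in lint_rule(rule)]


# Constructed sample change set: one clean public rule, one exposed admin port, one
# direct egress rule, one any-port rule into the database zone, and the proxy's own egress.
RULES = [
    {"id": "r1", "src": "0.0.0.0/0",     "dst": "10.0.1.0/24",  "ports": (443, 443)},
    {"id": "r2", "src": "0.0.0.0/0",     "dst": "10.0.10.0/24", "ports": (22, 22)},
    {"id": "r3", "src": "10.0.1.0/24",   "dst": "0.0.0.0/0",    "ports": (443, 443)},
    {"id": "r4", "src": "10.0.10.0/24",  "dst": "10.0.20.0/24", "ports": (1, 65535)},
    {"id": "r5", "src": "10.0.1.10/32",  "dst": "0.0.0.0/0",    "ports": (443, 443)},
]

if __name__ == "__main__":
    for f in lint_change(RULES):
        print(f"{f.rule_id}: [{f.category}] {f.detail}")
```

Run before the change window rather than after: wiring `lint_change` into the change-request pipeline and refusing any change that returns findings is what turns the "compliance prior to implementation" bullet into an enforced gate instead of an audit finding discovered after the outage or breach.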

Whether you run a traditional SecOps model or fast-paced DevOps, FireMon gives you the tools to prevent accidental misconfigurations, and the business disruptions and security threats that accompany them.
