So many times, we look beyond the mark. With our feeds constantly inundated with headline-grabbing news about AI-generated threats, nation states upping their cybercrime game, and sophisticated new forms of malware, we can be tempted to think that the bulk of cyberwarfare is going on "up there" somewhere.
In reality, most breaches still originate from unforced errors, and threat actors are just like anybody else – they don't like working harder than they need to. That's why the golden rule of cybercrime seems to be "try the easy stuff first." And some of the easiest things are doors that organizations think they've locked that they haven't. You might know this concept by its all-too-familiar industry term: misconfigurations.
According to IBM's 2023 Cost of a Data Breach Report, cloud misconfiguration is the third most common initial attack vector, behind only phishing and stolen or compromised credentials. When a company can shrink its third-largest avenue of attack by tightening a few screws, it is worth getting right. Of course, getting a handle on misconfigurations – especially in a cloud environment – takes more than a few turns of a screwdriver, but the tools on the market today make it easier than many organizations have been trained to think.
In this blog, we'll go over what the misconfigurations landscape looks like today, how so many can get it wrong, and how you can get it right.
Getting it wrong
The malicious potential of misconfigurations
The National Institute of Standards and Technology (NIST) defines a misconfiguration as "An incorrect or suboptimal configuration of an information system or system component that may lead to vulnerabilities." The definition draws a straight line from a mistake made while setting up a system to a vulnerability that can later be exploited.
As digitization takes in more terrain, the risk of something not being configured correctly spreads across that terrain with it. Take, for example, IoT devices that connect to critical infrastructure via Operational Technology (OT). As noted by Fortra Solutions Engineer Faisal Parkar, "Misconfigured wireless access points open to many devices present an unnecessary exposure that bad actors can exploit to infiltrate an organization and potentially infect its systems with malware, which can hinder industrial operations and harm the company."
And OT is only one vector to worry about. A misconfigured database server can expose its contents to anyone who finds it on the internet, misconfigured APIs have been estimated to account for two-thirds of cloud breaches, and while estimates of how many cloud security issues trace back to misconfiguration range anywhere from 11% to 65%, Gartner goes so far as to predict that through 2025, 99% of cloud security failures will be the customer's fault, which in practice mostly means misconfiguration and similar customer-side errors.
Why you can't "set it and forget it" with configurations
Even the best configurations drift. Say something is configured correctly; take a router's Border Gateway Protocol (BGP) maximum-prefix limit, as in a recent event. This setting exists to protect routers from routing table explosions, but when a routing update pushed the number of received prefixes past the configured limit, the routers did exactly what their configuration told them to and disconnected. The result? A large telecommunications company in Australia lost internet, landline, and mobile service for its customers (including health and emergency services) for several hours.
In this case, no nefarious threat actors or sophisticated attacks were behind the disaster (although some probably wish they were). Speaking of these very misconfiguration issues, Anirudh Chand, Fortra's Head of Solutions Engineering for APJ, stated, "I’ve often seen organizations and teams distracted by the latest new cybersecurity products without having the basic security practices in place.”
And even these basic security practices need tuning to get just right. While out-of-the-box security on most services has come a long way, default configurations still don’t cut it. As an example of what defaults can do: in 2023, attackers compromised Programmable Logic Controllers (PLCs) at a U.S. water utility because the devices were reachable from the internet on their default network port and were still protected only by the vendor's default password.
Defaults also carry a longer-term risk. As Faisal states, “The problem with leaving a default configuration is that these are defined by the vendor, not by you or your organisations,” meaning that “you are reliant on this setting being the same [even] if there is an update or upgrade.” Every update necessitates another look at those default configuration settings, and that could be a lot of work. As Jeff Moline, General Manager of Fortra’s Tripwire, notes, “The default settings that come with the implementation of these tools and solutions are often not configured securely, and many organizations do not invest the time and resources into ensuring that they are.”
Getting it right
Making your configurations work for you
You have a blank check when you’re spinning up your system’s settings; now is the time to make them work for you. As Michael Betti, a Field Systems Engineer for Tripwire, notes, “Companies that configured their Docker application to the CIS recommended security settings for container users and privileges were not as vulnerable to container escape exploits.” This may seem obvious, but the point is that these companies did not settle for the defaults: they tuned the application to the benchmark written specifically for their use case, container users and privileges.
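What “configured to the CIS recommended settings for container users and privileges” looks like in practice, as an added example written for this post (not Tripwire’s code and not the CIS Benchmark text itself): a small checker that reads a container’s runtime settings and flags the handful of settings the Benchmark’s runtime section is most concerned with. The two sample configurations are constructed by hand in the shape of `docker inspect` output (the Config.User and HostConfig fields), so the script runs offline; the rules are paraphrased, not quoted from the Benchmark.

```python
"""Added example: flag container runtime settings that CIS Docker Benchmark-style
rules would fail. Illustrative code for this post, not Tripwire's and not CIS's.
WEAK and HARDENED are constructed samples shaped like `docker inspect` output."""
import json

# Capabilities that hand a process a route out of the container if it is compromised.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def _caps(values) -> set[str]:
    # docker inspect reports capabilities as "SYS_ADMIN" or, in newer releases, "CAP_SYS_ADMIN".
    return {c.upper().removeprefix("CAP_") for c in values or []}


def check_container(inspect: dict) -> list[str]:
    """Return one finding per failed rule; an empty list means the container passed."""
    cfg = inspect.get("Config") or {}
    host = inspect.get("HostConfig") or {}
    findings: list[str] = []

    # Rule: processes must not run as root inside the container. Docker accepts "",
    # a name, a UID or "uid:gid" here; anything that resolves to root fails.
    uid = (cfg.get("User") or "").strip().split(":", 1)[0]
    if uid in ("", "0", "root"):
        findings.append("runs as root (Config.User unset or root)")

    # Rule: --privileged removes most isolation; never allow it.
    if host.get("Privileged"):
        findings.append("Privileged=true")

    # Rule: drop the default capability set, then add back only what the workload needs.
    if "ALL" not in _caps(host.get("CapDrop")):
        findings.append("CapDrop does not include ALL")
    risky = sorted(_caps(host.get("CapAdd")) & RISKY_CAPS)
    if risky:
        findings.append(f"CapAdd grants risky capabilities: {risky}")

    # Rule: stop setuid/setgid binaries from escalating privileges inside the container.
    if not any(opt.startswith("no-new-privileges") for opt in host.get("SecurityOpt") or []):
        findings.append("SecurityOpt lacks no-new-privileges")

    # Rule: a read-only root filesystem limits what a compromised process can persist.
    if not host.get("ReadonlyRootfs"):
        findings.append("ReadonlyRootfs=false")

    # Rule: sharing the host's PID or network namespace undoes container isolation.
    if host.get("PidMode") == "host":
        findings.append("PidMode=host")
    if host.get("NetworkMode") == "host":
        findings.append("NetworkMode=host")
    return findings


def load_inspect_json(text: str) -> list[dict]:
    """`docker inspect <container>` prints a JSON array, one object per container."""
    return json.loads(text)


# Constructed sample: roughly what `docker run --cap-add SYS_ADMIN myapp` looks like
# in `docker inspect`, trimmed to the fields checked above.
WEAK = {
    "Config": {"User": ""},
    "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
                   "ReadonlyRootfs": False, "SecurityOpt": None,
                   "PidMode": "", "NetworkMode": "bridge"},
}

# Constructed sample: the same workload started with
#   docker run --user 10001:10001 --cap-drop ALL --cap-add NET_BIND_SERVICE \
#              --read-only --security-opt no-new-privileges myapp
HARDENED = {
    "Config": {"User": "10001:10001"},
    "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
                   "ReadonlyRootfs": True, "SecurityOpt": ["no-new-privileges"],
                   "PidMode": "", "NetworkMode": "bridge"},
}

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_container(sample) or "PASS")
```

Against a live host, `docker inspect <container>` piped into `load_inspect_json` and then `check_container` on each element gives the same findings for real containers; the point of the two samples is that the hardened container runs the same image and differs only in settings the operator chose to set rather than inherit.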
The same principles apply when trying to hit a sector-specific compliance benchmark. Dan Jamison, Federal Account Manager at Fortra, expounds on the U.S. Government Configuration Baseline (USGCB), a security configuration standard for IT devices used across the federal landscape, in a recent article. He explains that “While [each federal agency has] the autonomy to customize USGCB requirements to fit their individual needs, each adjustment should be documented, and agencies are responsible for ensuring proper implementation and testing takes place.”
Compliance with NERC CIP standards is very much the same story. Correct configuration to the NERC CIP standards is the only way to maintain compliance, and the penalties for non-compliance can be severe, even "limiting activities, functions, or operations, or placing the violator on a reliability watch list of significant violators,” according to NERC.
Let’s not forget the point of all these custom configurations in the first place: security and visibility. On this note, Betti explains that “Turning on the audit settings so that you’re logging all types of [system activity] gives you the best chance of being alerted to unusual activity. If you don’t turn on the audit settings (and many of them are turned off by default on Windows and Linux systems), you’re blind to what is actually happening on those systems.” Of course, these helpful configurations will only work when set up properly, and for that, it is helpful to implement a Security Configuration Management (SCM) program.
Security Configuration Management (SCM): Keeping Things Right
Every time we alter configurations – even as planned and for the right reasons – there is an increased chance of error. That is why an automated Security Configuration Management solution is essential: it takes error-prone manual work out of the loop while still keeping configurations continuously up to date.
What is SCM?
SCM is “the practice of keeping your security configurations in top shape, making sure any changes are monitored, ensuring they are still optimized after taking in new services, and generally maintaining them so they remain comprehensive and effective,” states Moline. This, in turn, prevents breaches through the following mechanisms:
- Establishing a configuration baseline – an “ideal state” – for the systems in your organization.
- Continuous monitoring to ensure that those configurations stay within allotted compliance boundaries.
- Change management that notes when configurations have been modified. This can help pinpoint problems when they occur.
- Real-time notifications when configuration alterations occur that could become vulnerabilities. SCM can even be automated to restore the original configuration in the event of unauthorized changes.
- Regular vulnerability assessments to ensure that no configuration change, despite your best previous efforts, left an exploitable weakness behind.
And SCM can operate effectively across many different environments – cloud, on-premises, industrial, and managed services – being tailored to each one.
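The five mechanisms above, end to end, as an added example written for this post (illustrative code, not Tripwire’s product): take a baseline, detect drift, separate changes that have an approved change record from ones that don’t, put the golden copy back over the unauthorized ones, and run a policy check on the result. It works on a throwaway directory of constructed config files (an sshd_config-style file and a sysctl-style file created in a temp directory), so it runs offline; the “golden” copy is a plain directory and the approved-change list is a Python set, where a real SCM product would use its agents, policy library and ticketing integration.

```python
"""Added example: a miniature Security Configuration Management loop. Written for
this post, not Tripwire's code; all files and policy rules are constructed."""
import hashlib, shutil, tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Baseline: SHA-256 of every file under root, keyed by POSIX relative path."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def drift(baseline: dict[str, str], current: dict[str, str]) -> dict[str, str]:
    """Change detection: map each drifted path to 'added', 'removed' or 'modified'."""
    changes: dict[str, str] = {}
    for path in baseline.keys() | current.keys():
        if path not in current:
            changes[path] = "removed"
        elif path not in baseline:
            changes[path] = "added"
        elif baseline[path] != current[path]:
            changes[path] = "modified"
    return changes


def classify(changes: dict[str, str], approved: set[str]) -> tuple[dict, dict]:
    """Split drift into changes backed by an approved change record and everything else."""
    authorized = {p: k for p, k in changes.items() if p in approved}
    unauthorized = {p: k for p, k in changes.items() if p not in approved}
    return authorized, unauthorized


def restore(root: Path, golden: Path, paths) -> None:
    """Remediation: put the golden copy back over every unauthorized change."""
    for rel in paths:
        src, dst = golden / rel, root / rel
        if src.exists():
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
        elif dst.exists():
            dst.unlink()  # a file that was never in the baseline simply goes away


# Policy (constructed): required settings per file, checked regardless of drift.
POLICY = {
    "ssh/sshd_config": [("PermitRootLogin", "no"), ("PasswordAuthentication", "no")],
    "sysctl.d/99-hardening.conf": [("net.ipv4.ip_forward", "0")],
}


def policy_findings(root: Path) -> list[str]:
    """Assessment of the configuration itself: which required settings are wrong?"""
    findings = []
    for rel, rules in POLICY.items():
        settings: dict[str, str] = {}
        for raw in (root / rel).read_text().splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
            if not line:
                continue
            key, _, value = line.replace("=", " ").partition(" ")  # 'Key value' or 'key = value'
            settings[key.strip()] = value.strip()
        for key, wanted in rules:
            got = settings.get(key)
            if got != wanted:
                findings.append(f"{rel}: {key} is {got!r}, policy requires {wanted!r}")
    return findings


def demo() -> dict:
    """Run one monitoring cycle against constructed files and return what SCM would report."""
    work = Path(tempfile.mkdtemp())
    live, golden = work / "live", work / "golden"
    for d in ("ssh", "sysctl.d"):
        (live / d).mkdir(parents=True)
    (live / "ssh/sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
    (live / "sysctl.d/99-hardening.conf").write_text("net.ipv4.ip_forward = 0\n")
    shutil.copytree(live, golden)  # golden copy kept from the moment the baseline was approved
    baseline = snapshot(live)

    # Approved change (change ticket on file): an extra hardening setting is added.
    approved = {"sysctl.d/99-hardening.conf"}
    (live / "sysctl.d/99-hardening.conf").write_text("net.ipv4.ip_forward = 0\nkernel.kptr_restrict = 2\n")
    # Unauthorized change: someone quietly re-enabled root login over SSH.
    (live / "ssh/sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")

    changes = drift(baseline, snapshot(live))
    authorized, unauthorized = classify(changes, approved)
    findings_before = policy_findings(live)  # this is what the alert would carry
    restore(live, golden, unauthorized)
    findings_after = policy_findings(live)
    remaining = drift(baseline, snapshot(live))  # only the approved change should be left
    shutil.rmtree(work)
    return dict(changes=changes, authorized=authorized, unauthorized=unauthorized,
                findings_before=findings_before, findings_after=findings_after,
                remaining_drift=remaining)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to real deployments: the approved-change list is what keeps authorized work from generating noise (mechanism three), and the policy check runs separately from drift detection, because a change can be fully authorized and still leave a setting out of policy (mechanism five).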
What to look for in a good SCM
When looking for a Security Configuration Management solution that suits your enterprise, there are a few key things to keep in mind. When vetting the solution, look for:
- Support for your operating systems and applications.
- A way to identify “invisible” devices.
- A way to customize policies to your industry and company’s specific requirements.
- The ability to scale configurations scanning in a sustainable way across your enterprise (without draining too many resources at one time).
- Remote device scanning.
- Integration with your existing operational processes.
- The ability to deal with authorized configuration exceptions.
Additionally, John Stanton, Senior Account Executive at Fortra, suggests that “it is smart to inquire about the controls offered for endpoint management, the standards and benchmarks offered out of the box, and how the vendor handles remote and disconnected devices,” to separate the sheep from the goats in the SCM space.
Tripwire SCM
The goal of any good SCM program is to keep your organization continuously compliant with all applicable industry standards – and to keep it safe. Security Configuration Management from Fortra’s Tripwire does this on a level deeper than other tools in its lane. Taha Dharsi, a Security Engineer at Tripwire, notes that, “Many other compliance products are tied to vulnerability management, but they lack the real-time ability to alert of an immediate change. Tripwire enables the creation of a custom policy against which an application can be checked. If it falls out of compliance with your golden configuration, it will issue an alert.” The result is that Tripwire SCM, “along with the customizable rules, offers incredible flexibility.”
Specifically, Tripwire’s SCM offers the key capabilities of:
- Finding vulnerabilities within configurations.
- Establishing configurations baselines.
- Continuously monitoring configurations for compliance.
- Remediating any deviations.
Plus, by continuously enforcing up-to-date configurations across all an enterprise’s systems, “Tripwire Enterprise SCM policies integrate into broader security frameworks like Zero Trust,” notes Paul Stewart, Professional Services Architect at Tripwire. To see it in action, get a personalized demo of our SCM software or learn more by checking out our Guide to Mastering Configuration Management.
“It Ain’t What You Know...”
In a complex and threat-riddled environment, configurations are the wrong thing to get wrong. There are enough risks from network weaknesses we know about; there’s no need to plague ourselves with surprise attacks coming from ones we don’t. The sooner organizations can batten down the hatches and make sure the things they think are running properly really are, the safer those organizations will be.
On paper, if all of our security tools and network architecture elements performed according to plan, we could cut our security workload significantly. The trouble is that they are set up and changed by people. According to the Verizon 2024 Data Breach Investigations Report, human error accounts for 28% of all breaches, with the human element being party to at least 68%.
Cutting down on misconfigurations is all about cutting down on surprises. And, cutting down on that third-most-common vector of attack. As Mark Twain reportedly said, “It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so.” Correctly managing your configurations (and ousting misconfigurations) will make sure that what you think you know about your security posture really is so. And that should create enough of an effort barrier that any lazy, opportunistic, or vulnerability-hunting threat actors will look for easy wins somewhere else.