The seemingly endless headlines about security and data breaches can lead us to believe that attackers have become more advanced than ever before. While perhaps their goals and approach are more organized, analysis of recent breaches suggests that their techniques, in fact, have not significantly evolved. As CDW looks back on the last three years of penetration tests, the results show that attackers continue to leverage common, known attack vectors. Our analysis of vulnerabilities we discover and those exploited in recent high-profile breaches reveals that insecure configurations remain a leading, ongoing security problem.
Configuration Management Leads Top Vulnerabilities
In the past three years, through our security assessment activities, CDW has identified over 9,000 vulnerabilities in our customers’ environments. CDW recently studied the redacted results of over 500 penetration test engagements, looking for trends in the vulnerability themes identified. The result may be surprising: the top category of vulnerability discovered was configuration management issues.
Configuration management vulnerabilities arise when a software or firmware setting, rather than a flaw in the code itself, exposes a security weakness. In other words, the necessary countermeasures were already present in the environment; they simply had not been configured properly. In almost every case, the setting that prevents the vulnerability is well understood and documented in published best practices.
As we dig deeper into the vulnerabilities, we find that most of them are the result of missing configurations that have been recommended for years. For instance, we often find networks where Windows hosts still negotiate LAN Manager (LM) authentication, whose hashes and challenge responses are trivially cracked offline. Windows Vista and Windows Server 2008 stopped storing LM hashes and sending LM responses by default, yet the insecure protocol is still in use on many networks. We also often find weak encryption settings being employed. Whether it is deprecated SSL/TLS versions such as SSLv3 still enabled or weak cipher suites (RC4, export-grade ciphers) still offered, these weaknesses are well documented, and their use has been discouraged for years.
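The two Windows examples above are both registry settings, so a review of an exported registry is enough to find them. The following is an added example, not code from CDW or the original article: it parses `reg query`-style output for the LSA authentication values (LmCompatibilityLevel, where 0 to 2 send LM/NTLMv1 and 3 has been the default since Vista/Server 2008; NoLMHash, default 1 since the same releases) and for explicitly configured SCHANNEL protocol keys, and turns them into findings. The sample output embedded in the block is constructed for the example; a production check would also resolve absent keys to the defaults of the specific Windows version.

```python
"""Flag legacy Windows authentication and SCHANNEL settings in `reg query` output.

Added example, not code from the original article. The registry paths and
value meanings are the documented Windows ones; the sample output below is
constructed for the example and does not come from a real host.
"""
import re
from dataclasses import dataclass

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
SCHANNEL_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                r"\SecurityProviders\SCHANNEL\Protocols")
# Protocol versions that should not be negotiable on a current network.
LEGACY_PROTOCOLS = ("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1")

# Constructed sample in the layout `reg query <key>` prints: the key path on
# its own line, then "<name>  REG_DWORD  0x<hex>" lines indented beneath it.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x1
    NoLMHash    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
    Enabled    REG_DWORD    0x1
    DisabledByDefault    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
    Enabled    REG_DWORD    0x1
    DisabledByDefault    REG_DWORD    0x0
"""


@dataclass
class Finding:
    severity: str
    setting: str
    detail: str


def parse_reg_query(text):
    """Return {(key_path, value_name): int} for the REG_DWORD values in `reg query` output."""
    values, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: a new key path
            key = line.strip()
            continue
        m = re.match(r"\s+(\S+)\s+(REG_\w+)\s+(\S+)", line)
        if m and key and m.group(2) == "REG_DWORD":
            values[(key, m.group(1))] = int(m.group(3), 16)
    return values


def audit(values):
    """Map the parsed values to findings; absent keys mean the OS default applies."""
    findings = []
    lm = values.get((LSA_KEY, "LmCompatibilityLevel"))
    if lm is not None and lm < 3:
        # Levels 0-2 send LM and/or NTLMv1 responses, which crack offline quickly.
        findings.append(Finding("high", "LmCompatibilityLevel",
                                f"level {lm}: host sends LM/NTLMv1 responses"))
    elif lm is not None and lm < 5:
        # Levels 3-4 send NTLMv2 but, acting as a server, still accept weaker responses.
        weaker = "NTLMv1" if lm == 4 else "LM/NTLMv1"
        findings.append(Finding("medium", "LmCompatibilityLevel",
                                f"level {lm}: as a server still accepts {weaker} responses"))
    if values.get((LSA_KEY, "NoLMHash")) == 0:
        findings.append(Finding("high", "NoLMHash",
                                "0: LM hash is stored at the next password change"))
    for proto in LEGACY_PROTOCOLS:
        for side in ("Server", "Client"):
            key = f"{SCHANNEL_KEY}\\{proto}\\{side}"
            enabled = values.get((key, "Enabled"))
            by_default = values.get((key, "DisabledByDefault"))
            if enabled is None and by_default is None:
                continue                   # not set explicitly: needs a version-aware default lookup
            if enabled != 0 or by_default == 0:
                findings.append(Finding("medium", f"SCHANNEL {proto} {side}",
                                        f"Enabled={enabled} DisabledByDefault={by_default}: still negotiable"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"[{f.severity}] {f.setting}: {f.detail}")
```

Run against the constructed sample, the block reports three findings: the host sends LM/NTLMv1 responses, it will store LM hashes, and SSL 3.0 is explicitly enabled on the server side; TLS 1.2 is not a legacy version and is left alone. Setting `Enabled` to 0 is sufficient to disable a protocol, which is why `Enabled=0` with `DisabledByDefault` absent produces no finding.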
New Technologies, Old Problems
One might expect that as newer IT capabilities are released, these types of issues would decrease. However, looking at recent high-profile breaches (Lion Air, Capital One and former Facebook contractor Cultura Colectiva), we see a common thread. Companies moving their data to the cloud are failing to configure their cloud storage according to the secure best practices recommended by the cloud providers themselves. Despite stories of cybercriminals with insider knowledge of cloud technologies perpetrating these breaches, a brief analysis of each shows that the techniques used did not require proprietary understanding of the platforms. Instead, simple security misconfigurations in settings the customer controls, such as the access controls on storage buckets and the permissions granted to the roles that reach them, made accessing and exposing the data easy.
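The storage misconfigurations described above are detectable from the bucket's own settings. The following is an added example, not code from CDW or the original article, and it assumes the storage is AWS S3 (the article does not name a provider): it inspects a bucket ACL, a bucket policy and the Block Public Access configuration in the shapes boto3 returns from `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block`, and reports which public grants are actually effective. The sample ACL, policy and bucket name are constructed for the example. The point it illustrates is the article's own: Block Public Access is a provider-supplied countermeasure that neutralises both exposures when it is simply turned on.

```python
"""Check an S3 bucket for public exposure through its ACL, its bucket policy
and the Block Public Access settings.

Added example, not code from the original article. The input dicts have the
shape boto3 returns from get_bucket_acl, get_bucket_policy (the "Policy" JSON
string) and get_public_access_block; all sample values are constructed.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def public_acl_grants(acl):
    """Grants to the two predefined public groups in a GetBucketAcl response."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and audience:
            hits.append(f"ACL grants {grant['Permission']} to {audience}")
    return hits


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """Allow statements with a wildcard principal in a bucket policy document."""
    hits = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # A Condition (aws:SourceIp, aws:SourceVpce, ...) may narrow "*"; flag it for
        # review instead of trusting it, since conditions are easy to get wrong.
        scope = "conditional, review Condition" if stmt.get("Condition") else "unconditional"
        hits.append(f"policy {stmt.get('Sid', '<no Sid>')} allows {', '.join(actions)} to * ({scope})")
    return hits


def assess_bucket(acl, policy_json, public_access_block):
    """Return configured exposures and the subset that survives Block Public Access."""
    pab = public_access_block or {}
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy_json) if policy_json else []
    effective = []
    if not pab.get("IgnorePublicAcls"):       # when set, S3 ignores public ACL grants entirely
        effective += acl_hits
    if not pab.get("RestrictPublicBuckets"):  # when set, a public policy only admits the account's own principals
        effective += policy_hits
    return {"configured": acl_hits + policy_hits, "effective": effective, "exposed": bool(effective)}


# Constructed sample: world-readable ACL plus an unconditional public GetObject policy.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
NO_BLOCK = {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls",
                               "BlockPublicPolicy", "RestrictPublicBuckets")}
FULL_BLOCK = {k: True for k in NO_BLOCK}

if __name__ == "__main__":
    for label, pab in (("Block Public Access off", NO_BLOCK), ("Block Public Access on", FULL_BLOCK)):
        print(label, assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, pab))
```

With Block Public Access off, both the ACL grant and the policy statement are effective and the bucket is reported as exposed; with all four Block Public Access flags on, the same two misconfigurations are still present in the bucket but no longer reachable, which is the remediation a review should recommend first.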
While it may be tempting to believe that these types of issues will diminish as new technologies become commonplace, the data suggests otherwise. Analyzing the same vulnerability data from our penetration tests over the last three years, a telling trend emerges. Plotting the percentage of vulnerabilities classified as configuration management issues in each quarter shows very little variation; a linear trend line fitted to the 12 quarters is essentially flat at about 40%.
Figure 1. Percent of vulnerabilities identified each quarter classified as configuration management issues
Addressing Threats with Strategy and Tactics
Digital transformation across all markets has fostered an increasingly dynamic and perhaps complex technology landscape. As new technologies emerge and grow in use, it is critical for organizations to be methodical in how they choose to leverage these new technologies. Expertise in emerging technology is often in high demand and short supply, making it hard for IT staff to stay informed of how to securely deploy these technologies in the environment.
However, as the data shows us, it is not just new technologies that are the issue. Well-known and documented insecure configurations continue to find their way into our IT environments. Sometimes the cause is out-of-date solutions still in service; sometimes it is the lack of secure system deployment standards, such as hardened build baselines; and sometimes it comes down to over-utilized IT staff who simply cannot keep up with the pace of change in the environment.
Regardless of the cause, it is important that organizations take the matter seriously and, if necessary, seek out the assistance of outside experts. Working with consultants, such as CDW’s Security Advisory services, to develop an effective strategy for securely deploying technology is crucial. Leveraging penetration testing assistance, available from CDW’s Information Security practice, is a key tactical step to identify where insecure configurations slip through the cracks and remediate them before they’re exploited by adversaries. Ongoing diligence and creating an environment of continuous improvement remains the most effective way to thwart security threats.