InfoSec Insider

Top 5 Configuration Mistakes That Create Field Days for Hackers

Having appropriate security configurations requires your applications, servers and databases to be hardened in accordance with best practices.

Sometimes it’s the little things that lead to big consequences. When it comes to cybersecurity, hacks more often than not stem from minor missteps – or even completely preventable, obvious mistakes.

Common security mistakes and overlooked misconfigurations can open the door for attackers to drop malware or exfiltrate data – or even sabotage operations. Avoid the following top five configuration gaffes to reduce the threat exposure to your organization.

It almost seems too obvious to include here, but leaving default usernames and passwords unconfigured for databases, installations and devices is, by far, one of the most common and easy mistakes to make. It’s also easy for a hacker to exploit: Leaving default credentials on network devices such as firewalls and routers, or even on operating systems, allows adversaries to simply use password-checking scanners to walk right into the network.

In more skilled setups, hackers can simply stage a series of scripted attacks geared at brute-forcing devices by automatically trying various combinations of usernames and passwords again and again until one works; these usually focus on either default usernames and passwords, or basic passwords like “QWERTY” or “12345.”

Attackers are getting savvier too. Researchers early last month uncovered a Python-based web scanner, Xwo, that can easily scan the web for exposed web services and default passwords. After collecting default MySQL, MongoDB, Postgre SQL and Tomcat credentials, the scanner forwards the results back to a command-and-control server.

Bottom line: Even a 12-year-old with some internet access at home could carry out a major breach, just by using one of these freely available tools on the internet to check for default credentials.

Having strong and complex passwords isn’t the only action that needs to be taken when securing your environment. Oftentimes, I see environments that leverage the same user account and password across every device in a fleet of endpoints. Sure, to an IT administrator this may be convenient, but it’s not necessary, and can grant an attacker the ability to pivot across every machine from just a single compromise of one of those computers.

From there, attackers can leverage credential dumping programs to get their hands on the passwords, or even the hashes themselves, and then – it’s open season. Avoid password reuse at all costs and disable any accounts that are not required.

Any external-facing device that’s connected to the internet should have layers upon layers of protection to combat attempts to gain access from simple methods like a brute-force attack. Services like Remote Desktop Protocol (RDP), a proprietary protocol developed by Microsoft, can provide administrators an interface to control computers remotely. Increasingly though, cybercriminals have taken to leveraging this exposed protocol when it’s not configured properly.

While this attack vector has been popular for years, the FBI and the Department of Homeland Security issued a public-service announcement last fall encouraging businesses and private citizens to review and understand what type of access their networks allow, in order to minimize chances of a compromise. In particular, the FBI warned that ransomware like CrySiS and SamSam were increasingly targeting U.S. businesses through open RDP ports. This is happening both by brute-force and dictionary-style attacks, according to the alert; the latter is a technique for defeating an authentication mechanism by trying to determine a passphrase by trying hundreds or sometimes millions of likely possibilities, such as all the words in a dictionary.

Administrators should leverage a combination of strong/complex passwords, firewalls and access control lists to reduce the likelihood of a compromise.

This, like leaving default credentials on a server or system, may seem like another potential no-brainer: Keeping operating systems up to date and patched appropriately can prove significantly effective at preventing a breach.

There are numerous exploits and vulnerabilities found daily, and while it can be difficult to keep up, it can be game over if administrators aren’t properly maintaining their patch levels.

Ironically, in the breaches I’ve worked on where the attacker’s gotten in via a vulnerability, a majority of them have been bugs that are ridiculously old. There’s hype around detecting and preventing zero days, but the most common vulnerabilities that are exploited can be classified as digital fossils. It shouldn’t come as a surprise: attackers will continue exploiting old bugs as long as they’re effective.

Disabled logging doesn’t necessarily allow an attacker to get into a system, but it does allow them to act like a ghost while they’re in there. Once in, hackers can move laterally through a network in search of data or assets to exfiltrate. Without logging, they can do all this while leaving zero tracks behind.

This creates a true needle-in-a-haystack scenario for incident responders and forensic analysts, and makes their job that much harder when trying to reconstruct what may have happened during an incident or intrusion.

Enabling logging and having it sent to a centralized location, like a security information and event management (SIEM) platform, is highly recommended. That data will provide the breadcrumbs needed by forensic analysts during an incident response investigation to reconstruct the attack and scope the intrusion. Additionally, it can prove highly useful when it comes to responding to threats that may have triggered an alert from an event in the collection of said logs.

Having appropriate security configurations requires your applications, servers and databases to be hardened in accordance with best practices. Leaving these devices or platforms in a default or vulnerable state only makes the job of an attacker that much easier.

Hackers look for low-hanging fruit. It may not happen right away, but they’ll discover these misconfigurations at some point, gain unauthorized access – and depending on their intent – steal sensitive data or cause damage. Avoid becoming an easy target and follow these precautionary steps to protect yourself and your data.

(Tim Bandos is vice president of cybersecurity at Digital Guardian.)


Suggested articles