Security misconfigurations of key application stack components such as the operating system, the web server and the application server are all potential gateways to attacks. Unfortunately for us, most security configuration vulnerabilities are not rocket science — they’re out there for everybody to learn and use (or misuse) them. Security Misconfiguration is also a way for privileged insiders to hide their malicious activity against their firm’s systems. Usually a security misconfiguration will compromise just some part of the system, but don’t be surprised if the hacker completely compromises your entire system through one misconfigured system parameter.
The way to prevent attacks due to misconfigured systems is straightforward: follow well known best practices in system configuration, including doing the following:
1. Keep an inventory of all of your software and keep them up to date by patching them as soon as the patches are available.
2. Disable all unnecessary ports, services, accounts and privileges.
3. Make sure that the security settings in your development framework such as Spring and ASP.NET are well understood by the developers.
4. Make sure that error stacks from applications don’t reveal sensitive information to users.
5. Ideally, you must keep the development, testing, staging and production environments as similarly configured as possible, so you minimize the work involved in setting up a secure production environment.
6. Run periodical security scans and perform through internal audits to ensure that you catch misconfigured systems or systems with missing security patches.
7. Don’t overlook the security of code libraries, as these are just as vulnerable to attacks as system software.
8. Keep a strong separation between components to keep a misconfigured system from compromising the entire enterprise.