Napoleon would have made a great hacker. Now the subject of a historical action thriller, the Emperor once allegedly said, "Never interfere with the enemy while he is in the process of making a mistake." So it goes in cybersecurity, as well. Some of the worst data breaches occur because of simple mistakes in configuration. These errors can be particularly problematic in SaaS environments, where every user can choose their security configurations--- potentially leading to a wide range of unintended vulnerabilities.
SaaS misconfigurations could be responsible for up to 63% of security incidents. People you don't control or even know about are making decisions (or forgetting to) about configurations that protect your most sensitive data. Securing your SaaS applications should be on top of any business's priority list, especially as cloud and SaaS become increasingly prevalent.
What is a Security Misconfiguration?
Security misconfigurations can be a source of SaaS security risks in two distinct ways. The first involves functional settings that affect security. For example, a SaaS-based storage service's default settings might enable anyone worldwide to access its store files. The second is specifically related to security settings. A security tool might have several configuration possibilities, allowing you to choose whether or not to, for instance, encrypt data or mandate multi-factor authentication. Each of these has implications for your security posture.
It's important to underscore that security misconfigurations can occur due to mistakes, negligence, or deficient policies, so human rather than technical factors. Suppose more than one department can set up SaaS security settings on the same SaaS app, for example. That's inviting a misconfiguration vulnerability---especially if no one can monitor the security settings across the organization.
Specifics will vary depending on each company, but most security misconfigurations arise from settings for data protection, encryption, user identity and authentication, and administrative privileges.
The Capital One incident in 2019 is arguably the most notorious misconfiguration data breach. In that case, a hacker exploited a misconfigured cloud firewall, assigned themselves AWS S3 bucket permissions, and exfiltrated over 100,000,000 customer credit applications. Numerous comparable episodes have occurred since then, leading to data breaches, penetration of networks, and phishing attacks.
5 Most Common Security Misconfiguration Vulnerabilities and Their Mitigation
1. Misconfigured Access Controls
The question of "who can access what?" is the core of many security controls. When access controls are not configured securely, organizations face significant risk exposure, opening doors for malicious actors to compromise identities and view, damage, or exfiltrate data.
Examples of misconfigured access controls include the use of default passwords, abandoned accounts, and out-of-date administrative access permissions. Alternatively, not requiring MFA can let hackers exploit "password spraying" attacks to gain entry into systems -- precisely what happened with the infamous attack on Citrix's IMAP-based cloud email server.
To detect misconfigured access controls, you can use an automated system that scans for IAM weaknesses, such as unused accounts and default password settings. For SaaS, solutions like Suridata's SaaS security posture management (SSPM) can monitor access control configurations across multiple SaaS apps. This is essential today because most companies depend on hundreds of SaaS apps.
2. Third-Party Configuration Risks/Unsecured APIs
Staying on top of secure configurations for a single application is challenging. But things get more complicated when you start connecting applications and growing your number of third-party configurations. Consider what happens when integrating two or more SaaS apps using external plugins. For example, you can link your customer relationship management (CRM) system with your email and SaaS-based file storage solution to improve productivity. However, each of these plugins has to be configured for security, and in many cases, this simply isn't possible.
The decisions about security settings may be up to end users who have no idea how to set up secure configurations. Or, the plug-in itself could also be no longer supported by the vendor and grow increasingly insecure over time---but you may not realize this until it's too late.
A related insecure configuration risk arises with application programming interfaces (APIs) integrating applications and data sources. While APIs enable streamlined, low-cost integration that's a boon to productivity and agility, they can also expose your organization to risk.
API configuration errors at the Texas Department of Insurance led to an information breach on nearly 2 million Texans in 2022. The data included birth dates, addresses, phone numbers, and Social Security numbers. The attack occurred because a web application was configured with an authorization flaw, resulting in a broken function level authorization (BFLA) attack on an API. In this kind of attack, the hacker sends a query to an API endpoint that should not, in theory, respond to it---but does, leaking sensitive information in the process.
API security platforms can help mitigate these types of risks. They can automatically scan applications and flag vulnerable APIs.
3. Default Configurations
The process of installing software requires choosing various security settings. However, default security configurations often remain in place if alternatives are not selected, which can lead to risk exposure. For example, the default settings might allow you to keep weak passwords or specific firewall ports open, and neither is great for security.
If the software in question is a single, centralized application installed and managed on-premises by the IT department, the chance of an insecure default configuration is lower. With cloud and SaaS, things get more complicated, as IT and security teams often lack visibility into the state of default settings. Manual auditing processes and employee training are helpful up to a point. However, it's best to use an automated solution that scans and flags insecure default settings to mitigate risk properly.
4. Insecure Data Storage Configurations
Data is vulnerable both when it's moving and when it's at rest. The security configurations of data storage are, therefore, critical to data security. Access controls matter, but encryption is arguably the most important countermeasure. However, encryption depends on configuration, and storage managers often get it wrong.
Even the US Army's Intelligence and Security Command unintentionally allowed a sensitive database---including top secret files---to be stored on Amazon S3 without configuring the cloud storage array for adequate user authentication.
Encryption is relatively easy to manage when an organization employs a few on-premises storage solutions. However, moving data into the cloud gets much more challenging, as employees can set up cloud storage using SaaS storage solutions without informing the IT department or security team.
Suridata can scan the entire SaaS environment to detect the location of data and its associated security configurations. The SSPM platform can flag data at risk and notify admins to fix the problem before a breach occurs.
5. Improperly Configured File and Directory Permissions
Hackers can sometimes guess file and directory names, in which case they can gather system information to orchestrate attacks. They might discover and download your compiled code, for example, and reverse engineer them to reveal your source code. This is, in part, a configuration issue. You can configure directory servers with strict control over access permissions and make it impossible to use easy-to-guess files and directory names.
Getting Secure with Your Configurations
As we've seen, many types of security misconfigurations can expose your organization to cyber risk. Even the more innocent vulnerabilities can lead to serious security breaches -- all it takes is a hacker to exploit a small mistake with default settings, a weak password, or a forgotten open port. SaaS environments are especially vulnerable to such vulnerabilities as the complexity of hundreds of integrations makes for poor visibility and a lack of control over your system.
Mitigation is possible with the right technology. Platforms like Suridata combine powerful SSPM with SSDR capabilities, helping you monitor your SaaS apps and quickly remediate vulnerabilities as they arise. Suridata scans vulnerabilities automatically and provides you with detailed findings, their priority based on risk level, and automated remediation guidance. Get a demo to learn more.
Top comments (0)