Understanding What Server Misconfiguration Is
Security misconfiguration is a common issue in organizations. It occurs when a server or web application is not configured correctly, leaving weaknesses that attackers can spot and exploit in what are known as server misconfiguration attacks.
Organizational network infrastructure is constantly being altered and updated for various reasons, such as configuration changes, and sometimes this leaves components exposed or security controls unconfigured. When this happens, businesses become susceptible to data breaches and leaks that can cause large-scale damage, such as StoreHub’s recent data leak in Malaysia.
According to Statista, 18 million data breaches were recorded globally in the first quarter of 2022, compared to 192 million in the first quarter of the previous year. The 2022 Thales Data Threat Report stated that 45% of companies had suffered a data breach in 2021, excluding breaches that went undetected. The United States was also the country with the highest number of data breaches in the world, with the 2021 Identity Theft Resource Center Data Breach Report finding 1,862 data breaches that year.
Globally, the statistics on data breaches remain at an all-time high, with nearly every industry reporting cases. In 2021, IBM recorded that the average cost of a data breach had risen from USD 3.86 million to USD 4.24 million, the highest average in seventeen years. So, how can organizations improve their understanding of server misconfigurations in order to better protect their servers and avoid becoming victims of server misconfiguration attacks? What precautions can be taken?
StoreHub Experiences One Million Customers' Data Leak
In January 2022, a data leak in a StoreHub server was discovered by Safety Detectives, a team of cyber security experts and security product reviewers. Safety Detectives reported the exposure after their researchers detected it and immediately sought to bring it to StoreHub’s attention. According to their report, the server had no encryption or password protection, exposing the data of over one million StoreHub users. The data belonged to customers as well as clients, including restaurants, retail stores and their respective staff, and contained information such as employee names and work hours. StoreHub is a point-of-sale technology company that hosts a platform providing a wide range of online services to businesses by linking them with their consumers. The services include sales, invoicing, delivery tracking, and other automated services that retailers can use to run their businesses online. This means the data also included customers’ personal information such as names, contact details, purchase information, addresses, payment information (masked credit card details), and more. The leak amounted to over 1TB of data.
Although the leak was discovered on January 12th, 2022, the server was said to have been exposed since late November 2021 and had remained undetected. After failing to reach StoreHub, Safety Detectives contacted the Malaysian CERT and the server host, AWS, both of whom responded immediately, and the server was secured by February 2nd. StoreHub released a statement denying that any time had passed between the discovery of the misconfiguration and its resolution, saying that it resolved the matter as soon as it became aware of it: “Upon being informed of the occurrence on Amazon Web Services (AWS) Elasticsearch instance, StoreHub took immediate action to patch and rectify the vulnerability within 24 hours.” The company also denied that any sensitive financial data or passwords had been compromised, and promised that it was working with a security company to verify and prevent future vulnerabilities. Nonetheless, the incident is a clear example of how long misconfigurations can go undetected; organizations can only hope that attackers don’t discover them first.
Malaysia is no stranger to data breaches: it was recently alleged that the data of 22.5 million Malaysians had been leaked from the National Registration Department. While the government reassured the public that the situation was under control, the leaked information included ID information (national identity numbers, full names, genders, dates of birth), addresses, and ID photographs, information that could be used to commit identity fraud.
Data leaks are rife across Southeast Asia, with Surfshark citing large increases in the number of data breaches in Hong Kong and Taiwan in February 2022. The number of breaches in Hong Kong rose by 946% while those in Taiwan were up by 295%. Indonesia placed eighth globally in the list of countries most affected by data breaches in the first quarter of 2022.
Security Misconfiguration and Issues Caused by a Compromised Server
The impact of security misconfiguration can range from negligible to severe. Common effects include:
- Exposure of sensitive information: This does not necessarily occur as a result of an attack. Information is sometimes simply left unprotected, which exposes it to anyone who comes across the server, malicious or not. The exposed information can range from personal information, such as contact and identity details, to financial data.
- Infected servers: Attackers are constantly looking for weaknesses to exploit, and a server misconfiguration is exactly that. By injecting code into a misconfigured server, attackers can access information without being detected, or disrupt communication channels across the server. They can take control of authorized functions, allowing them to manipulate the business and jeopardize lines of operation.
- Unauthorized application access: A misconfigured application can give attackers access without any active attack, granting them permissions that were already authorized and allowing them to reverse-engineer the application and modify its code.
- Direct or indirect financial repercussions
Common Causes of Security Misconfiguration
As mentioned before, security misconfiguration can result from several occurrences; however, they all stem from human error. Some of the common causes include:
- Unnecessary features that have not been removed or disabled
- Default accounts and passwords that are still being used
- Error messages revealing too much information
- Old software versions or missed updates
- Upgraded systems that are not properly configured
- Unprotected files & directories that are out in the open
- No proper security audits
- Organizations that have not taken expert consultation and therefore lack sufficient protection or expertise
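As an added example, not from the article, here is a small Python audit that checks a flattened server configuration for several of the causes listed above: an unauthenticated service bound to every interface (as in the StoreHub Elasticsearch case), verbose error output, directory listing, and default credentials. The configuration keys, the sample values and the hardened counterpart are assumptions constructed for the demo.

```python
# Added example: audits a config for the causes above; keys and values are assumptions.

# Constructed sample in Elasticsearch style plus app settings (not a real server).
WEAK_CONFIG = """
network.host: 0.0.0.0
xpack.security.enabled: false
app.debug: true
app.directory_listing: on
app.admin_password: admin
"""
# The same service with each weak setting corrected.
HARDENED_CONFIG = """
network.host: 127.0.0.1
xpack.security.enabled: true
app.debug: false
app.directory_listing: off
app.admin_password: k7$Qz9!pLm2@vR
"""

DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456"}
ALL_INTERFACES = {"0.0.0.0", "::", "_global_"}

def parse_config(text):
    """Parse simple 'key: value' lines into a dict; blanks and comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg):
    """Return (cause, detail) findings; an empty list means nothing was flagged."""
    findings = []
    # Unauthenticated service reachable on every interface: the StoreHub pattern.
    if cfg.get("network.host") in ALL_INTERFACES and cfg.get("xpack.security.enabled", "false").lower() == "false":
        findings.append(("unprotected service", "bound to all interfaces with security disabled"))
    if cfg.get("app.debug", "").lower() == "true":  # error messages revealing too much
        findings.append(("verbose errors", "debug mode enabled"))
    if cfg.get("app.directory_listing", "").lower() in {"on", "true"}:  # unprotected directories
        findings.append(("exposed directories", "directory listing enabled"))
    if cfg.get("app.admin_password", "") in DEFAULT_PASSWORDS:  # default accounts and passwords
        findings.append(("default credentials", "admin password is a well-known default"))
    return findings

def audit_text(text):
    """Convenience wrapper: parse a config text, then audit it."""
    return audit(parse_config(text))
```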
Recent Security Incidents due to Misconfigured Server
StoreHub’s data leak is only one of hundreds of thousands that occur globally every year. In many cases, even when companies publicize their data leaks, it can be difficult to know immediately how much data has been exposed and to what extent it has been compromised. Furthermore, as we saw above, undetected misconfigurations bring to the surface the potential for breaches to come. This is particularly common in organizations whose cyber security lacks automated and powerful assessment and detection functions such as Sangfor Cyber Command, which scans for vulnerabilities that could be exploited in attacks. The 2021 Verizon Data Breach Report found that miscellaneous errors were responsible for almost 20% of all data breaches, with misconfigurations making up more than half of those errors. A Gartner survey found that misconfigurations cause 80% of all data security breaches. One large-scale incident in 2019 was the exposure of NASA employee and project data as a result of an authorization misconfiguration in JIRA, which caused the information to be published publicly instead of being sent to the corresponding people within the organization. In June 2021, a misconfigured S3 bucket belonging to the Turkish beauty brand Cosmolog Kozmetik exposed thousands of Excel spreadsheets containing the details of nearly half a million individuals, and Comparitech security researchers discovered over 50,000 patient records on two publicly accessible AWS S3 buckets in 2021. The S3 buckets were said to have had no password protection or authentication, leaving them exposed.
In Rapid7’s 2022 Cloud Misconfigurations Report, Information, Healthcare, and Public Administration were the three most targeted sectors, because these industries handle such copious amounts of personal information. Attackers see data as an asset that can be used in many ways, including ransomware and direct monetary gain. “We know that a variety of industries are being targeted, with a particular focus on organizations that store highly sensitive information,” writes Jacob Rundy. However, no industry has been spared, with Educational Services, Transportation, and even Arts and Entertainment all making the list.
How to Prevent Server Security Misconfiguration
Misconfigured servers are a very common problem in cyber security because IT managers and backend developers are often unaware of the security breaches they can lead to. Misconfigurations are easy to overlook and arise from human error, sometimes from negligence by the organization’s own IT professionals. Since human error is inevitable, awareness is the first step towards patching up security misconfigurations. This means two things:
- Implementing procedures that encourage employees to keep track of their actions on servers, so they can retrace their steps and confirm they have followed protocol, avoiding misconfigurations as far as possible, and
- Conducting risk assessments regularly to detect any gaps that may have been overlooked.
Through risk assessments, organizations are able to diagnose and determine the issue as well as its source. Guardicore’s Guide to Understanding and Avoiding Security Misconfiguration lists an action plan that prioritizes the following steps:
- Diagnosing and determining the issue: To solve a server misconfiguration, you must know exactly what its source is. Once you can trace it, you can take the steps needed to configure the server or application correctly.
- Learning about application behavior to mitigate the risk of misconfiguration: With complete visibility of your organization’s servers and applications, you gain a better understanding of what their standard behavior looks like, and you can trace and remove any behavior that is foreign or unwanted.
- Deploying visibility and smart policy: This involves identifying your organization’s most business-critical and sensitive data and prioritizing its security. It ensures that in the event of a breach or fault, the risk is known and limited, and responses can be assigned in order of importance.
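The second step above, knowing what standard behavior looks like so that foreign behavior can be traced, can be turned into a concrete check. This added example (not from the article or from Guardicore’s guide) compares the listening services in a constructed, ss-style snapshot against an approved per-host baseline and reports drift, so a data store that was only ever meant to listen on an internal address shows up the moment it is bound to all interfaces; host names, addresses and ports are assumptions.

```python
# Added example: baseline drift check for exposed services. Hosts, addresses,
# ports and the snapshot format are constructed assumptions, not real systems.

# Approved baseline: for each host, the (port, bind address) pairs that should exist.
BASELINE = {
    "pos-api-01": {(443, "0.0.0.0"), (22, "10.0.1.5")},
    "search-01": {(9200, "10.0.1.9"), (22, "10.0.1.9")},
}

# Constructed snapshot, one listener per line, hostname prepended to `ss -ltn` style
# fields: host STATE recv-q send-q local_addr:port peer_addr:port
SNAPSHOT = """\
pos-api-01 LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
pos-api-01 LISTEN 0 128 10.0.1.5:22 0.0.0.0:*
search-01 LISTEN 0 128 0.0.0.0:9200 0.0.0.0:*
search-01 LISTEN 0 128 10.0.1.9:22 0.0.0.0:*
search-01 LISTEN 0 128 0.0.0.0:5601 0.0.0.0:*
"""

def parse_snapshot(text):
    """Return {host: {(port, bind_addr)}} from snapshot lines; malformed lines are skipped."""
    observed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[1] != "LISTEN":
            continue
        host, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")  # rpartition keeps IPv6 addresses intact
        observed.setdefault(host, set()).add((int(port), addr))
    return observed

def find_drift(baseline, observed):
    """Return {host: {"unexpected": set, "missing": set}} for every host that differs."""
    drift = {}
    for host in set(baseline) | set(observed):
        expected = baseline.get(host, set())
        seen = observed.get(host, set())
        unexpected, missing = seen - expected, expected - seen
        if unexpected or missing:
            drift[host] = {"unexpected": unexpected, "missing": missing}
    return drift

def audit_snapshot(text, baseline=BASELINE):
    """Parse a snapshot and report drift against the baseline."""
    return find_drift(baseline, parse_snapshot(text))
```

A listener present in the snapshot but absent from the baseline is exactly the foreign behavior the step describes; a baseline entry that is missing is also flagged, since a service silently moving to another bind address is worth a look too.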
How to Avoid Security Misconfiguration with Proper Knowledge
There are many security solutions that can protect an organization against the impact of security misconfiguration, and a good strategy may combine several of them. Many companies do not have the internal expertise to fully staff IT or security teams that can implement the required measures all the way from detection to response. This calls for a simple but sophisticated detection, defense, and response platform that runs continuously and finds threats not only before they materialize, but also where you might not have thought to look. Sangfor XDDR is one such solution: it converges a range of Sangfor security products into one unified solution that goes beyond the standard Extended Detection and Response (XDR) platforms on the market.
Detecting threats should always be an organization’s first priority: you cannot mitigate a threat you do not know exists. Detection also opens room for risk management at any stage of the kill chain. Sangfor’s Continuous Threat Detection finds the root cause of a security misconfiguration so that the exposed area can be repaired or reconfigured, and where necessary it contains any infection that may be present.
If you or your organization is interested in consulting security professionals, contact Sangfor and we will put you in touch with one of our experts.