Misconfigurations are a major source of cyber vulnerabilities. Where are they most prevalent and what can be done to address them?

Richard Pallardy, Freelance Writer

May 4, 2023


Misconfigurations are a growing cybersecurity concern. The prevalence of this issue varies according to the source -- and the resulting catastrophes. Some attribute up to 80% of ransomware attacks to configuration errors. Ransomware attacks are among the most prevalent forms of cyber risk.

And a 2020 Ermetic survey found that some 67% of cloud breaches were due to misconfiguration. Yet a recent report by Tenable suggests misconfigurations are to blame for only 5% of data breaches. The company based its conclusions on 1,300 publicly available reports, but declined to share the data set.

These disparities are likely due to differing parameters and definitions. Ransomware attacks and data breaches are different, but overlapping, phenomena. And not all of them occur in the cloud. Still, the takeaway remains the same: Misconfigurations represent a significant risk to nearly every organization.

The solutions to this problem are unclear. Responsibility lies with both the developers of the products and their end users. InformationWeek recently discussed the problem with Scott Caveza, senior research manager at Tenable.

Proper Configuration Matters

NIST defines a misconfiguration as “an incorrect or suboptimal configuration of an information system or system component that may lead to vulnerabilities.”

These vulnerabilities have afflicted users of some of the world’s most prominent IT providers.

In 2019, a misconfiguration in the firewall of Amazon Web Services Inc.’s S3 cloud storage led to the theft of data from some 100 million Capital One credit card applicants. Capital One ultimately assumed the blame for the vulnerability. In August 2021, a misconfiguration in the settings of Microsoft’s Power Apps led to the exposure of some 38 million records.

Tenable’s report indicates that around 800 million records were exposed due to misconfiguration in 2022 alone.

“That could be usernames, passwords, personal identifiable information (PII),” Caveza says. The data is patchy, though. “There are so few sources that will provide detailed information, including the affected parties themselves,” he notes.

These errors, wherever and however they occur, are hugely consequential to consumers, who in most cases are likely unaware that their data passes through these flawed systems.

The Cost of Configuration Missteps

“Misconfigurations are most evident in cloud environments,” Caveza claims. “The technology behind migrating data to cloud environments is still new and emerging. Despite Amazon Web Services and all the others having really great, detailed information about how to configure and secure these things, some of those steps are not being taken.”

Misconfigurations are almost certainly the most common vulnerability in cloud environments. A 2020 National Security Agency report emphasizes this finding.

It stated: “While CSPs often provide tools to help manage cloud configuration, misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services. Often arising from cloud service policy mistakes or misunderstanding shared responsibility, misconfiguration has an impact that varies from denial of service susceptibility to account compromise.”

Misconfigurations occur in applications, browsers, networks, operating systems, and servers as well.

Why Misconfigurations Occur

As the NSA observes, it is difficult to pinpoint the blame for these misconfigurations. While sometimes they are inherent to the product, in many cases, the user bears the bulk of the responsibility. Assuming that these systems are plug-and-play, organizations often ignore the security configuration recommendations that accompany their purchase. Every environment has different security requirements and retaining default settings often creates vulnerabilities.

“[These companies] are trying to make something very open and accessible. They put the onus on the customer to choose what configuration settings are going to be best for them,” Caveza relates.

“No one's taking the time to review the resources and model them and figure out what design and what configurations and what security settings are going to best fit their use case,” he adds. “When someone gets a new car, do they read the manual? No. You just get in and go. That’s the same situation we see here. We’re not taking the time to go through and determine what it is we need to change in the defaults and what risk the defaults present.”

Tenable’s report indicates that human error is likely the most significant problem. Organizations fail to adequately examine their containers and deployment scripts, leaving themselves vulnerable to attack. Configurations are altered during testing procedures and the alterations are not reverted to their optimal settings. And new equipment is not appropriately calibrated to the organization’s security requirements.

How to Prevent Misconfigurations

Many misconfiguration errors are preventable through very simple procedural and organizational adjustments.

“You have to design from the bottom up and look at it on a very holistic level,” Caveza suggests. “I think organizations are saying, ‘Let's just start using it today,’ instead of taking a step back and asking, ‘What are we trying to do with this service? What kind of data is going to be there? How are we going to make sure that it's not accessible to everyone on the internet, everyone in our organization?’”

Before migrating sensitive data to these platforms, organizations need to take a hard look at the configuration tools they offer and how they need to optimize for protection. Ideally, they should aim to develop a set of internal standards that are applied to all services. And if those standards conflict with the capabilities of a potential service, they should consider other options.
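The advice above (retained defaults create vulnerabilities, test-time changes are never reverted, and a single set of internal standards should be applied to every service) is easiest to operationalize as a baseline-versus-actual audit. The script below is an added illustration, not code from the article or from Tenable: it defines a small internal standard for two hypothetical resource types, a storage bucket and a container workload, and checks a constructed inventory against it. The setting names, severities and sample resources are invented for the example; a real deployment would map them to the platform's own configuration keys and feed in data exported from the cloud account or deployment scripts. A setting that is absent from a resource is deliberately treated as a finding, so a default nobody reviewed cannot pass silently.

```python
"""Baseline-vs-actual configuration audit (added example, not from the article).

Models the article's advice: define internal standards once, then check every
service against them instead of trusting vendor defaults. The resource types,
setting keys and sample values are constructed for illustration and are not
any vendor's real API.
"""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Finding:
    service: str
    setting: str
    expected: Any
    actual: Any
    severity: str


# Internal standard: required value per setting, plus a severity for deviations.
# Keys are hypothetical; map them to your platform's real settings.
BASELINE = {
    "storage": {
        "block_public_access": (True, "critical"),
        "encryption_at_rest": (True, "high"),
        "access_logging": (True, "medium"),
    },
    "container": {
        "privileged": (False, "critical"),
        "run_as_root": (False, "high"),
        "read_only_root_fs": (True, "low"),
    },
}

# Constructed inventory standing in for what a cloud account or deployment
# script actually contains. A missing key models a setting nobody reviewed,
# i.e. a vendor default that was left in place.
INVENTORY = [
    {"name": "customer-uploads", "type": "storage",
     "settings": {"block_public_access": False, "encryption_at_rest": True}},
    {"name": "billing-archive", "type": "storage",
     "settings": {"block_public_access": True, "encryption_at_rest": True,
                  "access_logging": True}},
    {"name": "api-worker", "type": "container",
     "settings": {"privileged": True, "run_as_root": True,
                  "read_only_root_fs": True}},
]


def audit_resource(resource: dict, baseline: dict = BASELINE) -> list[Finding]:
    """Compare one resource against the standard for its type.

    A setting absent from the resource is read as None, so it never equals the
    expected value and surfaces as a finding rather than passing by default.
    """
    standard = baseline.get(resource["type"], {})
    findings = []
    for setting, (expected, severity) in standard.items():
        actual = resource.get("settings", {}).get(setting)
        if actual != expected:
            findings.append(Finding(resource["name"], setting, expected, actual, severity))
    return findings


def audit_inventory(inventory: list, baseline: dict = BASELINE) -> list[Finding]:
    """Audit every resource and return all findings, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = [f for r in inventory for f in audit_resource(r, baseline)]
    return sorted(findings, key=lambda f: (order[f.severity], f.service, f.setting))


def main() -> None:
    for f in audit_inventory(INVENTORY):
        print(f"[{f.severity}] {f.service}: {f.setting} "
              f"expected {f.expected!r}, found {f.actual!r}")


if __name__ == "__main__":
    main()
```

Run as-is, the audit reports four deviations: the public bucket and the privileged container as critical, the root-running container as high, and the bucket whose logging setting was never set as medium; the resource that matches the standard produces nothing. Running the same check on every commit to deployment scripts, and again after test environments are torn down, is what catches the unreverted test-time changes the report describes.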

External standards can offer useful guidance. The Payment Card Industry Data Security Standard (PCI-DSS) provides useful principles to ensure systems are properly configured to protect credit card data, for example.

“It's a learning curve,” says Caveza. “There are so many resources out there, including from the vendors themselves, on best practices.”


About the Author(s)

Richard Pallardy

Freelance Writer

Richard Pallardy is a freelance writer based in Chicago. He has written for such publications as Vice, Discover, Science Magazine, and the Encyclopedia Britannica.
