#HowTo Avoid Common Configuration Sins

For attackers, the ideal environments to attack are those that require as little effort as possible to breach. When those opportunities come from poorly configured or misconfigured systems, an environment and its data can be left completely vulnerable.

The dangers of default credentials
One of the most common, yet most obvious mistakes is to leave default usernames and passwords unconfigured for databases, installations, and devices. It’s such a basic issue that it can be likened to leaving keys in a locked door, and when it happens, default credentials are among the easiest configuration mistakes to exploit.

Password-checking scanners can allow attackers to access key network devices, such as firewalls and routers. Even operating systems can be left exposed by default credentials. Scripted brute-force attacks can also provide access to devices by focusing on either default usernames and passwords, or basic options such as "12345", "qwerty" or "password".

The process is also, to an extent, being automated. Researchers recently uncovered a Python-based web scanner named Xwo that can easily scan the web for exposed web services and default passwords. After collecting default MySQL, MongoDB, PostgreSQL, and Tomcat credentials, the scanner forwards the results to a command and control server for further action.

Delay software patching at your peril
This has been a basic security message pushed by technology providers and security specialists alike for years. They keep pushing it because it works: keeping operating systems up to date and patched can have a significant impact in preventing a breach.

Granted, it can be difficult to keep up with the pace of patching – things can change on a daily basis, and the challenge increases as environments become more complex. But if administrators aren’t properly maintaining patch levels, then they’re presiding over an accident waiting to happen.

Attackers will continue exploiting old bugs as long as they’re effective. While there is justifiable attention on detecting and preventing zero-day vulnerabilities, the most common vulnerabilities exploited are, by comparison, from the digital stone age.

Password reuse is also convenient for attackers
While strong and complex passwords are a prerequisite of a basic security strategy, even when they are in place, they are often used incorrectly. It’s far from unusual for environments to use the same user account and password across every device in a fleet of endpoints.

One of the main reasons this still happens is that it makes for convenient administration, but the huge downside is that it’s also convenient for attackers and can give them the ability to pivot across every machine, even if only one of them has been breached. From there, they can use credential dumping programs to reveal the passwords or even the hashes themselves, and then the problems really begin.

The vulnerability of remote desktop services and default ports
Any device that is externally facing and connected to the internet should be particularly well protected. Services like Remote Desktop Protocol (RDP), a proprietary protocol developed by Microsoft, can provide administrators with an interface to control computers remotely. But when it’s not configured properly, cyber-criminals will attempt to leverage it to try to access systems.

For example, ransomware such as CrySiS and SamSam has been used to target businesses through open RDP ports, both by brute-force and dictionary-style attacks. Administrators should employ a combination of strong, complex passwords, firewalls, and access control lists to reduce the likelihood of a compromise.

Turning off logging – the ghost in the machine
While disabling logging doesn’t necessarily allow an attacker access to a system, it does enable them to act unseen while they are there. When logging is turned off, attackers can move laterally through a network in search of data or assets to exploit, and do so without leaving a trace of their activity.

This makes the job of forensic analysts and incident responders much harder when they need to reconstruct what may have happened during an incident or intrusion. In contrast, enabling logging and having data sent to a centralized location, like a security information and event management (SIEM) platform, can be very beneficial. That data will provide the clues needed by forensic analysts during an investigation to reconstruct the attack and understand the scope of the intrusion.

Any devices or platforms left in a default or misconfigured state only make the job of an attacker that much easier.

While these vulnerabilities may not result in problems right away, attackers are likely to uncover them at some point and gain unauthorized access. Having appropriate security configurations in place that protect applications, servers, and databases can help businesses safeguard their data and make sure they avoid becoming an easy target.
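As an added example (not from the article or any vendor tool), the following Python audit flags each of the configuration sins discussed above from a fleet inventory export. The inventory records, host names, credential pairs and field names are constructed assumptions; a real audit would read them from an asset-management or configuration-management system.

```python
import hashlib
from collections import Counter
from datetime import date

# Constructed vendor-default pairs; a real audit would load the vendor's documented defaults.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("root", "12345"), ("admin", "password")]
MAX_PATCH_AGE_DAYS = 30
AUDIT_DATE = date(2019, 5, 1)  # constructed "today" so the example is reproducible


def fingerprint(user, password):
    """Unsalted SHA-256 of user:password, so defaults can be compared without storing plaintext."""
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()


DEFAULT_FINGERPRINTS = {fingerprint(u, p) for u, p in DEFAULT_CREDENTIALS}

# Constructed inventory export: admin credential fingerprint, patch date, RDP exposure, log forwarding.
INVENTORY = [
    {"host": "fw-edge-01", "admin_fp": fingerprint("admin", "admin"), "last_patched": date(2019, 3, 1),
     "rdp_internet_exposed": False, "rdp_port": None, "logs_to_siem": True},
    {"host": "ws-101", "admin_fp": fingerprint("localadmin", "Fleet!2019"), "last_patched": date(2019, 4, 20),
     "rdp_internet_exposed": True, "rdp_port": 3389, "logs_to_siem": False},
    {"host": "ws-102", "admin_fp": fingerprint("localadmin", "Fleet!2019"), "last_patched": date(2019, 4, 22),
     "rdp_internet_exposed": False, "rdp_port": 3389, "logs_to_siem": True},
]


def audit(inventory, today):
    """Return {host: [finding, ...]} covering default creds, patch age, reuse, RDP exposure, logging."""
    reuse = Counter(r["admin_fp"] for r in inventory)  # same admin credential present on more than one host
    report = {}
    for r in inventory:
        findings = []
        if r["admin_fp"] in DEFAULT_FINGERPRINTS:
            findings.append("default-credentials")
        if (today - r["last_patched"]).days > MAX_PATCH_AGE_DAYS:
            findings.append("patching-overdue")
        if reuse[r["admin_fp"]] > 1:
            findings.append("shared-admin-credential")
        if r["rdp_internet_exposed"] and r["rdp_port"] == 3389:
            findings.append("rdp-exposed-default-port")
        if not r["logs_to_siem"]:
            findings.append("no-central-logging")
        report[r["host"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit(INVENTORY, AUDIT_DATE).items():
        print(host, ", ".join(findings) or "clean")
```

Each finding maps to one section of the article, so the report doubles as a checklist of which sins still apply to a given host.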
