Misconfiguration Vulnerabilities

By Michael Adjei (MSc.), Security Trainer & Senior Security Engineer at Nuvias Cyber Security. Computer networks are more important today than they have ever been. So much of business...

By Michael Adjei (MSc.), Security Trainer & Senior Security Engineer at Nuvias Cyber Security.

Computer networks are more important today than they have ever been. So much of business continuity involves the smooth running of supporting IT systems. For Network managers, there appears to be an endless availability of IT Security vendors with an even larger supply of security tools available for deployment across their networks; protections such as Firewalls, IPS, Web & Content Filtering, CASB, UEBA VPN, Vulnerability & Patch Management among others.

Also, from Endpoint Security protections to complex Security Intelligence & Analytics solutions to Cloud-based solutions, security administrators and managers will in no doubt be overwhelmed with highly sophisticated and sometimes expensive set of security kit. This can leave networks vulnerable and susceptible to attack if these systems are misconfigured or not configured according to best practice.

Looking back at my first paper in this series, “Where do vulnerabilities come from? A look at inherent vulnerabilities” we can generally categorise system vulnerabilities into these two types:

  1. Code: an inherent issue in the code or system (source: vendor)
  2. Configuration: a misconfiguration or not following best practice (source: end-user)

As far as end-user side vulnerabilities are concerned (in contrast to vendor side), there are the obvious technical issues but also equally important although often overlooked, are non-technical issues. By “End-user”, the focus is on the managers and network administrators who have direct oversight for the network and security systems and not every day users.

Technical End-User Vulnerabilities

  • Skills shortage – limited technical and administrative security knowledge
  • Inadequate security protections (either not properly enabled or not present)
  • Overly large and complex rule sets across multiple systems (often inherited)
  • Asset Tracking and Shadow IT visibility limitations (lack of systems & data classification)
  • Outdated and out of support software (Patch Management) and hardware systems

Non-Technical End-user Vulnerabilities

  • Change control constraints (where necessary changes take too long to implement)
  • Inadequate documentation (on systems access, support & renewals, key contacts)
  • Outdated Corporate Security Policy (without Incident Response, BYOD and Shadow IT)
  • Budget Constraints (which can also lead on to staff shortages and work overload)

It is safe to assume that most of the current crop of system administrators would have inherited their current network setup which also often includes outdated documentation or no documentation at all. This lack of information will make it harder to keep the bad operators out in the future. Then there is the issue of working knowledge.

The Global Information Security Workforce Study 2017 reports that there is a significant security skills shortage globally. With the current trend, this is only set to increase which undoubtedly is a major cause for concern.

Any organisation with the best technologies in place but without the properly trained staff to configure and maintain them will leave the organisation as vulnerable as though an inherent flaw existed in the technology itself. There is also the unending race of trying to keep on top of the latest occurrences in the security world leading to a situation of information overload.  In some cases, existing tools and protections could have prevented a breach or data leakage that later occurs in the organisation had they been properly implemented.

There is hope for the future with the gradual adoption and developments in Software Defined Networking (SDN), Artificial Intelligence (AI) and as Machine Learning capabilities also progress, more and more mundane tasks associated with most of the current breed of security systems should be easily automated and orchestrated. AI should be able to facilitate security systems that will have the ability to automatically make defensive and pre-emptive policy changes to keep security policies up to date and adapt to new threats.

In the meantime, IT Security managers, CISOs and other decision makers need to take the right steps to address issues of skills shortage. They need to upgrade the skill levels of existing network and security staff to enable them to better utilise the existing security protections available to the organisation.

A subsequent added advantage will then be their ability to make informed decisions where enhancements or new technologies are required. Alongside skills upgrade, asset tracking and inventory (with a focus on systems and data classification) should also be a priority to further enable the application of expertise in a tactical and efficient way. Cyber Security is a journey and travellers need to be properly and fully equipped at different crucial points along this not so innocuous journey.

In this article

Join the Conversation