In this podcast recorded at Black Hat USA 2017, Tim White, Director of Product Management, Policy Compliance at Qualys, discusses the importance of security configuration assessment as part of a comprehensive vulnerability management program, and why automating the configuration assessment and reporting of varied IT assets in a continuous manner is important to securing today’s organizations.
Here’s a transcript of the podcast for your convenience.
Hi. I’m Tim White, Director of Product Management at Qualys, and today I’m going to discuss the importance of security configuration assessment as part of a comprehensive vulnerability management program, and why automating the configuration assessment and reporting of varied IT assets in a continuous manner is important to securing today’s organizations.
Vulnerability assessment alone is not sufficient to protect systems from compromise. There’s a variety of different issues that organizations face. Misconfiguration alone is a major source of breaches – there’s an expectation of data protection and due diligence from your customers, your organization and regulatory bodies, both in the US and globally. We continue to see emergence of additional prescriptive requirements and regulations, and the speed of adoption of new technologies and digital transformation continues to drive the importance of risk reduction as we see more and more services being delivered via cloud and a variety of other new technologies.
We’re seeing this emerge in regulations globally as well, because new technology options are outpacing the ability to secure systems and as we see more and more explosion of the use of additional devices, that has a multiplication effect of the total number of misconfigurations that are out there.
NIST looks at vulnerability management in a much broader view than a lot of other people’s view of just VM being the lack of patches or exposure of software programming errors. And if you look at the broader definition of vulnerability management categories from NIST and look at things like not only software flaws but also software feature misuse, where a feature may be designed to deliver a service in a certain way, but by changing the way you leverage the service, you can expose additional confidential information or get access to things beyond the intended protections that are in place. But also software configuration settings fall into this category. There’s a variety of different requirements that need to be implemented in a good security and configuration program to make it more difficult for an attacker to exploit systems within the organization. And VM is a much broader area than just vulnerability assessment under these NIST categories.
If we look at a recent IT policy compliance group study, they found that organizations that are successful in reducing risk exposure collect and leverage configuration data as part of their overall IT security programs. And if you look at some of the things in that study, they pointed out that business risk, that organizations that had effective business risk management were looking at a variety of different configuration areas. Looking at information security controls of logged data, they found that system software configuration data were important as well. But audit control findings and information security test reports were a critical aspect in organizations that delivered or had fewer risk reductions. And only 1 in 8 of these organizations collect, or 32% of the organizations collect less data about configuration and evaluate these against all of their different assets.
The worst performers had significant increases in breaches as a result of that, and that data is mirrored in a variety of different studies; we looked at the 2017 Verizon data breach report and they categorized the most common causes of attack as misdelivery, publishing errors, disposal errors and then in the top 5, the 5th item is misconfiguration, with 12 other breaches being reported from their statistics over the last year as due to misconfiguration. And if you look at that in the context of the other areas, programming errors or patch errors were only 8 of the items out of the entire list. So the majority of – misconfiguration is a significant area. A quote from that report, looking at Shodan searches, shows that there are plenty of misconfigured servers in this imperfect world just because configurations are being ignored. And the reason they quote that is that the default settings that come with a lot of the devices, rushed to get things into production, frequently result in significant security weaknesses being left out there.
So, it’s important to treat misconfigurations with the same criticality as software flaws and software feature misuse. Things you need to focus on are excluding or looking at excessive access to critical files, making sure that you’re implementing good, just basic security principles, right, the idea of least privilege for example, making sure that you don’t have open shares, over-granting of privileges, etc. And you need to look at your firewall rules and make sure they’re being managed in a secure way, and that they meet minimum security configuration requirements, and things like default accounts and weak passwords continue to be an easy way to compromise.
If you look at recent attacks leveraging this configuration, Petya is a good example of an area where attackers are starting to mix the use of vulnerabilities as well as misconfigurations. And specifically, Petya leverages weak user rights and configuration to spread to other systems. Primarily, the primary attack vector was the same as WannaCry, using Shadow Brokers’ exploits, but once an attacker got access to a box, they can spread and infect other systems using users’ permissions. If a user had admin rights only over other systems, those systems could then become infected, and it’s highly recommended that administrative permissions be restricted for workstation users.
A lot of organizations don’t do this – they use a common misconfiguration where they add the Domain Admins group, or even worse – the Authenticated Users group to the local Administrators group. And that creates the ability for an attacker, if they get access to any single device, with one single user’s credentials, to then connect and authenticate to other systems that use the same domain shares. So at a minimum, you should implement User Account Control to prevent the attack from being able to grab or escalate the privilege, to get the ability to install. But ideally you would implement individual, direct access: if a specific user needs to be able to administer their box, you would use only that user’s account, or you’d require them to elevate using a local account or some other secondary type of credential that they would have to authenticate with, so you reduce the risk of spread for these. But this is just one example in today’s world where attackers are starting to leverage and mix their attack methodologies to be the most effective that they can be.
So, configuration assessment challenges today: automation and best practices are key to locking down systems globally and consistently. You have hundreds of security settings to deal with; spot checking – it does not scale. You can’t manually go out and check these devices and make sure you have the appropriate control in place. Golden images are a great way of making sure you have a good initial configuration, but they suffer from configuration drift. And you still need to go out and reassess the devices beyond your compliance scope, to make sure you have the appropriate controls in place. Because these systems become the weakest link in your organization, and just because you protected your compliance-mandated systems doesn’t mean that someone can get access via these ways and spread in a unilateral manner through your organization.
Qualys is here of course to help. We have technologies to help you automate configuration assessment. It’s really critical to be able to scale in your configuration assessment or whatever technology you use needs to be able to collect this data and report on it in a way that helps you prioritize remediation.
Remember, as we do in all of our other areas of remediation, it’s difficult to fix everything at once. So having prioritization is a critical capability that you’ll need, starting out with an inventory of your systems, collecting the information about your environment, identifying which systems are higher risk and lower risk, and then going out and automating the collection of configuration data from those devices. You then need to go and compare that to best practice frameworks, like CIS benchmarks, to identify where your configuration issues lie and then generate reports to drive the remediation, focusing on the ones that are going to have the biggest impact on risk reduction first.
Qualys is here to help – we’ve introduced our security configuration assessment technology as well as, of course, our industry-leading policy compliance technology. We have over 120 CIS benchmarks, covering over 4000 controls and over 50 technologies. So breadth in assessment is critical – you need to look at all of the devices in your organization, not just the obvious ones, in order to do assessments.
Thank you for listening to this podcast today, I hope you’ve learned a little bit about why you need to implement security controls across your environment, not just for mandated systems. If you’re interested in more information about how Qualys can help, please visit the Qualys website for more information on these solutions, to help you with security configuration assessment and policy compliance. Thanks!
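The workflow described in the transcript (inventory, tier hosts by risk, collect configuration data, compare it against benchmark-style controls, rank the failures) and the local-Administrators misconfiguration it calls out can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not Qualys code and not a CIS benchmark. The host inventory, host names, domain SIDs and the four controls are constructed for illustration; the only real values are the well-known Windows SIDs and RIDs (Authenticated Users S-1-5-11, Everyone S-1-1-0, Domain Admins RID 512, Domain Users RID 513), and the risk-tier weighting is a hypothetical choice.

```python
"""Minimal configuration-assessment pass over a constructed asset inventory.

Added example for illustration; not Qualys code and not a CIS benchmark.
"""
from dataclasses import dataclass
from typing import Callable, List

# Well-known Windows SIDs/RIDs used to spot over-broad local Administrators grants.
AUTHENTICATED_USERS_SID = "S-1-5-11"
EVERYONE_SID = "S-1-1-0"
BROAD_DOMAIN_RIDS = {"512", "513"}   # Domain Admins, Domain Users


@dataclass
class Host:
    name: str
    tier: str                      # "high" or "low" risk, from the inventory step
    local_admins: List[str]        # SIDs collected from the local Administrators group
    uac_enabled: bool
    open_shares: List[str]         # shares readable by Everyone
    default_accounts: List[str]    # enabled built-in accounts (e.g. Guest)


@dataclass
class Control:
    control_id: str
    title: str
    severity: int                  # 1 (low) .. 5 (critical)
    passes: Callable[[Host], bool]


@dataclass
class Finding:
    host: str
    control_id: str
    title: str
    score: int


def is_broad_principal(sid: str) -> bool:
    """True for Authenticated Users, Everyone, or a domain-wide group (RID 512/513)."""
    if sid in (AUTHENTICATED_USERS_SID, EVERYONE_SID):
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] in BROAD_DOMAIN_RIDS


# Constructed controls (benchmark-style, hypothetical IDs and severities).
CONTROLS = [
    Control("CFG-01", "No broad groups in local Administrators", 5,
            lambda h: not any(is_broad_principal(s) for s in h.local_admins)),
    Control("CFG-02", "User Account Control enabled", 4,
            lambda h: h.uac_enabled),
    Control("CFG-03", "No shares open to Everyone", 3,
            lambda h: not h.open_shares),
    Control("CFG-04", "Built-in default accounts disabled", 4,
            lambda h: not h.default_accounts),
]


def assess(hosts: List[Host], controls: List[Control] = CONTROLS) -> List[Finding]:
    """Evaluate every host against every control; return failures, highest score first."""
    findings = []
    for host in hosts:
        weight = 2 if host.tier == "high" else 1   # hypothetical risk-tier weighting
        for ctl in controls:
            if not ctl.passes(host):
                findings.append(Finding(host.name, ctl.control_id, ctl.title,
                                        ctl.severity * weight))
    return sorted(findings, key=lambda f: (-f.score, f.host, f.control_id))


# Constructed inventory: host names and domain SIDs are made up for the example.
INVENTORY = [
    Host("fin-db01", "high",
         ["S-1-5-21-4444-5555-6666-500", "S-1-5-21-1000-2000-3000-512"], True, [], []),
    Host("ws-0042", "low",
         ["S-1-5-21-4444-5555-6666-500", AUTHENTICATED_USERS_SID], False, ["C$-copy"], ["Guest"]),
    Host("hr-web02", "high",
         ["S-1-5-21-4444-5555-6666-500", "S-1-5-21-1000-2000-3000-1105"], True, ["public"], []),
]


def report(findings: List[Finding]) -> List[str]:
    """Render the prioritized remediation list, one line per failing control."""
    return [f"{f.score:>2}  {f.host:<10} {f.control_id}  {f.title}" for f in findings]


if __name__ == "__main__":
    for line in report(assess(INVENTORY)):
        print(line)
```

Running it lists six failures, with the Domain Admins grant on the high-risk database host at the top and the low-risk workstation's four issues below it; swapping the constructed `CONTROLS` list for real benchmark checks and feeding `assess` with collected data rather than the inline `INVENTORY` is what turns this into a continuous assessment rather than a spot check.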