In this podcast recorded at RSA Conference 2018, Tim White, Director of Product Management, Policy Compliance at Qualys, discusses how expanding vulnerability and risk management programs can eliminate security misconfigurations. Many don’t realize misconfigurations can be exploited just as easily as a vulnerable piece of software to result in compromise.
Here’s a transcript of the podcast for your convenience.
Hi, my name is Tim White with Qualys. I am the Director of Product Management for compliance products. And today I am going to talk about expanding your vulnerability and risk management programs to eliminate security misconfigurations.
A lot of organizations focus a lot of energy on vulnerability mitigation; patching and those are extremely important aspects of information security. However, a lot of times misconfigurations are a source of vulnerability or often overlooked. Misclassified software, misconfigurations, as a portion of vulnerability and risk management requirements. And for a good reason, there is expectation of all organizations to implement good data protection and due diligence around preventing breaches.
As we have seen with a lot of recent activity over the past year, misconfigurations can be exploited just as easily as a vulnerable piece of software to result in compromise, and combining a mixed approach of vulnerability exploits and configuration exploits such as in cases like Petya where we saw the use of elevated account privileges to gain access to other systems, can be a significant source of risk exposure for organizations.
We also see regular trends increasing the prescriptive requirements, to expand the breath of the requirements to cover sections of the environment that may not necessarily touch regulated data, and the reason we are seeing that is that the attack surface is so large in today’s organizations that failure to implement the appropriate security controls in those sections in the environment is increasing risk to the regulated or protected portions of the environment.
We expect to see, with the adoption of GDPR preparedness as well as broadening regional requirements that I talked about in my previous podcasts, that those will continue to drive more requirements across a broader scope of the organization. Especially with the adoption of new technologies, DevSecOps processes for example, as well as the migration of technology into the cloud, and we see more frequent updates to code, more automation, and with that comes potential for misconfiguration in configuration drift.
Configuration assessment is a significant requirement for organizations that want to reduce their risk exposure. And we have seen time and time again in a variety of different studies from the DBIR to IT policy compliance group, and so forth that means misconfiguration is a top source of exposure that remains in the top 5 areas that are commonly exploited.
Some common misconfigurations that organizations might look at are things like failure to implement UAC or excessive rights. The Petya example, a lot of organizations use the authenticated users into their local admin groups on their laptops so that they can install software, and remove software, and fix things when they are out on the road. And while that makes life convenient, it also gives those users access to peer machines and anything that a user has access to if their system is compromised the attacker is going to have access to.
So, it is a use of excessive rights, failure to ensure access to critical files, blocking access to logs, firewall rules. And then also you know of course default accounts and weak passwords remain – critical misconfiguration areas that we need to focus on.
Periodic assessments – a lot of organizations will think that they use a golden image, that system doesn’t require to be reassessed. Because it left the IT in a secure state. Or if you are getting your users admin rights you certainly can’t rely on the fact that it is not going to change. Even if you have fairly stringent controls on the account, there could still be configuration drifting with hundreds of security settings in extremely dynamic and complex IT environments spot checking those systems just doesn’t scale. All types of this different approache will inherently end up with configuration drift, and so assessing those on a more frequent basis is really critical. Making a move towards continuous configuration assessment, continuous compliance is key to preventing these kinds of issues from becoming a significant risk exposure to your organization. The old adage “a stitch in time saves nine”, certainly applies when we are looking at configuration assessment.
Today there is definitely a lot that you need to do, automating configuration assessment is the key to being able to getting a scope of what your misconfigurations are. You don’t have to remediate every misconfiguration. Start with something like CIS benchmark, start a Level 1 profile or even a subset of the Level 1 profile. Docus on controls that are going to have a big impact on risk reduction. There are things like weak account settings, password requirements, and minimum password age – basic things that you may neglect in your desktop environment or your non-critical server environments.
Focus on remediating those issues first, implementing the appropriate controls and whatever your user management system is, make sure you are using the appropriate controls in Active Directory to force settings down to the desktop. Implement good security best practices like least privilege, do not give your users admin rights or at least turn on UAC so that they have to at least interact with the system before their administrative privileges are on leverage. And then look at configuration assessment as a methodology for validating if those settings are working in the environment.
Qualys provides Security Configuration Assessment that provides a lightweight add-on that you can easily use to examine your vulnerability in risk management program, to include configuration assessment with an extremely broad coverage of a lot of operating systems. A significant set of controls are pre-configured for you to match the CIS benchmarks, that can be used to remotely scan or gather the data in real time via the Qualys agent, to automate your continuous security configuration assessment program.
Thanks for listening today and we look forward to talking to you again in another podcast in the future.