By Tim Bandos, Vice President of Cybersecurity at Digital Guardian
Sometimes it’s the little things. In hindsight, more often than not, getting hacked can stem from a minor misstep or completely preventable mistake. Common security mistakes and overlooked misconfigurations can open the door for malware or attackers, potentially leaving your environment and any exposed data ripe for the picking. Avoid these top five configuration gaffes to reduce the threat exposure to your organization.
It almost seems too obvious to include here but leaving default usernames and passwords unconfigured for databases, installations, and devices, by far, is one of the most common and easy items for a hacker to exploit. Leaving default credentials on network devices such as firewalls, routers, or even operating systems, allows adversaries to simply use password checking scanners to walk right in. In more skilled setups, hackers can simply stage a series of scripted attacks geared at brute-forcing devices by focusing on either default usernames and passwords, or basic passwords like “qwerty” or “12345.”
Researches have uncovered a Python-based web scanner, Xwo, that can easily scan the web for exposed web services and default passwords. After collecting default MySQL, MongoDB, Postgre SQL, and Tomcat credentials, the scanner forwards the results back to a command and control server.
Leaving default credentials on any device is akin to leaving your keys in a locked door. Even a 12-year-old with some internet access at home could majorly breach a corporation just by using one of these freely available tools on the internet to check for default credentials.
Having strong and complex passwords isn’t the only action that needs to be taken when securing your environment. Oftentimes, I see environments that’ll leverage the same user account and password across every device in a fleet of endpoints. Sure, to an IT administrator this may be convenient, but it’s not necessary and can grant an attacker the ability to pivot across every machine, even if only one of those computers has been breached. From there, attackers can leverage credential dumping programs to get their hands on the passwords or even the hashes themselves and then it’s open season. Avoid password reuse at all costs and disable any accounts that are not required.
Exposed Remote Desktop Services and Default Ports
Any externally facing device that’s connected to the internet should have layers upon layers of protection to combat attempts to gain access, like a brute force attack. Services like Remote Desktop Protocol, or RDP, a proprietary protocol developed by Microsoft, can provide administrators an interface to control computers remotely. Increasingly, cybercriminals have taken to leveraging this exposed protocol when it’s not configured properly.
Administrators should leverage a combination of strong/complex passwords, firewalls, and access control lists in order to reduce the likelihood of a compromise.
Delayed Software Patching
This, like leaving default credentials on a server or system, may seem like another potential no-brainer. It’s worth pointing out that keeping operating systems up to date and patched appropriately can prove significantly effective at preventing a breach, however. While there are numerous exploits and vulnerabilities found daily ─ and yes it can be difficult to keep up ─ if administrators aren’t properly maintaining their patch levels, then it’s game over. Ironically, of the breaches I’ve worked on where the attacker’s gotten in via a vulnerability, the majority of them have been a vulnerability that was ridiculously old. It shouldn’t come as a surprise ─ attackers will continue exploiting old bugs as long as they’re effective. There’s hype around detecting and preventing zero-days, but the most common vulnerabilities that are exploited can be classified as a fossil.
Logging Turned Off
Disabled logging doesn’t necessarily allow an attacker to get into a system, but it does allow them to act like a ghost while they’re in there. Once in, hackers can move laterally through a network in search of data or assets to exfiltrate. Without logging, they can do all this while leaving zero tracks behind.
This creates a true ‘needle in a haystack’ scenario for incident responders and forensic analysts and makes their job that much harder when trying to reconstruct what may have happened during an incident or intrusion.
Enabling logging and having it sent to a centralized location, like a security information and event management (SIEM) platform is highly recommended. That data will provide the breadcrumbs needed by forensic analysts during an incident response investigation to reconstruct the attack and scope the intrusion. Additionally, it can prove highly useful when it comes to responding to threats that may have triggered an alert from an event in the collection of said logs.
Having appropriate security configurations requires your applications, servers, and databases, to be hardened in accordance with best practices. Leaving these devices or platforms in a default state only makes the job of an attacker that much easier. It may not happen right away but they’ll discover these misconfigurations at some point, gain unauthorized access ─ and depending on their intent ─ steal sensitive data or cause damage.
Avoid becoming an easy target and follow these precautionary steps to protect yourself and your data.
About the author
Tim Bandos is Vice President of Cybersecurity at Digital Guardian. He has over 15 years of experience in the cybersecurity realm with a heavy focus on Internal Controls, Incident Response & Threat Intelligence.