Misconfigured Servers and Applications Stated as One of 10 OWASP Critical Security Risks

OWASP (Open Web Application Security Project) recently released the 2017 version of its Top 10 List – the Ten Most Critical Web Application Security Risks.

As you may know, OWASP is an open community dedicated to enabling organizations to develop, purchase and maintain APIs and applications that can be trusted. In addition to making available free application security tools and publishing standards, OWASP occasionally revises its list of the Top 10 application security risks.

The main purpose of the OWASP Top 10 security risks list is to educate developers, designers, architects, managers and organizations regarding the consequences of the most important web application security weaknesses. The Top 10 list provides basic techniques to protect against these high risk problem areas and also provides guidance how to proceed to minimize these risks.

One of the most important security risks on the updated Top 10 list for 2017 is Security Misconfiguration. Security misconfiguration is very common and can happen at any level of an application stack. If security settings are misconfigured, threat agents – external attackers as well as authorized users – may attempt to compromise the system. They do so by accessing default accounts, unused pages, unpatched flaws, unprotected files and directories and so on, in order to gain unauthorized access to the system.

As a result of security misconfiguration, attackers often gain unauthorized access to system data or functionality. Occasionally, such access results in a complete system compromise. In fact, a business’s system might be completely compromised without the systems administrator’s knowledge. Data could be stolen or modified over time and the recovery costs could be very expensive.

How do I know if my systems are vulnerable to attack due to security misconfiguration?

  1. Check if any of your software is out of date. This software includes the operating system, web/app server, DBMS, applications, APIs and all components and libraries.
  2. Check if any unnecessary features are enabled or installed. These features include ports, services, pages, accounts and privileges.
  3. Check if any default accounts and their passwords are enabled and unchanged.
  4. Check if your error handling reveals stack traces or other overly informative error messages to users.
  5. Check if the security settings in your application servers, frameworks, libraries etc. are set to secure values.

How can I prevent attacks due to security misconfiguration?

  1. Implement an automated, repeatable hardening process.
  2. Put in place a process for keeping abreast of and deploying all new software updates and patches in a timely manner.
  3. Maintain a strong application architecture that provides effective, secure separation between components.
  4. Set up an automated process to verify that configurations and settings are properly configured in all environments.


As the OWASP Top 10 list points out, avoiding security misconfigurations is a critical element in securing your systems. However, implementing server and application hardening in order to prevent security misconfigurations is a major challenge to IT teams.

There are 4 key challenges in implementing a security policy for servers in production:

  • CHALLENGE 1: Defining a security policy
  • CHALLENGE 2: Implementing the policy to production environments without causing outages
  • CHALLENGE 3: Ensuring continuous compliance with the security policy and reporting on policy violations
  • CHALLENGE 4: Implementing a change management procedure and enforcing policies per server role

Let’s now look at each of these challenges in detail:

CHALLENGE 1 – Define the Server Security Policy:

The Server Security Policy is part of the organization’s security policy, which is a business-driven construct that defines how the company plans to protect its information and technology assets. Defining the server policy should take several issues into consideration: first, the external regulatory mandates and industry standards the organization must comply with; second, internal governance requirements; and finally, the general best practices the company adopts.

In order to implement the logical part of the policy, the requirements should be translated into rules that will be applied to the servers. Common benchmarks cover subjects such as services, registry keys, shares, permissions, processes, files, network settings and system settings.

CHALLENGE 2 – Enforcing the approved security policy:

Enforcing the security policy is the responsibility of the operations team in the IT department. At the sysadmin’s level, enforcing the policy on production environments is a labor-intensive task. Securing a system by implementing a hardened configuration is an operational risk to the core business because of potential outages and downtime.

There are many examples where security hardening at the OS and application level can cause outages; we will describe three which are also common attack vectors:

Task Scheduler jobs – a scheduled task that runs as a domain or local user stores that user’s password hash locally on the server. One of the basic hardening recommendations is “Network security: Do not store LAN Manager hash value on next password change”. If an application is run by a domain or local user and its password hash is stored locally, pass-the-ticket (PTT) or pass-the-hash (PTH) attacks can occur. Hardening this setting provides better security, but on the other hand the application will stop running.

LM compatibility level – there are several authentication methods for servers, applications and Active Directory. Some are old and insecure, while others are new and secure, but enabling only the secure ones will crash applications that cannot use them.

Basic hardening of services – changing a service from automatic/started to disabled/stopped is a basic way to reduce vulnerabilities. There are two problems here: 1) Dependencies – service 1 depends on service 2; if we disable service 2, we stop service 1 as well. 2) Servers that make use of services indirectly; for example, Citrix uses the Print Spooler service.
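The three settings above, and the automated configuration verification called for in the prevention list, can be checked without changing anything. The following is an added example, not code from the original post or from CalCom: a read-only PowerShell audit that reports drift from the desired values and lists which running services would stop if a candidate service were disabled. It assumes Windows PowerShell 5.1 or later and the standard LSA registry location; the desired values (NoLMHash = 1, LmCompatibilityLevel = 5) and the Spooler candidate are assumptions standing in for the organization’s approved policy.

```powershell
# Added example (not from the original post): read-only audit of three hardening
# settings discussed on this page. Reports drift and blast radius; changes nothing.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $Lsa -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the Windows default applies
    return $item.$Name
}

$findings = @()

# 1. "Do not store LAN Manager hash value on next password change" corresponds to NoLMHash = 1.
$noLmHash = Get-LsaValue 'NoLMHash'
if ($noLmHash -ne 1) {
    $findings += "NoLMHash is '$noLmHash' (policy wants 1): LM hashes may be stored locally; " +
                 "scheduled tasks that run as a domain/local user must be re-tested after the change."
}

# 2. LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM. Raising it can break
#    applications that only speak the legacy protocols, so inventory them first.
$lmLevel = Get-LsaValue 'LmCompatibilityLevel'
if ($null -eq $lmLevel -or $lmLevel -lt 5) {
    $findings += "LmCompatibilityLevel is '$lmLevel' (policy wants 5): legacy LM/NTLM still accepted; " +
                 "identify clients that still authenticate with LM/NTLMv1 before raising it."
}

# 3. Before disabling a service, list the running services that the Service Control Manager
#    says depend on it. Note: this only sees declared SCM dependencies; an application that
#    merely uses a service (the page's Citrix / Print Spooler case) still needs a test run.
function Get-DisableImpact {
    param([string]$ServiceName)
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return "Service '$ServiceName' is not installed: nothing to disable." }
    $dependents = Get-Service -Name $ServiceName -DependentServices -ErrorAction SilentlyContinue |
                  Where-Object { $_.Status -eq 'Running' }
    if ($dependents) {
        return "Disabling '$ServiceName' would also stop: " + (($dependents | ForEach-Object Name) -join ', ')
    }
    return "Disabling '$ServiceName' stops no running dependent services (current status: $($svc.Status))."
}

# Candidate services come from the approved policy; Spooler is an assumed example here.
foreach ($name in @('Spooler')) { $findings += Get-DisableImpact $name }

if ($findings.Count -eq 0) { 'No drift from the policy values checked.' } else { $findings }
```

Run it under an account that can read HKLM and query services; it can be scheduled as the continuous-compliance check of Challenge 3, with the output fed to whatever reporting the organization already uses.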

There are native configuration management tools such as GPO and SCCM, as well as various manual methods, for deploying a basic security policy, but implementing a broad security policy requires extensive manual work and long hours of testing. Skipping the testing phase will break the daily operation of the system and create outages.

CHALLENGE 3 – Ensuring continuous compliance with the policy:

Maintaining the policy and ensuring servers stay properly hardened according to it is the second step, and a highly critical one from a security and compliance perspective. From a compliance point of view, enterprises want to make sure servers are constantly hardened so there is no need for special preparations before audits or extensive remediation work after the auditor has left. From a security perspective, today’s advanced attacks have crossed the enterprise perimeter, and every unhardened object is a potential attack vector; this is why hardening is critical. When hardened servers are not monitored in real time and there is no preventive capability, an attacker who gains access to a hardened server can disable the policy, re-expose the server’s vulnerabilities and use them to attack the system.


CHALLENGE 4 – Implementing a policy change management procedure:

Policy changes should be implemented occasionally. There are two events that should change a server security policy:

  1. A change in the server configuration – installation of new applications or software, or a change in server roles, requires consideration from a security policy point of view.
  2. New versions of benchmarks – both CIS and SCM issue updates to their benchmarks on a quarterly basis. These changes are based on wide vulnerability research, and the fixes to these benchmarks are made in order to block new attack vectors.


CalCom Hardening Solution (CHS) for Microsoft OMS is a server hardening automation solution designed to reduce operational costs and improve the server’s security and compliance posture. Unlike other server hardening solutions, CHS eliminates outages and reduces hardening costs by indicating the impact of a security hardening change on production services before implementing it. It ensures a resilient, constantly hardened and monitored server environment.

CHS automatically monitors and verifies that your systems comply with your security policies, which reduces your risks of being vulnerable to attacks due to security misconfigurations. In addition, CHS also produces reports that can show your compliance state to your auditors.


For additional information:

https://www.owasp.org/index.php/Main_Page

https://www.owasp.org/index.php/Top_10_2017-Top_10

https://www.owasp.org/index.php/Secure_Configuration_Guide

http://www.darkreading.com/application-security/new-owasp-top-10-reveals-critical-weakness-in-application-defenses/a/d-id/1328751