While many organizations focus on their vulnerability management programs to find critical vulnerabilities like the highly-publicized Shellshock, Poodle and Ghost, it’s equally important to validate system build and configuration change management processes, as these activities can also leave your systems and data at risk.
How can system misconfigurations leave you vulnerable?
A good example is last year's data breach at MBIA. MBIA is the largest bond insurer in the USA and was in the news in late 2014 because of a data breach reportedly caused by a misconfigured Oracle Reports database server. This database server, part of mbiaweb.com was misconfigured so that instead of only sending data to authorized administrators, data was made public, picked up by the search engine crawlers and made available to anyone with a web browser. Account information like account numbers and balances was exposed. MBIA shut down the server as soon as it was notified, but because of this misconfiguration, sensitive data was exposed for some time.
There are steps you can take to help ensure your systems and applications are configured appropriately, so you don’t end up in a situation like the example above.
1. First, define a technical standard for your organization to follow. You might choose to follow a well-known industry benchmark like CIS or another best practice, or develop your own best practice.
2. Next, define roles and responsibilities. Ideally, you’ll have an executive champion to sponsor the program for getting a technical standard and stakeholders from teams throughout the organization.
3. Document at what frequency assessments will be performed. More frequent assessments will give you better visibility into whether systems are compliant with your standard.
4. Cite exception procedure for systems that do not comply with the technical standard. There will be systems that you may not be able to configure per your standard for a variety of reasons.
5. Finally, cite the scope (production, pre-production, certain business functions, vendors, etc.).
It’s also important to continually measure how this process is working for your organizations. Set realistic milestones and know that it may take your organization some period of time to meet them.
If you’re interested in learning more about this topic, check out the on-demand recording of the recent Tenable Network Security webcast: Systems Misconfigurations Leave your Data at Risk.