The unseen COVID-19 ripple effect: Security misconfiguration risk

May 7, 2020
If eliminating misconfiguration risk is the question, automation is the answer

Even in the best of times, security misconfigurations have been among the greatest risks to security, compliance, and system uptime. IBM's 2018 X-Force Threat Intelligence Index reported a 424 percent increase in records compromised through misconfigured cloud infrastructure, most of it the result of human error, and managing firewall and cloud security group configurations has only become more vital since. COVID-19 has brought these risks into stark relief, as IT teams struggle to keep up with massive network change and the accelerated cloud adoption that comes with remote work.

The story goes something like this: IT must adapt quickly to ensure access to critical systems and business continuity. Overtaxed engineers and security personnel move fast to expand VPN infrastructure and change permissions to allow access. Speed takes precedence over best practices, which is the recipe for human error, the greatest enemy of security. Businesses are ultimately left with compliance violations, breach avenues, and unplanned outages.

While businesses adapt to the changing environment and fast-paced, digital-first transformations, security teams should be focusing on human-introduced misconfigurations.

Result of Human Reliance: Misconfiguration Outcomes

Here are some staggering statistics from Gartner: through 2025, 99 percent of all cloud security failures will be the customer's fault, and through 2023, 99 percent of all firewall breaches will be caused by firewall misconfigurations, not firewall flaws. So, while security analysts and engineers are still charged with spending most of their time on vulnerabilities, human error is actually our greatest threat. This is amplified by the increasing speed of business driven by digital transformation and cloud adoption, and COVID-19 has only accelerated these risks. With cyber-attacks skyrocketing, attackers are targeting newly and often hastily deployed remote access and teleworking infrastructure.

In addition, businesses are facing compliance violations, unplanned outages, and unexpected breach avenues, all caused by simple firewall policy and cloud security group misconfigurations that open the door for cybercriminals. Some of the most common mistakes include overly permissive access, opening ports to known vulnerable hosts, creating access that bypasses egress filters (e.g. a proxy or CASB), and unplanned EC2/VM exposure. These misconfigurations and their outcomes are not new, and they are significant enough to cause major damage.

To understand breach risk due to misconfiguration, let’s dig into how cybercriminals take advantage of human error and mistakes in security policy configurations to ultimately launch attacks.

In a typical seven-step attack chain, there are three stages where security policy misconfigurations are most often exploited, allowing the chain to proceed: Reconnaissance (enumeration), Delivery, and Command and Control. The first stage of the cyber kill chain is reconnaissance and active information gathering. Enumeration is the active form of reconnaissance: the attacker scans and probes open ports to uncover vulnerabilities and select a target system. A firewall or security group rule that exposes more ports or hosts than intended hands the attacker this inventory for free.

The second area where policy misconfigurations are exploited, and the third stage in the attack chain, is Delivery. This is where the attacker's weaponized payload is delivered via email, web, a raw TCP/UDP connection to an exposed service, or similar means; an ingress rule that opens a port to a known vulnerable host is a direct delivery path. Lastly, there is the sixth stage in the chain: Command and Control (C2). The C2 channel, which is typically a different channel than the one originally probed, is used to remotely execute and manage the attacker's plan; an egress rule that lets a host reach the internet directly, bypassing the proxy or CASB, is exactly the channel C2 traffic needs. Firewall/NSG policy is the foundation of IT security and the first line of defense. Given the amount of change happening in this unprecedented remote work shift, one mistyped object in a rule that allows access to something that was never intended to be publicly accessible, and it is game over. Understanding the attack chain is vital to helping businesses construct proper, layered defenses. It only takes one point of mitigation to break the chain and stop the attack.
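The following policy-as-code lint is an added example, not FireMon's product or any code from the original article. It checks a rule set for the four common mistakes listed above (overly permissive access, ports opened to known vulnerable hosts, egress that bypasses the proxy/CASB, unplanned VM exposure) and gates a proposed change before it is pushed, catching the "one mistyped object" case where an engineer meant 10.0.0.0/8 and typed 0.0.0.0/0. The rule set, the proxy subnet, the management-port list and the vulnerable-host list are all constructed for the example and are assumptions, not data from any real environment or scanner.

```python
"""Policy-as-code lint for firewall / cloud security-group rules (added example).

Flags the misconfiguration patterns named in the article and gates a proposed
rule change.  Every address, port list and rule below is constructed for the
example; PROXY_NET and KNOWN_VULNERABLE are assumptions standing in for the
real proxy subnet and the vulnerability scanner's output.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ANY_PORTS = (0, 65535)
# Services an attacker enumerates first; never expose them outside RFC1918.
MANAGEMENT_PORTS = {22, 3389, 445, 1433, 3306, 5432, 6379, 27017}
# Assumption: the only sanctioned direct path to the internet is the proxy/CASB.
PROXY_NET = ipaddress.ip_network("10.20.0.0/24")
# Assumption: hosts the vulnerability scanner reports as unpatched.
KNOWN_VULNERABLE = {ipaddress.ip_address("10.1.5.7")}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str           # "ingress" (to protected hosts) or "egress" (from them)
    ports: Tuple[int, int]   # inclusive port range; ANY_PORTS means all ports
    local: str               # CIDR of the protected hosts / VMs
    remote: str              # CIDR on the far side of the traffic


def _internal(net: ipaddress.IPv4Network) -> bool:
    """True when the whole CIDR lies inside one RFC1918 range."""
    return any(net.subnet_of(r) for r in RFC1918)


def _ports_hit(rule: Rule, wanted: Set[int]) -> List[int]:
    lo, hi = rule.ports
    return sorted(p for p in wanted if lo <= p <= hi)


def audit_rule(rule: Rule) -> List[str]:
    """Return one finding per misconfiguration pattern the rule matches."""
    findings: List[str] = []
    local = ipaddress.ip_network(rule.local)
    remote = ipaddress.ip_network(rule.remote)
    lo, hi = rule.ports
    if rule.direction == "ingress":
        if not _internal(remote):                       # source is outside the enterprise
            if rule.ports == ANY_PORTS:
                findings.append(f"{rule.name}: {rule.remote} -> {rule.local} on all ports (unplanned VM exposure)")
            hit = _ports_hit(rule, MANAGEMENT_PORTS)
            if hit:
                findings.append(f"{rule.name}: {rule.remote} -> {rule.local} management ports {hit} (overly permissive; enumeration target)")
        for host in KNOWN_VULNERABLE:                   # delivery path to an unpatched box
            if host in local:
                findings.append(f"{rule.name}: opens ports {lo}-{hi} to known-vulnerable host {host} (delivery path)")
    else:                                               # egress: only the proxy may reach the internet
        if not _internal(remote) and not local.subnet_of(PROXY_NET):
            findings.append(f"{rule.name}: egress {rule.local} -> {rule.remote} ports {lo}-{hi} bypasses proxy/CASB (C2 channel)")
    return findings


def internet_exposed(rules: List[Rule]) -> Set[Tuple[str, int]]:
    """(local CIDR, management port) pairs reachable from outside RFC1918."""
    exposed: Set[Tuple[str, int]] = set()
    for r in rules:
        if r.direction == "ingress" and not _internal(ipaddress.ip_network(r.remote)):
            for p in _ports_hit(r, MANAGEMENT_PORTS):
                exposed.add((r.local, p))
    return exposed


def review_change(current: List[Rule], proposed: Rule) -> Dict[str, object]:
    """Pre-change gate: lint the new rule and report any NEW internet exposure it creates."""
    findings = audit_rule(proposed)
    new_exposure = internet_exposed(current + [proposed]) - internet_exposed(current)
    return {"approved": not findings and not new_exposure,
            "findings": findings,
            "new_exposure": sorted(new_exposure)}


# Constructed baseline policy.
CURRENT_POLICY = [
    Rule("web-in", "ingress", (443, 443), "10.1.10.0/24", "0.0.0.0/0"),
    Rule("rdp-from-vpn", "ingress", (3389, 3389), "10.1.20.0/24", "10.0.0.0/8"),
    Rule("proxy-out", "egress", ANY_PORTS, "10.20.0.0/24", "0.0.0.0/0"),
    Rule("smb-legacy", "ingress", (445, 445), "10.1.5.0/24", "192.168.0.0/16"),
]
# The late-night change: the engineer meant 10.0.0.0/8 and typed 0.0.0.0/0.
PROPOSED_TYPO = Rule("rdp-jump-hosts", "ingress", (3389, 3389), "10.1.20.0/24", "0.0.0.0/0")
PROPOSED_OK = Rule("rdp-jump-hosts", "ingress", (3389, 3389), "10.1.20.0/24", "10.0.0.0/8")

if __name__ == "__main__":
    for rule in CURRENT_POLICY:
        for finding in audit_rule(rule):
            print("FINDING:", finding)
    for proposed in (PROPOSED_TYPO, PROPOSED_OK):
        print(proposed.name, proposed.remote, "->", review_change(CURRENT_POLICY, proposed))
```

Run as a pre-commit hook or a pipeline stage on the rule file, the gate rejects the mistyped rule (it adds internet exposure of RDP on 10.1.20.0/24) while approving the rule the engineer actually intended, and the baseline audit surfaces the legacy SMB rule that opens port 445 to a host the scanner already flagged. Both checks run in milliseconds and do not depend on anyone being awake at 2 a.m.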

Lack of Automation and Manual Processes Crush Agility

Now more than ever, we face the reality that digital transformation is growing at a rate that outpaces security personnel's ability to keep up with increasingly complex networks. Businesses are suffering from a widespread shortage of security personnel, making it impossible to keep up with technology transformations and evolving cloud networks. According to FireMon's recent State of Hybrid Cloud Security Report, which surveyed over 500 security professionals across various industries, 78 percent of organizations spend less than 25 percent on security, and 69 percent of security teams consider themselves understaffed. With small budgets leading to inadequate training, and security teams losing sleep to late-night change windows, policy complexity (the breeding ground for misconfiguration) is getting out of hand.

Security issues caused by shrinking budgets and a shortage of skilled workers are compounded by the fact that most enterprises still rely on outdated manual processes to secure their networks. FireMon's 2019 State of the Firewall Report, which examined the impact of hybrid cloud on firewall security, found that 73 percent of respondents use mostly manual, error-prone processes in their hybrid environments. Thirty-five percent of that group uses no automation at all.

Lack of automation and reliance on humans further complicate the problem by multiplying the misconfigurations available for cybercriminals to exploit, and misconfigurations and data breaches will only spike as COVID-19 leaves security teams dispersed and reduced. Automated tools can support overworked and understaffed security teams, maximize their resources, and help stem the tide of data breaches as businesses work out how to do more with less.

A Call to Action: Start Preparing Now to Come Out Stronger After the Storm

We’re still in the midst of the COVID-19 storm, but before long the clouds will part, and businesses will land on a new normal. When this day comes, how do we come out stronger, more agile, and more secure?

If eliminating misconfiguration risk is the question, automation is the answer.

Security automation enables agility, eliminates the guesswork and manual input during change processes, and removes friction between DevOps and SecOps. It also dramatically reduces costs and risks, allowing organizations to do more with less.

While the fog continues to loom, forward-thinking security teams already have their eyes on a more agile, flexible future. They are staring down the misconfiguration enemy and they are looking to automation to crush it.

About the Author: Jeff Styles is the VP of Global Field Engineering at FireMon. Styles leads the global team of sales engineers. Working alongside key groups within FireMon, Jeff ensures technical wins and real-time strategic field intelligence. With more than 20 years of experience in perimeter cybersecurity, firewall engineering, and penetration testing, Jeff has held a series of security leadership posts in high-growth startups and large-scale Fortune 100 companies.