18 October 2022SafeAeon Inc.
Misconfiguration means when there is an error in system configuration. Let’s consider if the setup pages are enabled or if an end-user still operates through default usernames and passwords. These practices can lead to breaches. If the setup server configuration is not disabled, the hacker can determine hidden flaws, providing them with extra information. Misconfigured devices and apps are easy targets for attackers to use as an entry point to exploit.
6 Common Cloud Misconfigurations and Their Solutions.
Unrestricted Inbound Ports: The best way to ensure that you're not open to malicious attacks is to carefully consider which ports you need to open to the internet, and then only open those. When in doubt, keep all ports closed. Cloud services mostly use high-number UDP or TCP ports to prevent exposure to risks, But all ports open to the internet is susceptible to attacks.
- When migrating to a multi-cloud environment, make sure you know the full range of open ports and then restrict or lock down those that aren't strictly necessary.
Unrestricted Outbound Ports: These ports create opportunities for security events like data exfiltration, lateral movement, and internal network scans once there's a system compromise. Granting outbound access to RDP or SSH is a common cloud misconfiguration. Application servers seldom have to SSH to other network servers, so it's unnecessary to use open outbound ports for SSH.
- One solution for this is by maintaining an inventory of all company secrets in the cloud and regularly evaluating how they're secured. Otherwise, threat actors could easily breach your systems, access your data, and overrun your cloud resources to effect irreversible damage.
Insecure Automated Backups: Insider threats to cloud environment are an ever-present cybersecurity risk. According to McAfee, about 92% of business organizations have their workers' credentials being sold on the darknet. Insider threats can be particularly damaging when automated cloud data backup is not appropriately secured.
- Even after protecting your master data, poorly configured backups will likely still remain vulnerable and exposed to insider threats. When dealing with the cloud, Always ensure that backups are encrypted at all times.
Lack of Validation: This is a meta-issue cloud configuration error: most organizations fail to implement a process for identifying misconfigurations whenever they occur. It's important to have someone verify that permissions and services are correctly configured and deployed.
- One way to check this is to create a system that ensures validation occurs like clockwork since mistakes are inevitable and a rigorous process of periodically auditing cloud configurations. Otherwise, you may be leaving a security loophole that cybercriminals can exploit.
Subdomain Hijacking (AKA Dangling DNS): A common cause of this type of cyberattack is when an organization deletes a subdomain from its virtual host (e.g. Azure, AWS, Github, etc.) but forgets to delete associated records from the Domain Name System (DNS). Once the attacker discovers the unused subdomain, they can re-register it via the hosting platform and route users to their own malicious web pages.
- To avoid subdomain hijacking, organizations should always remember to delete DNS records for all domains and subdomains that are no longer in use.
Overly Permissive Access to Virtual Machines, Containers, and Hosts: Without a firewall or filter protection, would you connect a virtual or physical server in your data center directly to the internet? You probably wouldn't, but people do this in their cloud infrastructures.
Some of the most common examples include:
- Enabling legacy protocols and ports like FTP on cloud hosts
- Legacy protocols and ports like rexec, rsh, and telnet in physical serves that have been made virtual and moved to the cloud
- Exposing etcd (port 2379) for Kubernetes clusters to the public internet
- To avoid this cloud configuration mistake, Secure important ports by disabling or locking down insecure protocols in your cloud environment just as you would treat your on-premise data center.
What to do to avoid this type of cyber-attack:
Leverage automation whenever possible and put protocols and infrastructure in place that tighten your configuration process even further. The threat of incorrectly configured devices throughout your network is revealed by monitoring application and device settings and comparing them to advised best practices.
At SafeAeon, Data from cloud services are processed by our SOC, which leverages Hybrid AI to detect and respond to advanced attacks with 10X better accuracy and minimize the impact on your business. Reach out to Us today.