Beware misconfiguration errors: Little slip-ups can have huge consequences
Sometimes it’s the little things that trip you up.
In cybersecurity, that might not be the lack of the latest security technologies that cause a data breach but, instead, a simple misconfiguration in a software system or cloud services. And cybersecurity experts are noticing more instances of misconfiguration problems enabling hackers to break into organizations.
“If there is a small loophole or an error in security systems, such as the use of default settings or unhardened security, it can potentially provide access to an unrecognized third party. This loophole in the system is called a misconfiguration error,” said Madhuri Tekchandani, assistant manager, healthcare, at research firm MarketsandMarkets.
[Register Now: Upcoming HIMSS Healthcare Security Forum]
Misconfiguration errors can inadvertently provide unfettered access to unauthorized parties.
Making matters even more complex, hackers have made a practice of reverse-engineering software to pinpoint vulnerabilities. This may involve simple scripts for reconnaissance or the purchase of readily available exploit kits on the Dark Web.
“Simple misconfiguration errors can have potentially devastating effects,” said Varun Badhwar, CEO and co-founder of RedLock, a cloud infrastructure security and cybersecurity company.
[Also: Bug bounties: Crowdsourcing hackers to strengthen cybersecurity]
The little mishaps, in fact, can exposed sensitive data such as passwords, personally identifiable information, sales compensation data and other types of information that could damage individuals as well as a hospital’s reputation.
Badhwar pointed to recent data leaks at companies such as Deep Root Analytics, WWE and Booz Allen Hamilton as demonstrating that such data leaks are becoming all too common today. And in healthcare, the security configuration of a system plays a vital role in safeguarding data. In this regard, issues such as low security settings, using default usernames and passwords, or poor patch management can result in data misconfiguration.
Healthcare security and IT teams can take steps to combat misconfiguration errors of various types.
[Also: Ransomware 2.0: It's coming, and healthcare needs to get prepared]
“Hospitals must consider automating configuration monitoring,” Badhwar explained. “The beauty of cloud applications and infrastructure is that changes can take place rapidly, which helps with innovation. However, at the same time, it can be detrimental if the changes are due to errors.”
In the case of a recent Google Groups misconfiguration that RedLock discovered, for instance, hundreds of organizations had accidentally configured their groups sharing setting to allow the public to view the private messages within their forums.
Misconfiguration most often occurs during the process of changes to security. For example, the stage when new rules are added to a firewall, or the existing rules are being changed or replaced, provides a window of opportunity for a hacker to take advantage of any possible vulnerability.
“To make sure that there is no flaw left, it is essential to keep a check on every step of the security change process,” Tekchandani said. “Thorough testing and verification must be conducted to minimize the risk of errors and misconfigurations.”
It is necessary for the administrator to collaborate with the system developer to ensure the entire application stack is configured appropriately, Tekchandani added.
Though it is easy to exploit vulnerabilities, there are numerous ways to prevent this, including updating software on a regular basis, stopping the use of default accounts, changing security passwords at frequent intervals, and designing a strong system that will help segregate required information and encrypt the sensitive information.
“The troubling fact is that we’ll most likely continue to see these types of incidents at increasing rates in the near future,” Badhwar said.
Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com
