OWASP Top 10 Part 6: Security Misconfiguration


Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
OWASP Top 10, number 6: Security misconfiguration.

In this lesson, we're talking about the risks and impacts of security misconfiguration. Then we're going to go into some of the techniques to address security misconfiguration.

What is a security misconfiguration? Well, it really can be a number of different things. If there are various ports or services that are left open, if the permissions are improperly configured within the application, if you leave default accounts or passwords on a system, those all could be construed as security misconfigurations. Also, if you're not really keeping your system up to date when known vulnerabilities and patches are out there, adversaries and attackers will continue to attempt to exploit flaws that are out there in your system.

One of the main issues that results in security misconfiguration is lack of hardening. Basically, any time an application is being developed, its libraries, its services, from the front end to the back end, all of those elements really need to be securely configured so that there are no unnecessary services running on there, and that they are being patched and kept up to date. This is really called reducing the overall attack surface, meaning the available area that the attacker can even peruse and try to exploit.

When there are misconfigurations, this can enable an attacker to gain unauthorized access, or gain knowledge of the system that they can use to identify future vulnerabilities to continue their attack.

The best prevention for security misconfiguration is effective system hardening: just removing anything that's not truly necessary for the performance of the application, then making sure that you're patching at an appropriate cadence to address vulnerabilities.

One note I'll say is that expectations related to patching cadence have gone up significantly. There is a massive vulnerability related to Microsoft Exchange Server. Microsoft waited three months to provide a patch for that, which may have been exceptional in the past. However, some 80,000 [LAUGHTER] Exchange servers were compromised in the meantime, before that patch came out. That just shows how the expectations, and how quickly vulnerabilities are exploited in the wild, have gone up significantly. Make sure you patch your systems quickly.

Then also train employees regarding how to securely configure applications, and make sure that they are reviewing any changes that they make afterwards to ensure that things aren't left unpatched, or that default accounts aren't left on the system.

Quiz question. Addressing security misconfigurations by removing default accounts, passwords, and services also reduces which of the following? One, the hypervisor; two, cloud costs; or three, the attack surface? If you said the attack surface, you're correct. Basically, we want to remove anything that could potentially have vulnerabilities on it in order to make the attacker's job more difficult.

In summary, we talked about security misconfigurations. We talked about the potential exploit, or the impact, of security misconfigurations: unauthorized access, and then also just providing more reconnaissance for the attacker to perpetuate future attacks. Then we talked about the methods to address this exploit, namely training, effective patching, and system hardening. I'll see you in the next lesson.