
Are There Glaring Gaps in Your Security Posture?

Written by Ilan Mintz | Oct 1, 2024 9:49:34 AM

Endpoint configurations are essential to good security. That’s always been the case, but it rings even truer with each passing year. In some ways, endpoint configurations are your first line of defense. In other cases, they’re your last line. In all cases though, they’re critical. And yet they’re often overlooked and under-attended. More often than not, the consequences are harsh. 

More than 70% of organizations maintain major misconfigurations that put them in a persistent state of risk, a fact that bad actors parlay into some 2,500 successful configuration-rooted ransomware attacks every year.

Those statistics are scary, but they’re certainly not surprising. At GYTPOL we like to say that insecurity anywhere is tantamount to insecurity everywhere. Which is why we focus on the configuration layer and its potential to dramatically improve hygiene across the entire organization.

Even with the most robust hardware and security protocols, a single misstep in configuration can open the floodgates to cybercriminals seeking to exploit weaknesses. Thankfully, risks do tend to concentrate in certain places, making it a lot easier for organizations serious about their security posture to focus and improve. We’ve identified two of the most common and most critical configuration-layer gaps that put organizations at undue risk. 

In this blog post, we'll delve deeper into the consequences of misconfigurations in network devices and interior security lapses that open the door for lateral movement.

Easy to Make, Easy to Miss: Misconfigured Network Devices

Network devices — such as routers, switches, and firewalls — serve as the backbone of any organization’s security infrastructure. When misconfigured, they leave gaping holes in your defenses, which can be exploited by cybercriminals. According to Gartner, 99% of all firewall breaches are caused by improper device configurations. Incorrect settings, outdated rules, or the lack of proper enforcement mechanisms can create significant security gaps that attackers are quick to exploit. 

Misconfigurations often arise in areas such as access control, network protocols, and firewall rule sets. For example, it is not uncommon for outdated firewall rules to allow deprecated services, or for routers to expose internal networks to the public internet due to incorrect settings. Improperly configured Access Control Lists (ACLs) are particularly problematic. ACLs are essential for restricting access to network resources, but if configured incorrectly, they can grant unauthorized users access to critical systems.

For instance, Cisco VTY lines allow remote access to network devices. A typical misconfiguration occurs when Telnet, an unencrypted protocol, is left enabled (for example through “transport input all”) instead of restricting the line to SSH, which encrypts the session. When organizations fail to secure these VTY lines, attackers can intercept login credentials and gain administrative access.

Logic mistakes, rooted in human error, are another common source of network misconfiguration. Since ACL rules are processed sequentially and the first matching rule wins, the right rule in the wrong place may never take effect. And there’s no immediate indication when this occurs, creating a perfect breeding ground for security time bombs. So even if you’ve denied traffic from a specific IP, that instruction may be superseded by a prior, more permissive rule you didn’t notice.

Directionality is not just important in the order of your ACL rules, but in the communications they oversee. Inbound and outbound traffic are treated separately. So it’s not uncommon to see rules written for “out” that were meant to be written for “in”. Again it’s not immediately obvious when this happens and it may not be noticed until it bears consequence. In most cases, those consequences are not the good type.
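As an added example (not GYTPOL’s tooling or code from the post), a small Python audit over a constructed Cisco IOS-style config fragment: it flags VTY lines that accept anything other than SSH, and it finds ACL entries that an earlier, broader entry in the same list silently overrides, the “right rule in the wrong place” problem described above. The config text, function names and ACL name are assumptions made for the example.

```python
import re
import ipaddress

# Constructed IOS-style running-config excerpt (illustrative, not from the post).
SAMPLE_CONFIG = """\
ip access-list extended MGMT-IN
 permit ip 10.0.0.0 0.255.255.255 any
 deny ip host 10.1.2.3 any
 permit tcp any any eq 22
line vty 0 4
 transport input all
"""

def insecure_vty_lines(config):
    """VTY blocks whose 'transport input' is not SSH only (e.g. 'all' or 'telnet')."""
    blocks = re.findall(r"^line vty (\d+ \d+)\n((?: .*\n)*)", config, re.M)
    return [vty for vty, body in blocks if not re.search(r"^ transport input ssh$", body, re.M)]

def _addr(tok, i):  # one IOS address spec: any | host A | A WILDCARD -> (network, next index)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def acl_entries(config):
    """(acl, action, proto, src, dst, trailing qualifiers) for each extended ACL entry."""
    entries, current = [], None
    for line in config.splitlines():
        tok = line.split()
        if line.startswith("ip access-list extended "):
            current = tok[3]
        elif current and tok and tok[0] in ("permit", "deny"):
            src, i = _addr(tok, 2)
            dst, i = _addr(tok, i)
            entries.append((current, tok[0], tok[1], src, dst, tok[i:]))
        elif not line.startswith(" "):
            current = None          # any unindented line ends the ACL block
    return entries

def shadowed_rules(config):
    """Entries an earlier, broader same-ACL entry (no port qualifiers) always matches first."""
    entries, hits = acl_entries(config), []
    for j, (acl, act, proto, src, dst, _) in enumerate(entries):
        for acl0, act0, proto0, src0, dst0, extra0 in entries[:j]:
            if (acl0 == acl and not extra0 and proto0 in ("ip", proto)
                    and src.subnet_of(src0) and dst.subnet_of(dst0)):
                hits.append((acl, j, act0, act))   # (acl, shadowed index, earlier action, its action)
                break
    return hits
```

On the sample, the `deny` for host 10.1.2.3 is reported as shadowed by the preceding `permit` for 10.0.0.0/8, and `line vty 0 4` is reported because `transport input all` still admits Telnet.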

A notable example of the dangers of network device misconfigurations is the recent OWASP data breach, where a misconfigured server exposed résumés and personal information submitted between 2006 and 2014. The misconfiguration left the information accessible online, including names, addresses, phone numbers, and email addresses. This breach demonstrates how easily sensitive data can be exposed when security configurations are not properly enforced or monitored. 

Although OWASP responded quickly to remove the exposed data, the breach underscored the potential harm caused by improper device configurations, especially when outdated systems or data repositories are involved. It’s a reminder that even long-standing, seemingly dormant systems need continuous review to prevent data leaks and unauthorized access.

How to Fix It:

  • Conduct frequent audits of network device configurations to ensure that firewall rules, access controls, and other settings are correctly applied and remain current.
  • Apply strict change control procedures, particularly for critical network devices, and ensure that every change is followed by a post-change validation to check for unintended security gaps.
  • Use automated tools that provide continuous monitoring and remediation of network configurations.

The Cost of Poor Cyber Hygiene: Lateral Movement

Fortify the perimeter and relax. It sounds almost silly now, but there was a time not too long ago when this was the prevailing philosophy of security professionals. If only it were that easy! Nowadays, it’s pretty much a universally accepted best practice to architect our environments assuming the perimeter can and will be breached. In the interior, it often comes down to strong hygiene. Without it, it’s easy for intruders to move laterally.

Lateral movement is a common technique used by attackers to navigate through a network and access more sensitive or high-value targets. Lateral movement is often the difference between a breach that is quickly contained and closed and one that brings an organization to its knees.

According to VMware’s Global Incident Response Threat Report, lateral movement was observed in 25% of tracked attacks. Once inside the network, attackers use this strategy to expand their control and reach more critical systems, often without detection.

A lateral movement attack usually begins with gaining an initial foothold in a low-value or low-security system. From there, attackers move laterally across the network, hopping from device to device or system to system, escalating privileges, and exfiltrating valuable data.

Insecure configurations open the doors to lateral movement, increasing the scope and severity of breaches. When trying to move laterally, nothing makes an attacker's life easier than default credentials, mis-applied group policies, ineffective scripts, neglected admins, and general configuration drift. And once attackers can move laterally, they can bypass security measures intended to protect more critical parts of your network.

A recent example of the risks associated with lateral movement occurred during the Capital One data breach in 2019, where a former Amazon Web Services employee exploited a misconfigured firewall in Capital One’s cloud infrastructure. This allowed her to move laterally within the environment, eventually accessing and exfiltrating sensitive information belonging to over 100 million customers. Despite firewalls being in place, the misconfiguration created a vulnerability that went unnoticed until the damage was done.

This highlights the importance of tight system housekeeping and security management, especially on local systems and settings that may otherwise be overlooked. Better "housekeeping" ensures that each system is properly configured, and no doors are left open for attackers to exploit.

Lateral movement not only complicates breach containment but also increases the potential damage and long-term consequences for an organization. Closing off these pathways and maintaining a tightly run ship is critical for network security.

How to Fix It:

  • Implement strict network segmentation and micro-segmentation to compartmentalize sensitive systems and data. 
  • Monitor and manage endpoints with best available visibility and data enrichment – allowing for more effective and granular least privilege access policies.
  • Think beyond the perimeter. Treat each local device, system, and service setting as a key chokepoint. Policies must be applied in line with best practices not for the sake of pedantry, but for the sake of security.
    • If you can make it hard for an adversary to move, you give your incident response team a much better chance to repel and expunge the attack.
  • Deploy advanced detection tools capable of identifying and responding to unusual patterns of behavior or unauthorized attempts to move laterally. 

Up-Tool to Overcome the Gap

Smart endpoint configurations are really important to maintaining good overall security posture. They’re also widely overlooked and under-attended. If you’re wondering how both those things can be true at the same time, the answer’s simple: configurations are a huge pain to get right and an even bigger pain to keep right. 

In this age of automation, most organizations are working without adequate supportive tooling. More often than not, it still mostly comes down to manual best efforts. That not only makes secure configuration management work a bummer, but it also makes it hard to justify in the constant juggling act of IT tasks and security projects. When it comes to reach and impact, no manual process can compete with a largely (or even partly) automated one! 

And still, ignoring misconfigured network devices or open avenues for lateral movement can leave your organization dangerously exposed. At GYTPOL we’re working to change that. We’ve developed a new generation of tools to support and ensure the security of endpoint configurations. With suitably advanced technologies, users can swiftly identify and rectify misconfigurations before attackers bring them to the fore.

Automatically detecting security gaps and hardening configurations — including for network devices — GYTPOL effortlessly improves posture and hardens security.