When there’s a cyber security incident, technology is often the first to take the blame, but it’s important to know that many weaknesses manifest in networks, systems, devices and software because they haven’t been deployed and configured correctly, or in some cases, they are still set to a default configuration.
In the 2022 DCMS Cyber Security Breaches Survey, it came to light that only 9% of respondents have changed or updated firewall or system configurations following a breach. Worryingly, the number or organisations proactively looking at their configuration is probably even lower.
While checking your systems and networks regularly with vulnerability scans and penetration tests are a vital element of your cyber security programme, what about the configuration of your systems and the tools you use? It’s kind of like checking your bicycle to make sure the seat is the right height and tyres have the right pressure, so you’ll be safe when riding it.
So, what is the solution for mitigating the risk associated with deploying new technology in your organisation? PGI’s Head of Cyber Operations, Chris Preece looks at why build and configuration reviews should be part of your implementation process.
What is a configuration assessment?
In a nutshell, when a security consultant is undertaking a configuration review, they are looking at the configuration settings of a system/ device/piece of software and reviewing it against industry best practice security settings to ensure that your infrastructure doesn’t have any holes that an attacker could exploit.
Whether we’re looking at a laptop, switch, a cloud network, a router or a Firewall, PGI’s red team will provide you with the information you need to ‘harden’ your infrastructure against vulnerabilities and cyber threats.
Why is configuration important?
Maybe you’ve seen a news article about a data leak a cloud service? These types of breaches can often occur due to a misconfiguration which threat actors can take advantage of; such as a cloud service that is being used for storing customer data not being configured correctly for the purpose, allowing anyone—both internally and externally—to access it.
If you go to a search engine and look up “data breach AWS s3” you’ll see plenty of examples of how misconfigurations have resulted in sensitive data being accessed by unauthorised persons. As an example, back in 2019, the personal information of more than 100 million of US bank, Capital One’s credit card applicants were leaked from their cloud-based storage by a software engineer who had developed a tool to scan AWS accounts to find those that are misconfigured.
Configuration reviews are a good starting point in reducing the attack surface of your systems, and helping to protect against common attack techniques. It also makes use of the regularly updated industry researcher findings, which contribute to the security best practice we align reviews with.
What are the types of configuration reviews?
If something can be configured (and even if you’re not sure!), we recommend reviewing it. We look at everything from servers, workstations, mobile devices and cloud environments to network devices. And within each of those categories, there are a wide range of variables such as manufacturer and operating system.
The assessments we are often engaged to do are for Gold Builds, which are pre-configured templates that enable your organisation to ensure a level of consistency across corporate device builds.
As an example, many organisations will create Gold Builds for specific deployments of desktops, laptops and servers.
In these cases, PGI is looking to restrict the opportunities for an attacker to get a foothold and escalate privileges on your network. There are common techniques they will use, and when the recommendations from the reviews are applied, it can significantly impede an attacker’s use of these techniques. The reviews will also check that patching is up-to-date, adding another layer of defence to deter any would-be attacker.
Gold Build templates, assessed against industry security best practice, provide high deployment efficiency and security assurance, reducing the risk of user error.
What about ‘working from anywhere’?
If people are working outside an office, we can ensure devices are configured to mitigate the risks associated with being connected to non-corporate networks. Perhaps you need to implement a cloud storage solution to enable your teams across different locations to work efficiently. Or maybe making sure that VPNs have been set up securely.
Don’t forget to change that default set up
Build and configuration reviews should be part of a holistic approach to security. Talk to our team about highlighting and demonstrating security opportunities that could be implemented to ‘harden’ your technical infrastructure and increase its resilience.
Contact us today to talk about how we can help.
Insights
Trust & Safety: A look ahead to 2025
Working within the Trust and Safety industry, 2024 has been PGI’s busiest year to date, both in our work with clients and our participation in key conversations, particularly around the future of regulation, the human-AI interface, and child safety.
Lies, damned lies, and AI - Digital Threat Digest
At their core, artificial systems are a series of relationships between intelligence, truth, and decision making.
A pointless digital jigsaw - Digital Threat Digest
Feeding the name of a new criminal to the online OSINT community is like waving a red rag to a bull. There’s an immediate scramble to be the first to find every piece of information out there on the target, and present it back in a nice network graph (bonus points if you’re using your own network graph product and the whole thing is a thinly veiled advert for why your Ghunt code wrap with its purple-backlit-round-edged-dynamic-element CSS is better than everyone else’s).