What are misconfigurations?
It may be odd to think that in a digital landscape peopled with hackers, scammers, and crooks, all bent on obtaining and profiting off of private data stolen from governments and corporations, the biggest and most pervasive form of cyber risk comes from: you. Not external, malicious actors, like the kind of blackhat hackers responsible for some of the largest data breaches in recent history, nor even the state-sponsored cyber crime rings that recur in news reports. Such bad guys are certainly willing and able to exploit your errors, but the truth of the single biggest vector for cyber risk is far more prosaic and overlooked.
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.
If this problem is a very common one that is woefully underexamined and of great risk to the integrity of digital systems, the good news is that there is a solution. By fostering cyber resilience, gaining full visibility into and control over the IT toolchain with real-time awareness of systems’ actual states, enterprises can ensure that the costliest effects of misconfiguration are avoided.
A misconfiguration is, in essence, the configuration of a digital system’s settings in such a way that the system behaves in a way contrary to expectations. Such a result is all too easy to have occur in an IT environment, particularly one operating at scale; whether through human error, a software update or patch, or a technical malfunction, it doesn’t take much for the state of an IT system to change in a way contrary to expectation.
The problem is not that such errors occur; they are probably unavoidable, the cost of doing business on risk surfaces that invite at least some level of possible dysfunction. The real trouble is that for most cyber enterprises, such misconfigurations are not quickly identified and remediated. Lacking full, accurate, and constantly updated knowledge of the actual state of IT systems, the misconfiguration lurks somewhere in the background, waiting to perhaps cause downtime and system crashes, expose sensitive data to public access, or permit unauthorized access through backdoors.
This is not an academic or theoretical concern; it is an active threat vector that has already exacted a massive cost for a number of major enterprises. As seen with Amazon’s February 2017 outage, one miskeyed command resulted in major system failures, showing how a simple human error was able to significantly disrupt the operations of one of the world’s most lucrative websites. A January 2015 outage of Facebook, sparked when the company “introduced a change that affected our configuration systems,” spread to sites like Tinder and Instagram that rely upon Facebook accounts for user authentication, showing how widely one misconfiguration can affect the wider IT ecosystem.
Downtime, while costly and damaging, is hardly the most serious possible outcome resulting from misconfigured systems. As seen through UpGuard’s work finding and helping to secure data exposures from firms linked to such enterprises as the Republican National Committee and Verizon, the sensitive information of millions of people can easily be exposed by misconfigured systems — to be found and used by whatever members of the public come to download the data.
Lacking the ability to know when a misconfiguration is occurring forecloses on the possibility of doing something about it before damage can occur. If an enterprise cannot trust in its systems, the IT infrastructure may be doing more harm than good to the overall health and reputation of the organization.
Fortunately, there is a simple set of solutions that, while straightforward, must be robustly employed to be effective. By gaining full visibility into the real states of IT systems, and knowing when unplanned changes occur, IT professionals can catch misconfigurations as they occur, remediating them easily and quickly. With the scale of many modern data centers becoming enormous, any other effort would be a constant search for needles in haystacks, an unsustainable and unnecessarily onerous task. By effecting cyber resilience for digital systems, administrators can know and trust in their systems, allowing them to keep service interruptions and self-inflicted risks to a minimum.
Over time, IT systems and their configuration items (CIs) invariably move towards a state of disorder. Left unchecked, these continuous changes to the environment’s software and hardware result in performance degradation, unanticipated downtime, data loss, non-compliant systems, cybersecurity events, and data breaches.
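The drift-detection idea described above (an approved baseline for each configuration item, a scan of the actual state, and an alert when they diverge) as an added example that is not part of the original post or of UpGuard's product; the CI names, settings and the list of exposure-relevant keys are constructed for illustration:

```python
"""Compare an approved baseline of configuration items (CIs) with an observed
inventory and report drift, ranking changes that can expose data highest."""
import hashlib
import json

# Assumption: settings whose drift can expose data or open access.
SENSITIVE_KEYS = {"public_access", "auth_required", "tls_enabled", "allowed_cidrs"}

# Constructed sample data: the approved state of three CIs.
BASELINE = {
    "storage-bucket-1": {"public_access": False, "versioning": True},
    "web-frontend": {"tls_enabled": True, "auth_required": True, "max_conn": 500},
    "api-server": {"allowed_cidrs": ["10.0.0.0/8"], "log_level": "info"},
}

# Constructed sample data: what an inventory scan actually observed.
OBSERVED = {
    "storage-bucket-1": {"public_access": True, "versioning": True},  # exposure
    "web-frontend": {"tls_enabled": True, "auth_required": True, "max_conn": 800},
    "db-replica-3": {"public_access": False},  # CI nobody approved
}


def fingerprint(ci):
    """Stable hash of a CI's settings so unchanged CIs are skipped cheaply."""
    return hashlib.sha256(json.dumps(ci, sort_keys=True).encode()).hexdigest()


def detect_drift(baseline, observed):
    """Return one finding per missing CI, unmanaged CI, or changed setting."""
    findings = []
    for name in sorted(set(baseline) | set(observed)):
        if name not in observed:  # approved CI vanished (outage or deletion)
            findings.append({"ci": name, "key": None, "severity": "high",
                             "expected": "present", "actual": "missing"})
            continue
        if name not in baseline:  # CI exists but was never approved
            findings.append({"ci": name, "key": None, "severity": "medium",
                             "expected": "absent", "actual": "unmanaged"})
            continue
        if fingerprint(baseline[name]) == fingerprint(observed[name]):
            continue  # no drift on this CI
        for key in sorted(set(baseline[name]) | set(observed[name])):
            exp, act = baseline[name].get(key), observed[name].get(key)
            if exp != act:
                sev = "high" if key in SENSITIVE_KEYS else "low"
                findings.append({"ci": name, "key": key, "severity": sev,
                                 "expected": exp, "actual": act})
    return findings
```

Running `detect_drift(BASELINE, OBSERVED)` on the sample data flags the bucket that went public and the missing API server as high severity, the unapproved replica as medium, and the connection-limit change as low.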