The Graylog blog

Security Misconfigurations: A Deep Dive

Managing configurations in a complex environment can be like playing a game of digital Jenga. Turning off one port to protect an application can undermine the service of a connected device. Writing an overly conservative firewall configuration can prevent remote workforce members from accessing an application that’s critical to getting their work done. In the business world that runs on Software-as-a-Service (SaaS) applications and the Application Programming Interfaces (APIs) that allow them to communicate, a lot of your security is based on the settings you use and the code that you write.


Security misconfigurations keep creeping up the OWASP Top 10 lists for web applications, APIs, and mobile applications because they are weaknesses that can be difficult to detect until an attacker uses them against you. With insight into what security misconfigurations are and how to mitigate the risk, you can create the programs and processes that help you protect your organization.

What are Security Misconfigurations?

Security misconfigurations are insecure settings, very often vendor defaults that were never changed, that remain in place during and after system deployment. They can occur anywhere within the organization’s environment because they can arise in:

  • Operating systems
  • Network devices and their settings
  • Web servers
  • Databases
  • Applications


Organizations typically harden their environment by changing settings to limit where, how, when, and with whom technologies communicate. Some examples of security misconfigurations include failing to:

  • Disable or uninstall unnecessary features, like open ports, services, accounts, unused API HTTP verbs, and debug-level API logging that exposes internals
  • Change default passwords
  • Limit the information that error messages send to users
  • Update operating systems, software, and APIs with security patches
  • Set secure values for application servers, application frameworks, libraries, and databases
  • Use Transport Layer Security (TLS) for APIs
  • Restrict Cross-Origin Resource Sharing (CORS) to the origins that actually need it


Security Misconfigurations: Why Do They Happen?

Today’s environments consist of complex, interconnected technologies. While all the different applications and devices make business easier, they make security configuration management far more challenging.


Typical reasons that security misconfigurations happen include:

  • Complexity: Highly interconnected systems make it difficult to identify and implement every security configuration that matters.
  • Patches: Updating software and systems can have a domino effect across interconnected technologies that silently changes a configuration’s security properties (a patch may reset a hardened setting to its default).
  • Hardware upgrades: Adding new servers or moving to the cloud changes configurations at both the hardware and the software level.
  • Troubleshooting: Fixing a network, application, or operating system issue to maintain availability (turning on debug output, opening a port) may weaken other configurations, and the temporary fix often never gets reverted.
  • Unauthorized changes: Failing to follow change management processes when adding technologies or fixing issues can affect interconnections, for example a user granting an unsanctioned web application OAuth access to their corporate email.
  • Poor documentation: Failing to document baselines and configuration changes leaves you without visibility across the environment.

Common Types of Security Misconfiguration Vulnerabilities

To protect your systems against cyber attacks, you should understand what some common security misconfigurations are and what they look like.

  • Improperly Configured Databases: overly permissive access rights, lack of authentication, or a database listening on a public interface
  • Unsecured Cloud Storage: buckets or blobs that are publicly readable or writable, lack of encryption, or weak access controls
  • Default or Weak Passwords: failure to change vendor default passwords or poor password hygiene, leading to credential-based attacks
  • Misconfigured Firewalls or Network Settings: poor network segmentation, permissive firewall rules, open ports left unsecured
  • Outdated Software or Firmware: failing to install software, firmware, or API security updates or patches that fix known bugs
  • Unsafe Outbound Links: opening pages with target="_blank" without rel="noopener" or rel="noreferrer", which lets the opened page manipulate the opening page (reverse tabnabbing); modern browsers now imply noopener for target="_blank", but older ones do not
  • Unneeded Services/Features: leaving network services available and ports open, like web servers, file share servers, proxy servers, FTP servers, Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), and Secure Shell (SSH)
  • Inadequate Access Controls: failure to implement and enforce access policies that limit what users can do, like the principle of least privilege for user access, deny-by-default for resources, or missing API authentication and authorization
  • Unprotected Folders and Files: predictable, guessable file names and locations (backup files, exposed version-control directories, directory listings) that reveal critical systems or data
  • Improper Error Messages: API error messages returning data such as stack traces, system information, database structure, or custom signatures
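
Many of the items in the two lists above (the "failing to" list under What are Security Misconfigurations? and the categories just listed) can be checked mechanically once the configuration is parsed. The following Python script is an added example, not code from this post or from Graylog; it audits a constructed application configuration and reports each misconfiguration it finds. The key names (debug, admin_password, tls_enabled, cors_allowed_origins, directory_listing, enabled_services, allowed_http_methods), the default-credential list and the service names are assumptions standing in for whatever your real settings file exposes.

```python
"""Audit a parsed application configuration for common misconfigurations.

Added example: the configuration keys, the default-credential list and the
service names are assumptions for illustration, not any product's real
settings schema."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed "as deployed" configuration that still carries vendor defaults.
INSECURE_CONFIG = {
    "debug": True,                          # stack traces go back to clients
    "admin_user": "admin",
    "admin_password": "admin",              # unchanged vendor default
    "tls_enabled": False,
    "cors_allowed_origins": ["*"],
    "cors_allow_credentials": True,
    "directory_listing": True,
    "enabled_services": ["https", "ftp", "telnet", "vnc"],
    "allowed_http_methods": ["GET", "POST", "PUT", "DELETE", "TRACE"],
}

# The same settings after hardening.
HARDENED_CONFIG = {
    "debug": False,
    "admin_user": "ops-admin",
    "admin_password": "<set from a secrets manager>",   # placeholder, not a real secret
    "tls_enabled": True,
    "cors_allowed_origins": ["https://app.example.com"],
    "cors_allow_credentials": True,
    "directory_listing": False,
    "enabled_services": ["https"],
    "allowed_http_methods": ["GET", "POST"],
}

# Assumed reference lists for the checks.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")}
CLEARTEXT_OR_LEGACY_SERVICES = {"ftp", "telnet", "vnc", "rsh", "tftp"}
RISKY_HTTP_METHODS = {"TRACE", "TRACK"}


@dataclass
class Finding:
    key: str
    severity: str   # "critical" | "high" | "medium"
    message: str


def audit(config: dict) -> list[Finding]:
    """Return one Finding per misconfiguration; an empty list means clean."""
    findings: list[Finding] = []

    if config.get("debug"):
        findings.append(Finding("debug", "high",
                                "debug mode leaks stack traces and internals in error responses"))

    creds = (config.get("admin_user", ""), config.get("admin_password", ""))
    if creds in DEFAULT_CREDENTIALS or not creds[1]:
        findings.append(Finding("admin_password", "critical",
                                f"default or empty credential for user {creds[0]!r}"))

    if not config.get("tls_enabled", False):
        findings.append(Finding("tls_enabled", "high",
                                "TLS disabled: credentials and data cross the network in cleartext"))

    origins = config.get("cors_allowed_origins", [])
    if "*" in origins or "null" in origins:
        # Browsers reject a literal "*" together with credentials, but servers
        # that implement the wildcard by echoing the request Origin do not get
        # that protection, so treat wildcard + credentials as the worst case.
        severity = "critical" if config.get("cors_allow_credentials") else "medium"
        findings.append(Finding("cors_allowed_origins", severity,
                                "CORS allows any origin (wildcard or 'null')"))

    if config.get("directory_listing"):
        findings.append(Finding("directory_listing", "medium",
                                "directory listing exposes file names and locations"))

    legacy = sorted(set(config.get("enabled_services", [])) & CLEARTEXT_OR_LEGACY_SERVICES)
    if legacy:
        findings.append(Finding("enabled_services", "high",
                                f"unneeded or cleartext services enabled: {', '.join(legacy)}"))

    risky = sorted(set(config.get("allowed_http_methods", [])) & RISKY_HTTP_METHODS)
    if risky:
        findings.append(Finding("allowed_http_methods", "medium",
                                f"diagnostic HTTP methods enabled: {', '.join(risky)}"))

    return findings


if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print(f"  [{f.severity}] {f.key}: {f.message}")
```

Running it prints seven findings for the insecure configuration and none for the hardened one. The CORS check rates a wildcard as critical only when credentials are also allowed, which is the combination that matters for an authenticated API; a wildcard on a public, unauthenticated endpoint is a lesser problem.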

Best Practices for Preventing Security Misconfiguration Vulnerabilities

As you connect more SaaS applications and use more APIs, monitoring for security misconfigurations becomes critical to your security posture.

Implement a hardening process

Hardening is the process of choosing the configurations for your technology stack that limit unauthorized external access and use, and of removing functionality you do not need. Rather than inventing these from scratch, many organizations use the CIS Benchmarks, which provide configuration recommendations for over twenty-five vendor product families. Organizations in the Defense Industrial Base (DIB) use the Security Technical Implementation Guides (STIGs) that the Department of Defense (DoD) publishes through the Defense Information Systems Agency (DISA).


Your hardening processes should include a change management process that:

  • Sets and documents baselines
  • Identifies changes in the environment
  • Reviews whether changes are authorized
  • Allows, blocks, or rolls back changes as appropriate
  • Updates baselines and documentation to reflect allowed changes
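
The five-step loop above, as an added example in Python that is not part of this post or of Graylog: managed files are fingerprinted with a whitespace-normalised SHA-256, the baseline is a map of path to fingerprint, and an approved change record carries the content the change ticket authorised. The file contents, paths and ticket number are constructed, and the baseline and change-record formats are assumptions for illustration.

```python
"""Configuration drift detection for a change-management loop: baseline,
detect change, decide whether it was authorized, roll back or accept, update
the baseline. Added example: the file contents, the baseline format and the
change-record format are constructed for illustration and are not Graylog's
or any vendor's format."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


def fingerprint(content: str) -> str:
    """SHA-256 of a config file after normalising line endings and trailing
    whitespace, so cosmetic edits do not register as drift."""
    lines = content.replace("\r\n", "\n").splitlines()
    canonical = "\n".join(line.rstrip() for line in lines)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Step 1: the documented baseline (constructed sample files).
BASELINE_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\nPort 22\n",
    "/etc/app/app.conf": "debug = false\ntls = true\ncors_origins = https://app.example.com\n",
}
BASELINE = {path: fingerprint(text) for path, text in BASELINE_FILES.items()}

# Approved change records as change management would log them.
CHANGE_RECORDS = [
    {"ticket": "CHG-1042", "path": "/etc/ssh/sshd_config",
     "new_content": "PermitRootLogin no\nPasswordAuthentication no\nPort 2222\n"},
]
APPROVED = {(r["path"], fingerprint(r["new_content"])): r["ticket"] for r in CHANGE_RECORDS}

# Step 2: what is on the host now (constructed): the approved port change,
# plus debug switched on during troubleshooting and never ticketed.
OBSERVED_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\nPort 2222\n",
    "/etc/app/app.conf": "debug = true\ntls = true\ncors_origins = https://app.example.com\n",
}


@dataclass
class Drift:
    path: str
    status: str            # unchanged | approved | unauthorized | missing | unexpected
    ticket: str | None = None


def detect_drift(baseline: dict, observed: dict, approved: dict) -> list[Drift]:
    """Steps 2-3: compare each managed file with the baseline and classify it."""
    results = []
    for path, base_hash in baseline.items():
        if path not in observed:
            results.append(Drift(path, "missing"))
            continue
        current = fingerprint(observed[path])
        if current == base_hash:
            results.append(Drift(path, "unchanged"))
        elif (path, current) in approved:
            results.append(Drift(path, "approved", approved[(path, current)]))
        else:
            results.append(Drift(path, "unauthorized"))
    for path in sorted(observed.keys() - baseline.keys()):
        results.append(Drift(path, "unexpected"))   # file nobody baselined
    return results


def reconcile(baseline: dict, observed: dict, approved: dict) -> tuple[dict, list[str]]:
    """Steps 4-5: list files to roll back to baseline content and return the
    baseline updated with approved changes. Rolling back means rewriting the
    file from BASELINE_FILES; this example only reports what would be done."""
    new_baseline = dict(baseline)
    rollbacks = []
    for d in detect_drift(baseline, observed, approved):
        if d.status == "approved":
            new_baseline[d.path] = fingerprint(observed[d.path])
        elif d.status in ("unauthorized", "missing"):
            rollbacks.append(d.path)
    return new_baseline, rollbacks


if __name__ == "__main__":
    for d in detect_drift(BASELINE, OBSERVED_FILES, APPROVED):
        print(f"{d.status:12s} {d.path}" + (f"  ({d.ticket})" if d.ticket else ""))
    _, to_roll_back = reconcile(BASELINE, OBSERVED_FILES, APPROVED)
    print("roll back:", to_roll_back)
```

Run stand-alone it reports the sshd port change as approved under CHG-1042 and the app.conf change as unauthorized, so only app.conf goes on the rollback list and only sshd_config moves the baseline forward. Normalising the content before hashing matters: without it, a tool that rewrites line endings would flood the review queue with false drift.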

Implement a vulnerability management and remediation program

Vulnerability scanners identify known common vulnerabilities and exposures (CVEs) on network-connected devices by matching the software versions they observe against a database. Most misconfigurations have no CVE, so catching them also needs authenticated scans with configuration-audit policies (the CIS Benchmarks are a common source) rather than version matching alone. Your vulnerability management and remediation program should:

  • Define critical assets: know the devices, resources, and users that impact the business the most
  • Assign ownership: identify the people responsible for managing and updating critical assets
  • Identify vulnerabilities: use penetration tests, red teaming, and automated tools, like vulnerability scanners
  • Prioritize vulnerabilities: combine a vulnerability’s severity and exploitability to determine the ones that pose the highest risk to the organization’s business operations
  • Identify and monitor key performance indicators (KPIs): set metrics to determine the program’s effectiveness, including number of assets managed, number of assets scanned per month, frequency of scans, percentage of scanned assets containing vulnerabilities, percentage of vulnerabilities fixed within 30, 60, and 90 days
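
Prioritisation and the remediation KPIs from the list above, as an added example in Python that is not code from this post or from Graylog. The findings, the asset criticality tiers, the doubling factor for known-exploited bugs and the reporting date are constructed assumptions; a real program would take the exploited flag from a feed such as CISA's Known Exploited Vulnerabilities catalog.

```python
"""Prioritise vulnerability findings by severity, exploitability and asset
criticality, then compute 30/60/90-day remediation KPIs. Added example: the
findings, the criticality tiers and the scoring weights are constructed
assumptions for illustration, not a standard."""
from __future__ import annotations

from datetime import date

# Constructed scanner export. "known_exploited" would come from a feed such
# as CISA's Known Exploited Vulnerabilities catalog; here it is just a flag.
FINDINGS = [
    {"id": "F1", "asset": "db-prod-01", "cvss": 9.8, "known_exploited": True,
     "found": date(2024, 1, 2), "fixed": date(2024, 1, 10)},
    {"id": "F2", "asset": "web-prod-01", "cvss": 7.5, "known_exploited": False,
     "found": date(2024, 1, 2), "fixed": date(2024, 3, 15)},
    {"id": "F3", "asset": "kiosk-07", "cvss": 9.1, "known_exploited": False,
     "found": date(2024, 1, 5), "fixed": None},
    {"id": "F4", "asset": "web-prod-01", "cvss": 5.3, "known_exploited": True,
     "found": date(2024, 1, 5), "fixed": date(2024, 2, 1)},
]

# Output of the "define critical assets" step: 1 = low impact, 3 = business critical.
ASSET_CRITICALITY = {"db-prod-01": 3, "web-prod-01": 3, "kiosk-07": 1}
AS_OF = date(2024, 6, 1)   # reporting date for the KPI run


def risk_score(finding: dict) -> float:
    """Severity (CVSS base score) scaled by exploitability and by how much the
    business depends on the affected asset. Unknown assets default to tier 1."""
    exploit_factor = 2.0 if finding["known_exploited"] else 1.0
    return finding["cvss"] * exploit_factor * ASSET_CRITICALITY.get(finding["asset"], 1)


def prioritize(findings: list[dict]) -> list[dict]:
    """Highest risk first; ties broken by CVSS so the order is deterministic."""
    return sorted(findings, key=lambda f: (risk_score(f), f["cvss"]), reverse=True)


def days_to_fix(finding: dict, as_of: date) -> int:
    """Age of the finding: time to remediation, or time open so far."""
    end = finding["fixed"] or as_of
    return (end - finding["found"]).days


def sla_kpis(findings: list[dict], as_of: date, windows=(30, 60, 90)) -> dict[int, float]:
    """Percentage of findings fixed within each window. A finding only counts
    toward a window once that window has elapsed since discovery, so a
    two-week-old open finding does not drag down the 90-day number."""
    kpis = {}
    for window in windows:
        eligible = [f for f in findings if (as_of - f["found"]).days >= window]
        if not eligible:
            kpis[window] = 0.0
            continue
        fixed_in_time = [f for f in eligible
                         if f["fixed"] is not None and (f["fixed"] - f["found"]).days <= window]
        kpis[window] = round(100.0 * len(fixed_in_time) / len(eligible), 1)
    return kpis


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        state = "open" if f["fixed"] is None else f"fixed in {days_to_fix(f, AS_OF)}d"
        print(f"{f['id']} {f['asset']:12s} risk={risk_score(f):5.1f} ({state})")
    print("fixed within window:", sla_kpis(FINDINGS, AS_OF))
```

The ranking puts F4, a CVSS 5.3 bug that is known to be exploited on a critical web server, above F2, a CVSS 7.5 bug nobody is exploiting; severity alone would have ordered them the other way. The KPI function only counts a finding toward a window once that window has passed since discovery, so fresh findings neither inflate nor deflate the percentages.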


Monitor User and Entity Activity

Security misconfigurations often lead to unauthorized access. To mitigate risk, you should implement best authentication, authorization, and access practices that include:

  • Multifactor Authentication: requiring users to provide two or more of the following: something they know (password), something they have (hardware token or smartphone authenticator), or something they are (fingerprint or face recognition)
  • Role-based access controls (RBAC): granting users the least amount of access to resources that their job functions require
  • Activity baselines: understanding normal user and entity behavior so that anomalous activity stands out
  • Monitoring: alerting on spikes in sensitive activity, like file permission changes, modifications, and deletions, across file and email servers, webmail, removable media, and DNS
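
The baseline-and-monitor idea from the last two bullets, as an added example in Python that is not part of this post and is not Graylog's detection logic: audit lines in an assumed key=value format are parsed, watched operations are counted per user per day, and the latest day is compared with each user's history. The log format, the field names and the events are constructed.

```python
"""Baseline user activity from audit log lines and flag a spike in sensitive
file operations. Added example: the log format, the field names and the
sample events are constructed for illustration and are not Graylog's format."""
from __future__ import annotations

import re
import statistics
from collections import defaultdict

# Assumed key=value audit line, e.g.
# 2024-05-01T09:00:00Z host=fs01 user=alice action=chmod path=/srv/share/report0.xlsx
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)
# Operations worth baselining: permission changes, modifications, deletions.
WATCHED_ACTIONS = {"chmod", "chown", "setacl", "modify", "delete"}


def build_sample_log() -> list[str]:
    """Constructed sample: seven quiet days, then alice deletes 40 files late
    on day eight. bob is steady throughout; reads are present but ignored."""
    days = [f"2024-05-{d:02d}" for d in range(1, 9)]
    lines = []
    for day in days:
        for n in range(2):
            lines.append(f"{day}T09:{n:02d}:00Z host=fs01 user=alice action=chmod path=/srv/share/report{n}.xlsx")
        lines.append(f"{day}T10:00:00Z host=fs01 user=bob action=modify path=/srv/share/notes.txt")
        lines.append(f"{day}T11:00:00Z host=fs01 user=bob action=read path=/srv/share/notes.txt")
    for n in range(40):
        lines.append(f"{days[-1]}T23:{n:02d}:00Z host=fs01 user=alice action=delete path=/srv/share/archive{n}.pdf")
    lines.append("malformed line that the parser must skip")
    return lines


def parse(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (day, user, action) for every watched event; skip anything else."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m["action"] in WATCHED_ACTIONS:
            events.append((m["ts"][:10], m["user"], m["action"]))
    return events


def daily_counts(events) -> dict[str, dict[str, int]]:
    counts: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for day, user, _action in events:
        counts[user][day] += 1
    return counts


def detect(lines: list[str], min_history_days: int = 5,
           z_threshold: float = 3.0, min_abs: int = 10) -> list[dict]:
    """Learn each user's mean and standard deviation of daily watched events
    over all days but the latest, then flag the latest day when it is both
    statistically unusual (z-score) and large in absolute terms. The absolute
    floor stops a user who normally does nothing from alerting on three events;
    days with no events count as zero so quiet days shape the baseline too."""
    events = parse(lines)
    days = sorted({day for day, _, _ in events})
    if len(days) < min_history_days + 1:
        return []   # not enough history to baseline anyone
    history_days, latest_day = days[:-1], days[-1]
    alerts = []
    for user, per_day in daily_counts(events).items():
        history = [per_day.get(d, 0) for d in history_days]
        latest = per_day.get(latest_day, 0)
        mean = statistics.mean(history)
        spread = statistics.pstdev(history) or 1.0   # constant history: use one event as the unit
        z = (latest - mean) / spread
        if z >= z_threshold and latest >= min_abs:
            alerts.append({"user": user, "day": latest_day, "count": latest,
                           "baseline_mean": mean, "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for a in detect(build_sample_log()):
        print(f"ALERT {a['user']} on {a['day']}: {a['count']} watched events "
              f"(baseline mean {a['baseline_mean']}, z={a['z']})")
```

On the constructed log, alice's 42 watched events on the last day (against a baseline of two a day) trip the alert; bob's constant activity does not. The absolute floor is deliberate: with a flat history the standard deviation is zero, and a z-score alone would flag any change at all.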


Implement and monitor API Security

APIs are the way that applications talk to one another, often sharing sensitive data. Many companies struggle to manage the explosion of APIs that their digital transformation strategies created, which leaves security weaknesses that attackers seek out. To mitigate these risks, you should implement a holistic API security monitoring program that includes:

  • Continuously discovering APIs across the environment
  • Scanning all API traffic at runtime
  • Categorizing API calls
  • Sorting API traffic into domain buckets
  • Automatically assessing risk
  • Prioritizing remediation action using context that includes activity and intensity
  • Capturing unfiltered API request and response details
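
Several of the steps above (discovery, domain buckets, categorisation, risk assessment, prioritising by activity and intensity, and keeping full request and response detail) in one added Python example that is not code from this post and is not Graylog API Security's rules or data model. The traffic records, the documented-endpoint inventory, the rule names and the severity weights are constructed assumptions.

```python
"""Discover API endpoints from captured request/response pairs, bucket them
by domain, assess each call against a few misconfiguration rules and rank
endpoints by activity x intensity. Added example: the traffic, the
known-endpoint inventory, the rule names and the severity weights are
constructed assumptions, not Graylog API Security's rules or data model."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed captures (not real traffic). Header names are lower-cased.
TRAFFIC = [
    {"host": "api.example.com", "method": "GET", "path": "/v1/users/1042", "status": 200,
     "req_headers": {"authorization": "Bearer <redacted>"}, "resp_headers": {},
     "body": '{"id":1042,"email":"a@example.com"}'},
    {"host": "api.example.com", "method": "GET", "path": "/v1/users/1043", "status": 200,
     "req_headers": {}, "resp_headers": {},
     "body": '{"id":1043,"email":"b@example.com"}'},          # no auth, PII returned
    {"host": "api.example.com", "method": "GET", "path": "/v1/users/1044", "status": 200,
     "req_headers": {}, "resp_headers": {},
     "body": '{"id":1044,"email":"c@example.com"}'},
    {"host": "api.example.com", "method": "POST", "path": "/v1/orders", "status": 500,
     "req_headers": {"authorization": "Bearer <redacted>"}, "resp_headers": {},
     "body": 'Traceback (most recent call last):\n  File "app/orders.py", line 88'},
    {"host": "legacy.example.com", "method": "GET", "path": "/api/export.php", "status": 200,
     "req_headers": {}, "resp_headers": {"access-control-allow-origin": "*"},
     "body": "id,name\n1,widget"},
    {"host": "api.example.com", "method": "GET", "path": "/v1/health", "status": 200,
     "req_headers": {}, "resp_headers": {}, "body": '{"status":"ok"}'},
]

# What the API team documented; anything else seen on the wire is a shadow API.
KNOWN_ENDPOINTS = {
    ("api.example.com", "GET /v1/users/{id}"),
    ("api.example.com", "POST /v1/orders"),
    ("api.example.com", "GET /v1/health"),
}

ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[0-9a-f]{24})$")
SENSITIVE_FIELD = re.compile(r'"(email|ssn|password|token|card_number)"\s*:')
STACK_TRACE = re.compile(r"Traceback \(most recent call last\)|\n\s+at [\w.$<>]+\(|Exception in thread")


def normalize_path(path: str) -> str:
    """Collapse per-record identifiers so /v1/users/1042 and /v1/users/1043 are one endpoint."""
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def endpoint_of(rec: dict) -> tuple[str, str]:
    return rec["host"], f"{rec['method']} {normalize_path(rec['path'])}"


def discover(traffic: list[dict]) -> Counter:
    """Endpoint inventory with call counts (the 'activity' signal)."""
    return Counter(endpoint_of(r) for r in traffic)


def by_domain(inventory: Counter) -> dict[str, list[str]]:
    buckets: dict[str, list[str]] = defaultdict(list)
    for (host, ep), _ in sorted(inventory.items()):
        buckets[host].append(ep)
    return dict(buckets)


def assess(rec: dict) -> list[tuple[str, int]]:
    """Rules applied to one request/response pair: (rule name, severity 1-5)."""
    hits = []
    authed = "authorization" in rec["req_headers"] or "cookie" in rec["req_headers"]
    if SENSITIVE_FIELD.search(rec["body"]) and not authed:
        hits.append(("unauthenticated-sensitive-data", 5))
    if rec["status"] >= 500 and STACK_TRACE.search(rec["body"]):
        hits.append(("stack-trace-in-error", 3))
    if rec["resp_headers"].get("access-control-allow-origin") == "*":
        hits.append(("wildcard-cors", 2))
    if endpoint_of(rec) not in KNOWN_ENDPOINTS:
        hits.append(("undocumented-endpoint", 2))
    return hits


def prioritize(traffic: list[dict]) -> list[dict]:
    """Rank endpoints by activity (calls seen) times intensity (worst rule hit)."""
    inventory = discover(traffic)
    worst: dict[tuple[str, str], int] = defaultdict(int)
    rules: dict[tuple[str, str], set] = defaultdict(set)
    for rec in traffic:
        for rule, sev in assess(rec):
            ep = endpoint_of(rec)
            worst[ep] = max(worst[ep], sev)
            rules[ep].add(rule)
    ranked = [{"endpoint": ep, "calls": inventory[ep], "intensity": worst[ep],
               "score": inventory[ep] * worst[ep], "rules": sorted(rules[ep])} for ep in worst]
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    print("domains:", by_domain(discover(TRAFFIC)))
    for r in prioritize(TRAFFIC):
        print(f"{r['score']:3d} {r['endpoint'][0]} {r['endpoint'][1]} {r['rules']}")
```

The three calls to GET /v1/users/{id}, two of them unauthenticated yet returning e-mail addresses, rank first; the single 500 with a stack trace ranks second; the undocumented legacy export with a wildcard CORS header ranks third. Ranking by calls times worst-rule severity is one simple reading of "activity and intensity", and the sensitive-data and stack-trace rules are only possible because the full request and response bodies were captured rather than status codes alone.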


Graylog Security and Graylog API Security: Helping Detect and Remediate Security Misconfigurations

Built on the Graylog Platform, Graylog Security gives you the features and functionality of a SIEM while eliminating the complexity and reducing costs. With our easy to deploy and use solution, you get the combined power of centralized log management, data enrichment and normalization, correlation, threat detection, incident investigation, anomaly detection, and reporting.


Graylog API Security is continuous API security, scanning all API traffic at runtime for active attacks and threats. Mapped to security and quality rules like OWASP Top 10, Graylog API Security captures complete request and response detail, creating a readily accessible datastore for attack detection, fast triage, and threat intelligence. With visibility inside the perimeter, organizations can detect attack traffic from valid users before it reaches their applications.


With Graylog’s prebuilt content, you don’t have to worry about choosing the server log data you want because we do it for you. Graylog Illuminate content packs automate the visualization, management, and correlation of your log data, eliminating the manual processes for building dashboards and setting alerts.

