COMMENTARY
The convergence of rising cyber threats, advanced artificial intelligence (AI), remote work, and hybrid infrastructures presents significant cybersecurity challenges in today's IT landscape. As a result, it is necessary to make your endpoints, cloud infrastructure, and remote access channels more secure. As cyber adversaries adopt new tactics, organizations worldwide respond by expanding the use of continuous threat exposure management (CTEM) systems, investing in robust security solutions, and leveraging cross-functional collaboration to mitigate risks and safeguard digital assets effectively.
But like Superman has kryptonite, even the best software has weaknesses, with misconfigurations leading the pack.
Consider this: Microsoft research indicates that a staggering 80% of ransomware attacks can be attributed to common configuration errors in software and devices.
Misconfigurations now hold an unenviable fifth place on the Open Worldwide Application Security Project Top 10, a crucial vulnerability reference for the cybersecurity community. OWASP found 208,000 occurrences of Common Weakness Enumeration (CWE) within 90% of applications tested for misconfiguration, highlighting the widespread nature of this vulnerability.
OWASP says, “Without a concerted, repeatable application security configuration process, systems are at a higher risk.”
With this evidence, it's no wonder that organizations are paying more attention to “misconfigurations.”
Picture This …
You're sitting down with your morning cuppa and stories of a data leak hit the headlines. The company affected is a leading insurance firm, and the personal information of thousands of customers has been made available on the Internet for months. With some research, you learn that the firm left a number of customer records unprotected on one of its clouds, making it easy for anyone to access this information via a simple SQL command. While digging through the tabloids you stumble upon the cause of such a tremendously ironic turn of events. Turns out, it was a simple misconfiguration error: The system administrator left the cloud open to the public since they missed updating the privacy settings and permissions for the cloud storage in question.
We learn that human errors, despite stringent protocols, are difficult to control and, consequently, remove. The growing complexity of distributed and component-based systems and common misunderstandings of system requirements and design will likely lead to more problems. While humans play a critical role in decision-making and monitoring systems, manual updates are no longer viable.
So, What Can You Do About It?
With all that is happening in cybersecurity, can you confidently say you have all your endpoints covered? And by all, I mean all, including the data on third-party systems. If your answer to this is yes, congratulations! You're doing better than most organizations in the world! But if your answer is no, I would like you to consider the following measures to improve the security of your systems:
- Employ automation that extends DevOps from application delivery to IT operations to DevSecOps. Automation is the remedy that will help organizations avoid manual errors. It will allow employees to use their precious time for more critical tasks while confirming that initial and ongoing configurations are error-free. By automating audits on configurations, you can create a repeatable system hardening process that will potentially save you a lot of time and money in the future. Automation will enable you to reduce human error, improve reliability, maintain consistency, and support collaboration across teams. It will also give all stakeholders visibility over the security posture of your IT estate.
- Use a policy-as-code approach to help frame your security and compliance policies or rules. Organizations can configure systems by encoding security rules in human-readable and machine-enforceable policies and continuously checking for and remediating drift. In fact, policy-as-code brings both configuration and compliance management into a single step. This removes the security silo and brings all stakeholders into a shared pipeline and framework, enabling collaboration among team members and allowing for security to be shifted left in the development process. The policy-as-code approach can help detect misconfigurations, increase efficiency and speed, and reduce the risk of production errors.
While there's a technical aspect to DevSecOps, there's also a human aspect that involves collaboration and planning. A multipronged approach that begins with collaboration across IT operations and security and compliance teams, while discussing the appropriate external and internal compliance requirements, is a critical starting point.
After understanding the configuration and policies, you can start with pre-packaged policies that align with standards such as the Center for Internet Security (CIS) Benchmarks and the Department of Defense Systems Agency-Security Technical Implementation Guides (DISA-STIG). Consider using an automated system to verify whether your configurations are consistently accurate. This, in turn, will allow your organization to handle complex and heterogeneous environments, including cloud-native public cloud services, Kubernetes configurations, and any on-premises or hybrid cloud workload.
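The policy-as-code and automated verification steps described above, as an added example that is not part of the original commentary and is not taken from any CIS or DISA-STIG content: rules are kept as data, evaluated against configuration snapshots, and new violations are reported as drift from an approved baseline. The rule IDs, resource names and configuration layout are hypothetical and the snapshots are constructed.

```python
from dataclasses import dataclass
from typing import Any, Callable

MISSING = object()  # an absent setting is a finding, never silently compliant

@dataclass(frozen=True)
class Policy:
    rule_id: str                      # hypothetical ID, not a CIS or STIG control
    kind: str                         # resource kind the rule applies to
    path: str                         # dotted path to the setting being checked
    compliant: Callable[[Any], bool]  # predicate on the value found at that path

POLICIES = [  # rules kept as data: versioned and reviewed like other code
    Policy("STOR-001", "bucket", "acl.public_access", lambda v: v is False),
    Policy("STOR-002", "bucket", "encryption.enabled", lambda v: v is True),
    Policy("K8S-001", "pod", "security_context.privileged", lambda v: v is False),
]

def lookup(node: Any, path: str) -> Any:
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node

def evaluate(resources: list, policies: list = POLICIES) -> list:
    """Return (resource name, rule_id, detail) for each violated rule."""
    findings = []
    for res in resources:
        for p in (p for p in policies if p.kind == res["kind"]):
            value = lookup(res["config"], p.path)
            if not p.compliant(value):
                detail = "not set" if value is MISSING else f"{p.path}={value!r}"
                findings.append((res["name"], p.rule_id, detail))
    return findings

def drift(baseline: list, current: list) -> list:
    """Findings in the current state that the approved baseline did not have."""
    known = {(name, rule) for name, rule, _ in evaluate(baseline)}
    return [f for f in evaluate(current) if (f[0], f[1]) not in known]

def snapshot(public: bool, pod_ctx: dict) -> list:  # constructed, not real systems
    return [{"kind": "bucket", "name": "customer-records",
             "config": {"acl": {"public_access": public}, "encryption": {"enabled": True}}},
            {"kind": "pod", "name": "billing-api", "config": pod_ctx}]

if __name__ == "__main__":
    baseline = snapshot(False, {"security_context": {"privileged": False}})
    print(*drift(baseline, snapshot(True, {})), sep="\n")
```

A setting that is missing altogether is reported as a violation, so a resource whose hardening block was deleted shows up as drift just as one whose value was changed does.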