Did you hear about the hacking attack carried out a few years ago on AT&T that resulted in exposing the contact details of more than 100,000 iPad users that were stored on their system? It was one of the high-profile attacks that targeted a “security misconfiguration” vulnerability in AT&T’s system architecture.
That was not a one-off case. Online restaurant review site Zomato was also involved in a similar user confidentiality breach. A hacker exploited a known component vulnerability in Zomato’s web portal to retrieve the personal details of more than 62.5 million Zomato users, including their Instagram access tokens. Similar security breaches have been reported in the past that took advantage of insecure configuration of system components to compromise the security of distributed systems.
(Related: Two doses of Big Data beats one)
What is security misconfiguration?
Security misconfiguration is nothing but incorrectly configuring the security gateways in a web environment. The term commonly refers to the security threats that arise due to insecure configuration of underlying components in a web-based environment. Security weaknesses found in the configuration of a system may result in compromising the security of the environment, either partially or entirely.
Big Data and security misconfiguration
Security Misconfiguration vulnerabilities can affect any Big Data project that requires access to cloud-based resources over the web. As more and more Big Data initiatives are getting adapted to cloud-based solutions, platforms and applications, there is an ever-increasing risk of web-based security breaches related to configuration flaws in underlying systems, modules and components.
Common security misconfigurations that can affect your Big Data project
There are seven critical target areas in a web-based environment that are often targeted by attackers. Typical root causes for such vulnerabilities include implementation flaws, configuration errors and unchanged default settings. Let’s take a closer look at each of the seven soft targets that are susceptible to potential security misconfigurations.
- Unnecessary features/services in enabled state
A Big Data application is usually bundled with lots of features and services. Most of the projects won’t need all of these features. So what’s the point in keeping a certain feature/service in active mode if you are never going to use that? Disable all the unnecessary features and services right away. Doing so will save significant amount of server resources and minimize the threat surface area.
- Using default accounts
It is common for an application to have a default user account with administrative privileges, which is another soft target for the attackers. In a production environment, do away with all the default accounts and settings. If you need to use the default account for some reasons, then change the default password immediately and keep the new one safe.
- Overexposure of debugging information
Debugging information and error messages are vital for the developers and sys admins to find the root cause of a failure event. However, what if an attacker manages to get hold of those notifications? Detailed error messages can provide him enough information to compromise the security of your system. So it is a good practice to hide those details from general users and make them available only to the administrative users.
- Misconfigured SSL certificates
It is a common practice to safeguard sensitive data over the web by means of SSL encryption. Configuring SSL the right way is essential to establish secure connectivity between the end-user systems and hosted application on the cloud. Improper encryption key generation and management is a serious concern. The keys must be secured using a strong encryption algorithm. Ensure that sensitive data is kept under the wrap of encryption while being stored and transmitted. SSL gateways must be properly validated with penetration testing for detecting any potential vulnerabilities.
- Improper file and directory permissions
File and directory level permission is another area that is susceptible to hacking attempts. It is important to have well-defined user roles to prevent misuse of access rights. Any default access settings must be overruled with a proven access-control mechanism. Grant access privileges to individual users according to their needs. It’s a good idea to create a security policy to govern file and directory permission rights. Password-protected folders and directory structures can also be used to prevent unauthorized access to protected data.
- Improper authentication with external systems
Gone are the days of standalone systems that could cater to all computational needs. Nowadays Big Data initiatives involve using a wide array of systems and modules. It is important to safeguard the authentication gateways while integrating multiple systems. Each independent module must have its own set of user authentication functions. Implementing strict authentication mechanism for external systems is the way to achieve enhanced security. Ensure that the users are required to provide valid credentials (username/password) to access external systems and modules.
- Unpatched security flaws
Security is a continuous process. No system is 100% secure. New threat areas can be detected over time. Software manufacturers and application developers are constantly working to figure out the emerging threats to devise appropriate patches. It is a good practice to update your system with latest security patches as soon as they are released by the manufacturers.
Security misconfiguration vulnerabilities in Big Data projects can occur at any level, including (but not limited to) the business intelligence platform, web server console, applications hosted on the cloud, cloud-based storage mediums, and even the custom code modules. The need of the hour is to ensure that application developers and system administrators are working together to bridge the security lapses. The entire application stack has to be configured properly to prevent potential data security breaches.