In this lesson I'll talk about misconfiguration. By the end of the lesson, you should be able to tell me what misconfiguration is and discuss the risks and threats surrounding it.

Let's talk about what misconfiguration actually is. Just like it sounds, it's incorrectly configuring software safeguards, incorrectly configuring something else on the system, or forgetting to configure something on the system at all. This is typically more prevalent in web applications, but we can see it in any type of system, like a Windows system or a Linux system: we forget to lock something down, or we open up something that we didn't intend to open up. This is so prevalent, in fact, that it's number five on the OWASP Top Ten Security Controls. It could be ports, it could be a number of different things, but let's talk about a few specific examples.

Disabling default accounts. Wireless routers are notorious for this. Take a D-Link wireless router, for example (I haven't bought a D-Link router in a long time). What they used to do is have an admin account and then also what they called a user account. Everybody would configure the admin account with a secure password so nobody could get into it, but you know what they forgot about? They forgot to secure the user account, and then all somebody had to do was log in with the normal user account.

The next one is not setting an update schedule. In Windows, we can easily schedule updates to be performed at a certain time; in Linux it's a little bit more difficult, because you generally have to write a script to install updates, but there are definitely systems and scripts out there that can do this for you. So what does updating do? It locks down the operating system: it patches holes that the manufacturers have found.

Removing setup files.
WordPress is one of those; Drupal, Joomla and a few other web applications that a lot of people use have setup files. What the setup files do is let us browse to the directory the install files are in and run the script in order to install the software. If you forget to delete that install folder or the install script, another user can go in, rerun the setup files and do whatever they want to with that system, because the script runs with the application's privileges.

Closing open ports. I've done this a whole lot of times in Linux and in Windows: we forget to lock something down. Using insecure ports, like on LDAP, SSH or Telnet: we could be using ports that should be used securely and not insecurely. Not setting a password is another thing, such as anonymous access on an FTP server. Or what about unnecessary services being enabled? Do you want Bluetooth on a Linux server, or even a Windows server? It's probably there, but that opens up a hole for somebody to break in through. Default certificates. There was an issue a few years ago with Lenovo where a third-party certificate was installed that actually allowed access to the entire system.

Now, I have actually seen every one of these misconfiguration examples in some size, shape or form. And you know what, 90% of these I've actually misconfigured myself on the first try. I've forgotten to delete files. I've forgotten to close down ports. I've forgotten to set a password on an account or left an anonymous account open. I've done it all. So be aware that those are threats coming into your systems, and something to look out for when you are securing your systems.

Okay, attackers are usually external, so they are looking for ways to get in. A great website to go look at is called Shodan. It's actually run by somebody from the higher education community. What it does is scour the Internet looking for things that are misconfigured.
So if you go to Shodan and type in "password", for example (you do have to pay for the service; in higher education we actually get access for free, the security guys get it for free), you would see all the websites, all the webcams, all the routers, all the switches, everything out there that is using insecure technology, for example using the username admin and the password of password, show up in that search engine. This could be intentional or it could be unintentional, but intentionally leaving something open because it's more convenient for somebody is not a good excuse for security, or insecurity for that matter. Exploitability is easy because some admin forgot to set something up. We need our security groups to go look through everything on a server, or a service, when it's first set up, to ensure that the service is safe. Understanding what can happen, and understanding where in the application stack it can happen, is also something that we should be looking at. There are really risks and threats to any part of the system, and to everything that the application, the service or the system has access to. So we have to understand and go through each of the configuration steps when we're setting up software in order to make sure that we don't have any holes.

Okay, let's talk about the OWASP Top Ten list real quick. We're going to learn about this in another video, but A5, number five in that list, is security misconfiguration. They give a few examples; every item in the Top Ten gives examples of what it actually means. Scenario #1: the app server admin console is automatically installed and not removed, like with WordPress or Joomla, and default accounts like admin or user aren't changed. The attacker discovers the standard admin page on your server, logs in with the default username and password, and takes over.
Okay, another scenario would be an app server configuration that allows stack traces to be returned to the user, potentially exposing underlying flaws. Attackers love it when there's extra information, when an error message pops up like a server unhandled exception, for example. I actually was at a retailer, I won't say who, but it's at least in the top 50 in the world, probably within the top ten. I won't tell you which one it is, but I was in one of their stores, and I was browsing until an unhandled exception popped up in their application. What this meant to me is that they have an issue. There is a flaw, and if I wanted to reverse engineer it, I could find a security hole and break into their entire application. So you have to be aware of the threats out there and of the configuration steps that all software takes in order to be configured securely.
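As an added example that is not part of the lesson, here is a small Python audit that checks a constructed host snapshot for the misconfiguration categories covered above (insecure ports, leftover setup files, unneeded services, missing or default passwords, anonymous FTP, and stack traces shown to users), in the spirit of the "go look through everything when it's first set up" advice. The port-to-replacement mapping, the setup-file paths, the service name and the default-credential list are assumptions for illustration; a real audit would collect the snapshot from the system itself.

```python
from dataclasses import dataclass
# Plaintext services the lesson names, each with an assumed secure alternative.
INSECURE_PORTS = {21: ("FTP", "SFTP or FTPS"), 23: ("Telnet", "SSH"),
                  389: ("LDAP", "LDAPS on port 636")}
# Constructed sample paths for leftover CMS installers; adapt to what you run.
SETUP_PATHS = ("/var/www/html/wp-admin/install.php", "/var/www/html/installation")
UNNEEDED_SERVICES = {"bluetooth"}   # assumed list of services a server rarely needs
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("user", "user")}

@dataclass
class HostSnapshot:
    """Constructed view of one host; a real audit would collect this from the OS."""
    listening_ports: set
    files: set
    services: set
    accounts: dict            # username -> password as currently set (test data only)
    ftp_anonymous: bool
    stack_traces_to_users: bool

def audit(snap):
    """Return one human-readable finding per misconfiguration detected."""
    findings = []
    for port in sorted(snap.listening_ports):       # insecure ports
        if port in INSECURE_PORTS:
            name, fix = INSECURE_PORTS[port]
            findings.append(f"insecure port {port} ({name}) is open; use {fix}")
    for path in SETUP_PATHS:                         # leftover setup files
        if path in snap.files:
            findings.append(f"setup file {path} still present; delete it")
    for svc in sorted(snap.services & UNNEEDED_SERVICES):
        findings.append(f"unnecessary service {svc} is enabled; disable it")
    for user, pw in sorted(snap.accounts.items()):   # missing or default passwords
        if pw == "":
            findings.append(f"account {user} has no password set")
        elif (user, pw) in DEFAULT_CREDS:
            findings.append(f"account {user} still uses a default password")
    if snap.ftp_anonymous:
        findings.append("FTP allows anonymous access; require credentials")
    if snap.stack_traces_to_users:
        findings.append("stack traces are returned to users; show a generic error page")
    return findings
# Constructed sample host that shows several of the lesson's examples at once.
SAMPLE = HostSnapshot(listening_ports={22, 23, 443}, services={"sshd", "bluetooth"},
                      files={"/var/www/html/wp-admin/install.php", "/var/www/html/index.php"},
                      accounts={"admin": "Str0ng!pass", "user": "user", "ftp": ""},
                      ftp_anonymous=True, stack_traces_to_users=False)
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Running it against the sample host reports six findings, one per category the lesson warns about, and an empty list for a clean host.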