WEBVTT

1
00:00:00.090 --> 00:00:01.350
<v Instructor>In this lesson,</v>

2
00:00:01.350 --> 00:00:05.040
we will learn about configuration vulnerabilities.

3
00:00:05.040 --> 00:00:07.680
Configuration vulnerabilities occur

4
00:00:07.680 --> 00:00:10.860
when systems, applications, or networks

5
00:00:10.860 --> 00:00:13.170
are improperly configured.

6
00:00:13.170 --> 00:00:15.840
Configuration vulnerabilities include

7
00:00:15.840 --> 00:00:18.510
directory service misconfiguration,

8
00:00:18.510 --> 00:00:21.840
unsecure configuration, embedded secrets,

9
00:00:21.840 --> 00:00:25.470
outdated and unpatched software and libraries,

10
00:00:25.470 --> 00:00:28.260
as well as end-of-life software.

11
00:00:28.260 --> 00:00:30.960
Directory service misconfigurations

12
00:00:30.960 --> 00:00:35.430
are improper setup or management of directory services,

13
00:00:35.430 --> 00:00:37.470
such as Active Directory.

14
00:00:37.470 --> 00:00:42.150
Unsecure configurations are improperly set system settings

15
00:00:42.150 --> 00:00:46.920
or defaults that leave a system vulnerable to exploitation.

16
00:00:46.920 --> 00:00:50.340
Embedded secrets, such as hard-coded passwords

17
00:00:50.340 --> 00:00:53.160
or application programming interface keys,

18
00:00:53.160 --> 00:00:57.060
are sensitive credentials stored directly in the source code

19
00:00:57.060 --> 00:01:00.990
or configuration files, making them easily accessible

20
00:01:00.990 --> 00:01:04.890
to attackers who gain access to the codebase.

21
00:01:04.890 --> 00:01:08.610
Outdated or unpatched software and libraries

22
00:01:08.610 --> 00:01:11.340
often contain known vulnerabilities

23
00:01:11.340 --> 00:01:14.130
that have not been addressed by updates.

24
00:01:14.130 --> 00:01:16.500
And finally, end-of-life software

25
00:01:16.500 --> 00:01:20.640
refers to applications or systems that are no longer supported

26
00:01:20.640 --> 00:01:23.910
with security updates by the vendor.

27
00:01:23.910 --> 00:01:28.260
Let's learn more about directory service misconfiguration,

28
00:01:28.260 --> 00:01:31.770
insecure configuration, embedded secrets,

29
00:01:31.770 --> 00:01:35.160
outdated and unpatched software and libraries,

30
00:01:35.160 --> 00:01:38.040
as well as end-of-life software.

31
00:01:38.040 --> 00:01:42.330
First, we have directory service misconfiguration.

32
00:01:42.330 --> 00:01:45.810
Directory service misconfigurations often arise

33
00:01:45.810 --> 00:01:50.100
from improperly managed systems, such as Active Directory,

34
00:01:50.100 --> 00:01:53.550
where insufficient attention to access controls

35
00:01:53.550 --> 00:01:57.690
leads to unauthorized access or data exposure.

36
00:01:57.690 --> 00:02:00.420
These vulnerabilities are frequently due

37
00:02:00.420 --> 00:02:04.800
to inadequately structured permissions or lack of oversight

38
00:02:04.800 --> 00:02:08.370
in managing user and group access rights.

39
00:02:08.370 --> 00:02:11.010
For example, some organizations

40
00:02:11.010 --> 00:02:14.100
mistakenly apply broad access permissions

41
00:02:14.100 --> 00:02:16.410
across entire user groups

42
00:02:16.410 --> 00:02:19.980
without fully evaluating the potential impact.

43
00:02:19.980 --> 00:02:23.040
This can result in lower-privileged users

44
00:02:23.040 --> 00:02:27.210
obtaining access to sensitive or administrative resources,

45
00:02:27.210 --> 00:02:31.740
creating opportunities for attackers to escalate privileges.

46
00:02:31.740 --> 00:02:35.550
For instance, a company may grant excessive permissions

47
00:02:35.550 --> 00:02:37.830
within its Active Directory,

48
00:02:37.830 --> 00:02:41.490
failing to restrict specific group actions.

49
00:02:41.490 --> 00:02:44.400
So, a user might belong to a group

50
00:02:44.400 --> 00:02:48.360
that has rights to modify other users with higher privileges

51
00:02:48.360 --> 00:02:50.490
or to adjust security groups,

52
00:02:50.490 --> 00:02:53.970
inadvertently allowing privilege escalation.

53
00:02:53.970 --> 00:02:56.940
These kinds of configuration weaknesses

54
00:02:56.940 --> 00:02:59.730
can go unnoticed in standard audits

55
00:02:59.730 --> 00:03:03.000
due to the complexity of interdependencies

56
00:03:03.000 --> 00:03:05.460
within directory structures.

57
00:03:05.460 --> 00:03:07.560
Misconfigurations like these

58
00:03:07.560 --> 00:03:10.620
introduce significant security risks

59
00:03:10.620 --> 00:03:14.820
if the organizations don't implement robust group policies,

60
00:03:14.820 --> 00:03:19.320
granular permissions, and strict password requirements.

61
00:03:19.320 --> 00:03:22.290
As a result, attackers frequently target

62
00:03:22.290 --> 00:03:26.430
directory service misconfigurations as entry points,

63
00:03:26.430 --> 00:03:28.530
using tools like BloodHound

64
00:03:28.530 --> 00:03:30.750
to map complex dependencies

65
00:03:30.750 --> 00:03:34.590
and identify hidden privilege escalation paths.

66
00:03:34.590 --> 00:03:36.780
BloodHound is highly effective

67
00:03:36.780 --> 00:03:39.300
in revealing intricate relationships

68
00:03:39.300 --> 00:03:41.250
within Active Directory,

69
00:03:41.250 --> 00:03:43.800
such as nested group memberships,

70
00:03:43.800 --> 00:03:47.010
trust paths, and permission inheritance,

71
00:03:47.010 --> 00:03:49.440
which might otherwise go unnoticed

72
00:03:49.440 --> 00:03:53.790
and allow an attacker a clear view of escalation pathways,

73
00:03:53.790 --> 00:03:56.670
enabling them to move laterally through the network,

74
00:03:56.670 --> 00:03:58.890
gain access to privileged accounts,

75
00:03:58.890 --> 00:04:01.080
and compromise sensitive data.

76
00:04:01.080 --> 00:04:03.960
Organizations can mitigate these risks

77
00:04:03.960 --> 00:04:07.350
by enforcing least-privilege access policies,

78
00:04:07.350 --> 00:04:10.590
routinely auditing directory configurations,

79
00:04:10.590 --> 00:04:12.540
and using monitoring tools

80
00:04:12.540 --> 00:04:17.540
to detect unusual access patterns within directory services.

81
00:04:17.670 --> 00:04:20.880
Second, we have unsecure configuration.

82
00:04:20.880 --> 00:04:23.670
Unsecure configurations often result

83
00:04:23.670 --> 00:04:26.910
from improperly set system parameters,

84
00:04:26.910 --> 00:04:30.240
frequently due to reliance on default settings

85
00:04:30.240 --> 00:04:34.950
or insufficient understanding of specific configurations.

86
00:04:34.950 --> 00:04:38.490
Many times, vendors' default configurations

87
00:04:38.490 --> 00:04:41.340
or even their recommended configurations

88
00:04:41.340 --> 00:04:45.780
prioritize usability and functionality over security,

89
00:04:45.780 --> 00:04:48.180
which can leave systems exposed.

90
00:04:48.180 --> 00:04:51.990
Default settings might include open services

91
00:04:51.990 --> 00:04:55.470
or management ports to simplify initial setup,

92
00:04:55.470 --> 00:04:58.050
but they are typically not intended

93
00:04:58.050 --> 00:05:00.420
for long-term production use.

94
00:05:00.420 --> 00:05:03.060
For example, a web server deployed

95
00:05:03.060 --> 00:05:08.060
with the default SSH port open and weak SSH credentials

96
00:05:08.310 --> 00:05:10.590
could become a security risk.

97
00:05:10.590 --> 00:05:13.080
If an attacker discovers these credentials,

98
00:05:13.080 --> 00:05:16.050
they could gain root access through SSH,

99
00:05:16.050 --> 00:05:19.110
allowing them to move laterally within the network.

100
00:05:19.110 --> 00:05:22.800
So, the consequences of unsecure configurations

101
00:05:22.800 --> 00:05:24.180
can be severe,

102
00:05:24.180 --> 00:05:27.240
especially when attackers leverage these weaknesses

103
00:05:27.240 --> 00:05:31.890
to gain unauthorized access or compromise system integrity.

104
00:05:31.890 --> 00:05:35.280
For instance, poorly configured firewall rules

105
00:05:35.280 --> 00:05:39.540
may allow unnecessary inbound or outbound traffic

106
00:05:39.540 --> 00:05:43.680
from untrusted networks, raising the risk of a breach.

107
00:05:43.680 --> 00:05:46.920
Additionally, unmodified default settings

108
00:05:46.920 --> 00:05:49.500
might leave administrative interfaces

109
00:05:49.500 --> 00:05:52.710
unintentionally accessible to the public.

110
00:05:52.710 --> 00:05:55.710
An example of an unsecure configuration

111
00:05:55.710 --> 00:06:00.540
leading to a breach involved Capital One in 2019,

112
00:06:00.540 --> 00:06:04.170
where misconfigured settings in the cloud infrastructure

113
00:06:04.170 --> 00:06:06.960
allowed a former AWS employee

114
00:06:06.960 --> 00:06:10.020
to allegedly exploit security oversights

115
00:06:10.020 --> 00:06:12.840
in the Amazon Web Services setup.

116
00:06:12.840 --> 00:06:17.430
These issues included insufficiently defined firewall rules,

117
00:06:17.430 --> 00:06:18.930
which enabled the attacker

118
00:06:18.930 --> 00:06:22.470
to scan and access misconfigured resources,

119
00:06:22.470 --> 00:06:25.620
specifically a web application firewall,

120
00:06:25.620 --> 00:06:27.720
to retrieve sensitive data.

121
00:06:27.720 --> 00:06:31.440
Due to these misconfigurations, the attacker accessed

122
00:06:31.440 --> 00:06:34.890
approximately 100 million customer records,

123
00:06:34.890 --> 00:06:37.200
including Social Security numbers,

124
00:06:37.200 --> 00:06:39.990
credit scores, and transaction data.

125
00:06:39.990 --> 00:06:42.780
This breach caused significant financial

126
00:06:42.780 --> 00:06:45.780
and reputational damage to Capital One

127
00:06:45.780 --> 00:06:49.080
and led to increased regulatory scrutiny.

128
00:06:49.080 --> 00:06:52.560
This incident highlights the need for organizations

129
00:06:52.560 --> 00:06:55.890
to scrutinize cloud configurations carefully,

130
00:06:55.890 --> 00:06:58.530
as vendor-provided or default settings

131
00:06:58.530 --> 00:07:02.340
do not always align with strong security standards.

132
00:07:02.340 --> 00:07:06.360
To mitigate these risks, organizations must prioritize

133
00:07:06.360 --> 00:07:08.700
thorough configuration hardening,

134
00:07:08.700 --> 00:07:11.550
regularly audit cloud security settings,

135
00:07:11.550 --> 00:07:13.860
and adhere to best practices,

136
00:07:13.860 --> 00:07:17.250
such as implementing strict network isolation

137
00:07:17.250 --> 00:07:19.890
and layered access controls.

138
00:07:19.890 --> 00:07:22.710
Third, we have embedded secrets.

139
00:07:22.710 --> 00:07:26.250
Embedded secrets, such as hard-coded passwords,

140
00:07:26.250 --> 00:07:29.070
application programming interface keys,

141
00:07:29.070 --> 00:07:32.280
or other credentials stored directly in source code

142
00:07:32.280 --> 00:07:35.850
or configuration files present a serious risk.

143
00:07:35.850 --> 00:07:38.490
When embedded secrets are exposed,

144
00:07:38.490 --> 00:07:42.240
attackers can use them to gain unauthorized access

145
00:07:42.240 --> 00:07:44.550
to critical systems or data.

146
00:07:44.550 --> 00:07:48.120
A notable example of exposed embedded secrets

147
00:07:48.120 --> 00:07:52.590
occurred in 2021 with the technology company Twilio,

148
00:07:52.590 --> 00:07:55.410
where developers accidentally pushed code

149
00:07:55.410 --> 00:08:00.030
to a public GitHub repository containing sensitive API,

150
00:08:00.030 --> 00:08:04.050
or application programming interface, keys and credentials

151
00:08:04.050 --> 00:08:06.900
for Twilio's internal services.

152
00:08:06.900 --> 00:08:09.150
Attackers found these credentials

153
00:08:09.150 --> 00:08:12.660
and used them to access Twilio's infrastructure,

154
00:08:12.660 --> 00:08:14.880
gaining unauthorized access

155
00:08:14.880 --> 00:08:18.960
to specific customer data and internal tools.

156
00:08:18.960 --> 00:08:22.890
Twilio acted quickly to rotate compromised credentials

157
00:08:22.890 --> 00:08:25.230
and notify affected customers,

158
00:08:25.230 --> 00:08:27.120
but the incident emphasized

159
00:08:27.120 --> 00:08:31.650
the risks associated with embedded secrets in code.

160
00:08:31.650 --> 00:08:34.230
So, the danger of embedded secrets

161
00:08:34.230 --> 00:08:37.200
lies in their widespread accessibility

162
00:08:37.200 --> 00:08:39.540
once included in a codebase,

163
00:08:39.540 --> 00:08:43.560
increasing the risk of exposure through insider threats

164
00:08:43.560 --> 00:08:45.540
or inadvertent leaks.

165
00:08:45.540 --> 00:08:48.390
Organizations can mitigate these risks

166
00:08:48.390 --> 00:08:52.950
by using a secrets management tool like HashiCorp Vault

167
00:08:52.950 --> 00:08:55.590
or AWS Secrets Manager.

168
00:08:55.590 --> 00:08:57.570
These provide secure storage

169
00:08:57.570 --> 00:09:00.090
and controlled access to credentials,

170
00:09:00.090 --> 00:09:03.480
separating sensitive information from code.

171
00:09:03.480 --> 00:09:06.090
Additionally, automated scanning tools

172
00:09:06.090 --> 00:09:10.260
can help detect embedded secrets within repositories,

173
00:09:10.260 --> 00:09:12.840
preventing accidental exposure.

174
00:09:12.840 --> 00:09:15.390
In the end, by proactively securing

175
00:09:15.390 --> 00:09:18.150
and regularly auditing repositories,

176
00:09:18.150 --> 00:09:21.090
companies can reduce the likelihood of breaches

177
00:09:21.090 --> 00:09:23.820
and better protect their internal systems

178
00:09:23.820 --> 00:09:26.070
from unauthorized access.

179
00:09:26.070 --> 00:09:28.110
Fourth, we have outdated

180
00:09:28.110 --> 00:09:31.140
and unpatched software and libraries.

181
00:09:31.140 --> 00:09:33.840
Outdated or unpatched software and libraries

182
00:09:33.840 --> 00:09:36.390
often contain known vulnerabilities

183
00:09:36.390 --> 00:09:38.430
that attackers can exploit.

184
00:09:38.430 --> 00:09:41.820
Many cyberattacks target these vulnerabilities

185
00:09:41.820 --> 00:09:44.850
because attackers are aware that organizations

186
00:09:44.850 --> 00:09:48.030
may fail to apply patches properly.

187
00:09:48.030 --> 00:09:52.230
An example of the risks of outdated or unpatched software

188
00:09:52.230 --> 00:09:56.910
occurred in 2021 with the Xelion data breach.

189
00:09:56.910 --> 00:10:01.680
Xelion, a company providing secure file transfer solutions,

190
00:10:01.680 --> 00:10:05.850
had an older version of its file transfer appliance software

191
00:10:05.850 --> 00:10:08.280
in use with multiple clients.

192
00:10:08.280 --> 00:10:10.800
Attackers exploited a vulnerability

193
00:10:10.800 --> 00:10:13.560
in this unpatched, outdated software,

194
00:10:13.560 --> 00:10:16.920
gaining unauthorized access to sensitive data

195
00:10:16.920 --> 00:10:19.410
stored in client environments.

196
00:10:19.410 --> 00:10:23.880
Notably, clients such as the Reserve Bank of New Zealand,

197
00:10:23.880 --> 00:10:27.120
the Washington State Auditor's Office, and others

198
00:10:27.120 --> 00:10:30.930
suffered significant data breaches during this attack.

199
00:10:30.930 --> 00:10:34.440
The incident exposed millions of personal records

200
00:10:34.440 --> 00:10:36.090
and confidential files,

201
00:10:36.090 --> 00:10:39.630
including financial information and private records,

202
00:10:39.630 --> 00:10:43.770
underscoring the severe risk of outdated software.

203
00:10:43.770 --> 00:10:45.570
Using outdated software

204
00:10:45.570 --> 00:10:48.690
can also introduce compatibility issues,

205
00:10:48.690 --> 00:10:51.210
affecting an organization's ability

206
00:10:51.210 --> 00:10:54.960
to secure their broader IT ecosystem.

207
00:10:54.960 --> 00:10:58.350
For example, unsupported versions of software

208
00:10:58.350 --> 00:11:00.420
often lack compatibility

209
00:11:00.420 --> 00:11:03.510
with the latest security features and protocols,

210
00:11:03.510 --> 00:11:04.770
making it challenging

211
00:11:04.770 --> 00:11:08.070
to enforce security policies effectively.

212
00:11:08.070 --> 00:11:12.300
Additionally, attackers frequently use automated tools

213
00:11:12.300 --> 00:11:15.150
to scan for these known vulnerabilities,

214
00:11:15.150 --> 00:11:17.460
increasing the risk of exposure

215
00:11:17.460 --> 00:11:20.880
for organizations with outdated software.

216
00:11:20.880 --> 00:11:24.000
A comprehensive vulnerability management plan,

217
00:11:24.000 --> 00:11:26.100
which includes routine patching

218
00:11:26.100 --> 00:11:28.920
and upgrading of software and libraries,

219
00:11:28.920 --> 00:11:32.880
can prevent these vulnerabilities from being exploited.

220
00:11:32.880 --> 00:11:36.360
Organizations should also consider implementing

221
00:11:36.360 --> 00:11:38.670
automated patch management systems

222
00:11:38.670 --> 00:11:40.950
to reduce the manual workload

223
00:11:40.950 --> 00:11:45.000
and minimize delays in applying critical updates.

224
00:11:45.000 --> 00:11:49.020
Fifth and last, we have end-of-life software.

225
00:11:49.020 --> 00:11:51.030
End-of-life software is software

226
00:11:51.030 --> 00:11:54.090
that no longer receives security updates

227
00:11:54.090 --> 00:11:56.010
or support from the vendor,

228
00:11:56.010 --> 00:11:59.940
making it particularly vulnerable to exploitation.

229
00:11:59.940 --> 00:12:02.370
When vendors stop providing updates,

230
00:12:02.370 --> 00:12:06.630
any newly discovered vulnerabilities remain unpatched,

231
00:12:06.630 --> 00:12:09.450
creating easy targets for attackers.

232
00:12:09.450 --> 00:12:12.120
For instance, Windows 10 is projected

233
00:12:12.120 --> 00:12:16.170
to reach its end of life in October of 2025,

234
00:12:16.170 --> 00:12:20.460
meaning Microsoft will no longer provide security updates

235
00:12:20.460 --> 00:12:24.420
or patches for this widely used operating system.

236
00:12:24.420 --> 00:12:27.930
Organizations that continue to rely on Windows 10

237
00:12:27.930 --> 00:12:30.870
beyond this date for critical operations

238
00:12:30.870 --> 00:12:32.970
will face increased risks,

239
00:12:32.970 --> 00:12:36.570
as attackers frequently target end-of-life software

240
00:12:36.570 --> 00:12:41.070
with unpatched vulnerabilities to gain unauthorized access.

241
00:12:41.070 --> 00:12:43.740
So, relying on end-of-life software

242
00:12:43.740 --> 00:12:46.110
without a risk mitigation plan

243
00:12:46.110 --> 00:12:49.770
leaves systems and data exposed to attack.

244
00:12:49.770 --> 00:12:51.900
Additionally, end-of-life software

245
00:12:51.900 --> 00:12:55.230
that cannot support updated security standards

246
00:12:55.230 --> 00:12:57.510
could result in hefty fines,

247
00:12:57.510 --> 00:13:01.710
particularly for organizations governed by regulations

248
00:13:01.710 --> 00:13:03.750
like the Health Insurance

249
00:13:03.750 --> 00:13:06.660
Portability and Accountability Act, or HIPAA,

250
00:13:06.660 --> 00:13:10.020
or the Payment Card Industry Data Security Standard,

251
00:13:10.020 --> 00:13:12.030
or PCI DSS.

252
00:13:12.030 --> 00:13:13.710
To address these risks,

253
00:13:13.710 --> 00:13:17.100
organizations should plan for timely migration

254
00:13:17.100 --> 00:13:19.380
to supported operating systems

255
00:13:19.380 --> 00:13:22.260
and implement compensating controls.

256
00:13:22.260 --> 00:13:25.500
For example, isolating end-of-life systems

257
00:13:25.500 --> 00:13:28.620
from the main network and restricting access

258
00:13:28.620 --> 00:13:32.670
can provide interim and compensating protection.

259
00:13:32.670 --> 00:13:36.630
Finally, proactively phasing out end-of-life software

260
00:13:36.630 --> 00:13:39.300
through careful planning and transitioning

261
00:13:39.300 --> 00:13:40.800
to supported versions

262
00:13:40.800 --> 00:13:44.730
ensures continued compliance and security.

263
00:13:44.730 --> 00:13:48.210
For legacy systems that must remain active,

264
00:13:48.210 --> 00:13:50.640
isolation, restricted access,

265
00:13:50.640 --> 00:13:53.280
and robust compensating controls

266
00:13:53.280 --> 00:13:57.780
should be applied until a complete migration can be achieved

267
00:13:57.780 --> 00:14:01.770
to maintain a secure operational environment.

268
00:14:01.770 --> 00:14:06.630
So, remember, configuration vulnerabilities arise

269
00:14:06.630 --> 00:14:10.200
when systems, applications, or networks

270
00:14:10.200 --> 00:14:12.360
are improperly set up,

271
00:14:12.360 --> 00:14:15.900
leaving them exposed to potential attacks.

272
00:14:15.900 --> 00:14:18.570
These vulnerabilities include issues

273
00:14:18.570 --> 00:14:20.570
like directory service misconfiguration,

274
00:14:21.540 --> 00:14:23.730
where improper access controls

275
00:14:23.730 --> 00:14:27.150
can lead to unauthorized data exposure.

276
00:14:27.150 --> 00:14:29.790
Next, unsecure configuration,

277
00:14:29.790 --> 00:14:32.910
where default settings or inadequate adjustments

278
00:14:32.910 --> 00:14:36.300
can leave services open to exploitation.

279
00:14:36.300 --> 00:14:39.630
Embedded secrets, such as hard-coded passwords

280
00:14:39.630 --> 00:14:42.630
or application programming interface keys

281
00:14:42.630 --> 00:14:44.430
stored directly in code,

282
00:14:44.430 --> 00:14:47.400
present high risks by exposing credentials

283
00:14:47.400 --> 00:14:51.660
that attackers can use to access internal systems.

284
00:14:51.660 --> 00:14:55.860
Next, outdated or unpatched software and libraries

285
00:14:55.860 --> 00:15:00.330
may contain known vulnerabilities when left without updates,

286
00:15:00.330 --> 00:15:03.450
making them easy targets for attackers.

287
00:15:03.450 --> 00:15:05.820
Finally, end-of-life software,

288
00:15:05.820 --> 00:15:10.380
which no longer receives vendor support or security updates,

289
00:15:10.380 --> 00:15:12.540
creates ongoing risk,

290
00:15:12.540 --> 00:15:16.080
especially as new vulnerabilities emerge.

291
00:15:16.080 --> 00:15:19.230
So, these vulnerabilities should be addressed

292
00:15:19.230 --> 00:15:21.540
through regular audits, updates,

293
00:15:21.540 --> 00:15:24.573
and secure configuration practices.

