Don’t dice with the default: why Secure Configuration of your systems is vital

You’ve bought and installed the latest software or device, guaranteed to speed up your business functions, transform tasks for your teams, or to update a clunky out-of-date programme you were limping along on. It’s a big investment and one you’re keen to start using right away.

Luckily, to make your life easier, the manufacturer has set everything up on the new software as default. No tricky passwords or endless configuration steps – everything is sorted to be as open and multi-functional as possible. Because no-one wants to be faffing around at the point of set-up. We just want to get playing!

However, this is where alarm bells should be ringing. Accepting manufacturers’ default settings without reviewing or changing them can lead to a serious security fail – if you’re finding it quick and easy to access, the chances are it’ll be just as quick and easy for a cyber attacker. You might as well welcome them in with a cup of tea.

A disaster waiting to happen…

It’s not just leaving settings as default that can pose a threat. ‘Security misconfiguration’ covers a multitude of other sins too, from failing to apply updates or patches regularly, to forgetting to remove unnecessary functions or accounts, or poor password management. Security misconfiguration is reportedly one of the most common gaps that criminal hackers look to exploit - a 2018 report by Rapid7 claimed their penetration tests encountered a network or service misconfiguration in 84% of systems tested.

There are various ways malware can cat-burgle its way into your systems. The obvious route is via email, contained in a malicious file attachment, or accessed via an embedded link. Malware emails might be targeted at individuals such as finance personnel, or might circulate around your whole company: they can certainly be sophisticated and convincing in their nature.

All of which underlines that, amongst all the aspects we’ve looked at across our cyber security blog recently, establishing and actively maintaining the secure configuration of your systems should be regarded as one of the most vital.

When you’re setting up any new IT system or device – computers, other network devices, web servers or application servers – they should all be securely configured to your own baseline to stop attackers gaining easy unauthorised access to your data and systems. They should also be updated regularly, with all recommended patches applied immediately: according to BulletProof’s 2019 annual cyber report, 22% of the high and critical-risk issues reported consisted of missing patches, out-of-date or no longer supported software.

Steps to confident configuration

‘Secure configuration’ isn’t the overwhelmingly technical operation it might sound. Broken down into common sense steps and policies, it’s do-able for any size of business, and is a complete no-brainer when it comes to protecting your operations and data:

  • 1. Use supported software: It almost goes without saying, but always use recognised, approved and supported versions of operating systems, web browsers and applications. Not something you’ve bought from an unknown web vendor or Steve down the pub.

  • 2. Keep on top of updates and patches: You simply cannot let this one slip. Enshrine in policy when updates will be required and the timeframe in which they must be applied. Automated patch management and software update tools might be helpful. Also be sure to run regular vulnerability scans which could throw up weaknesses.

  • 3. Make an inventory: You need to know what hardware and software is being used and by whom right across your organisation. Capture the physical location, business owner and purpose of hardware and the version and patch status of all software. There are useful tools available to help identify unauthorised hardware or software.

  • 4. Ditch the default: Don’t risk the manufacturer’s default settings; manage your operating systems and software to your own configuration. Implement a secure baseline build for all systems and components. This baseline profile should be managed by a configuration control process and any deviation from the standard build should be documented and approved.

  • 5. Lose the excess baggage: There will be peripheral devices on your system that are never used, USB ports that are not necessary. There will also be user accounts that are defunct. Up your security right away by disabling any functionality that does not support a current user or business need.

  • 6. Be password-savvy: Change default passwords; protect against brute-force password guessing by limiting permitted attempts; set a minimum password length of at least eight characters; change passwords promptly if a user suspects they have been compromised; and write a password policy that all users must subscribe to.

  • 7. Compile a whitelist: It’s helpful to compile a list of authorised applications and software that should under most circumstances be executed no problem. However, make sure you disable auto-run: you don’t want file execution willy-nilly without authorisation, even if the file has made the whitelist.

  • 8. Restrict user abilities and privileges: give people only the permissions they strictly need to fulfil their business role. Non-privileged users should never be able to install or disable software or services, and even privileged admins should have some constraints on their internet and email access to limit the risk of ‘spear phishing’ (targeting an individual known to have privileged access).

  • 9. Don’t expect people to mind-read: communicate your expectations around control and management of configuration by enshrining it in policy and making sure all your staff have read it and understand how it impacts their role. Keep it simply worded but covering all bases, and make sure it is followed routinely not just ticked as a box.
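
To make steps 3 to 6 concrete, here is an added example (not from the original article) that checks an inventory against a baseline and separates approved exceptions from undocumented deviations. The host names, setting names and the lockout limit of 10 attempts are assumptions for illustration; the eight-character minimum is the one given in step 6.

```python
# Baseline rules: setting name -> check. Setting names and the lockout limit
# of 10 are assumptions; the 8-character minimum comes from step 6.
BASELINE = {
    "os_supported":             lambda v: v is True,
    "default_password_changed": lambda v: v is True,
    "min_password_length":      lambda v: type(v) is int and v >= 8,
    "max_login_attempts":       lambda v: type(v) is int and 1 <= v <= 10,
    "autorun_enabled":          lambda v: v is False,
    "defunct_accounts":         lambda v: v == [],
}

# Constructed inventory (step 3): one record per system.
INVENTORY = {
    "web-01": {"os_supported": True, "default_password_changed": True,
               "min_password_length": 12, "max_login_attempts": 5,
               "autorun_enabled": False, "defunct_accounts": []},
    "printer-02": {"os_supported": True, "default_password_changed": False,
                   "min_password_length": 6, "autorun_enabled": False,
                   "defunct_accounts": []},  # max_login_attempts never recorded
    "kiosk-03": {"os_supported": True, "default_password_changed": True,
                 "min_password_length": 8, "max_login_attempts": 20,
                 "autorun_enabled": False, "defunct_accounts": ["temp_2019"]},
}

# Deviations that passed configuration control (step 4): (host, setting) pairs.
APPROVED = {("kiosk-03", "max_login_attempts")}

def audit(inventory, approved=frozenset()):
    """Return {host: [(setting, observed, status)]} for every rule a host fails."""
    report = {}
    for host, record in sorted(inventory.items()):
        findings = []
        for setting, check in BASELINE.items():
            if setting not in record:          # fail closed: unknown is not compliant
                findings.append((setting, None, "not-recorded"))
            elif not check(record[setting]):
                status = "approved-exception" if (host, setting) in approved else "deviation"
                findings.append((setting, record[setting], status))
        report[host] = findings
    return report

def unapproved(report):
    """Hosts that still need action: any finding other than an approved exception."""
    return sorted(h for h, found in report.items()
                  if any(status != "approved-exception" for _, _, status in found))

if __name__ == "__main__":
    for host, findings in audit(INVENTORY, APPROVED).items():
        print(host, findings or "compliant")
```

A setting that was never recorded is reported rather than assumed compliant, so gaps in the inventory surface alongside genuine deviations.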

Following these practical steps should give you concrete confidence in your configuration; engineered to your specific business needs with some savvy security precautions, your system should avoid being the shoo-in a hacker might seize upon with glee.
