In March 2023, data on more than 56,000 people — including Social Security numbers and other personal information — was stolen in the D.C. Health Benefit Exchange Authority breach. The online health insurance marketplace hack exposed the personal details of Congress members, their families, staff and tens of thousands of other Washington-area residents.
It appears the D.C. breach was due to “human error”, according to a recent report. Apparently, a computer server was misconfigured to allow access to data without proper authentication. Implementing authentication would have been something easy to accomplish. Instead, a door was left wide open for attackers to gain access.
Poorly configured web servers are all too common. In fact, a recent study from a firm that indexes internet-facing devices reported that over 8,000 servers hosting sensitive information are not properly configured.
Easy to Identify Data Exposure
A recent Censys report stated that “data exposures via misconfiguration remain a serious problem. We found over 8,000 servers on the internet hosting potentially sensitive information, including possible credentials, database backups and configuration files.” As per the report, these vulnerabilities were easy to identify, as they would be for even inexperienced threat actors.
Meanwhile, print management software developer PaperCut recently warned customers to update their software immediately. PaperCut makes printing management software utilized by companies, state entities and education. As per their website, PaperCut serves hundreds of millions of people from around the globe.
In a recent vulnerability bulletin, PaperCut said, “We have evidence to suggest that unpatched servers are being exploited in the wild.” Other reports of poorly managed Linux servers and poorly secured Interned-exposed Microsoft SQL (MS-SQL) servers have led to malware entry.
Other findings in the Censys report include:
- Over 1,000 hosts with over 2,000 SQL database files were exposed with no authentication requirements on the HTTP services themselves
- More than 18,000 CSV files were publicly exposed on just 147 hosts
- Over 5,000 hosts had over 5,000 exposed files and directories, indicating they are related to a backup.
Based on its findings, Censys states that vulnerable hosts aren’t only servers with outdated and exploitable software. Vulnerabilities can arise from various sources, including errors in judgment, misconfigurations and rushed work. The firm says a quick and easy solution today may prevent a severe data breach tomorrow.
“The often unglamorous work of asset, vulnerability and patch management is critical for helping reduce an organization’s attack surface. The security issues we’ve explored in this report aren’t a result of zero days or other advanced exploits, but rather misconfiguration and exposure issues that are likely a result of simple mistakes or configuration errors,” Censys noted.
Fixing Servers that Lack Authentication
If a computer server was misconfigured to allow access to data without proper authentication, the following steps can be taken to fix server issues:
- Shut down the server: The first step is to immediately shut down the server to prevent or halt unauthorized access to the data.
- Investigate the scope of the issue: Once the server is shut down, evaluate the extent of the problem by examining log files, system configuration files and other relevant data to determine the extent of unauthorized access, if any.
- Identify the root cause of the problem: Examine the server configuration files, software settings and security policies. Determine whether the misconfiguration was due to a human error, software flaw or something else.
- Correct the misconfiguration: Once the root cause has been identified, correct the misconfiguration by updating the server configuration files, software settings or security policies. This may involve reconfiguring access controls, updating software or installing security patches.
- Test the fix: After correcting the misconfiguration, test the fix by attempting to access the data without proper authentication. Verify that the fix has been successful and that the data is now secure.
- Monitor the server: After the fix has been implemented and tested, monitor the server to ensure that it is functioning properly and that no further security issues arise.
- Review security policies and procedures: Lastly, review security policies and procedures to ensure they are adequate to prevent similar security issues in the future. You may need to provide additional training to employees, review access controls or implement new security technologies.
How to Secure Your Server
Securing web servers is required to reduce the risk of unauthorized access and data breaches. Here are some steps you can take to enhance the security of your web server:
- Keep server software up to date: Make sure to install the latest security patches and updates for your web server software, as well as any related software components (such as databases and scripting languages).
- Use strong authentication: Require strong passwords and two-factor authentication for all user accounts. Use SSH keys instead of passwords for remote access.
- Limit access: Limit access to the server to only those who need it. Use firewalls and other access control mechanisms to block unauthorized access.
- Secure file and directory permissions: Make sure that sensitive files and directories are only accessible to authorized users. Set file permissions to “read-only” for non-essential files and directories.
- Use encryption: Use SSL/TLS encryption for all communication between clients and the server, and encrypt sensitive data stored on the server.
- Monitor server logs: Regularly monitor server logs to detect suspicious activity. Use intrusion detection systems (IDS) and other security tools to identify and respond to potential threats.
- Back up regularly: Regularly back up your server’s data and configuration files and store backups in a secure location.
- Implement security policies: Establish and enforce security policies and procedures for your organization. Educate employees and users about best practices for web server security.
Don’t Leave the Door Open
There certainly are a number of highly sophisticated cyber intruders out there. But many data breaches are the result of simply leaving the front door unlocked. Due to human error, mistakes can lead to the exposure of large amounts of data on a server. The problem is the lack of simple security measures, such as authentication, authorization or filtering. But this is good news since obtainable fixes can improve server security substantially.