Investigating Operators' Perspective on Security Misconfigurations

Authors

Constanze Dietrich, Katharina Krombholz, Kevin Borgolte, Tobias Fiebig

Publication

Proceedings of the 25th ACM SIGSAC Conference on Computer and Communications Security (CCS), October 2018

Abstract

Nowadays, security incidents have become a familiar "nuisance," and they regularly lead to the exposure of private and sensitive data. The root causes for such incidents are rarely complex attacks. Instead, they are enabled by simple misconfigurations, such as authentication not being required, or security updates not being installed. For example, the leak of over 140 million Americans’ private data from Equifax's systems is among most severe misconfigurations in recent history: The underlying vulnerability was long known, and a security patch had been available for months, but was never applied. Ultimately, Equifax blamed an employee for forgetting to update the affected system, highlighting his personal responsibility.

In this paper, we investigate the operators' perspective on security misconfigurations to approach the human component of this class of security issues. We focus our analysis on system operators, who have not yet received significant attention by prior research. Hence, we investigate their perspective with an inductive approach and apply a multi-step empirical methodology: (i) a qualitative study to understand how to approach the target group and measure the misconfiguration phenomenon, and (ii) a quantitative survey rooted in the qualitative data. We then provide the first analysis of system operators' perspective on security misconfigurations, and we determine the factors that operators perceive as the root causes. Based on our findings, we provide practical recommendations on how to reduce security misconfigurations' frequency and impact.

@inproceedings{ccs2018-security-misconfigurations,
  title     = {{Investigating Operators' Perspective on Security Misconfigurations}},
  author    = {Dietrich, Constanze and Krombholz, Katharina and Borgolte, Kevin and Fiebig, Tobias},
  booktitle = {Proceedings of the 25th ACM SIGSAC Conference on Computer and Communications Security (CCS)},
  date      = {2018-10},
  doi       = {10.1145/3243734.3243794},
  edition   = {25},
  editor    = {Backes, Michael and Wang, XiaoFeng},
  isbn      = {978-1-4503-5693-0},
  location  = {Toronto, ON, Canada},
  publisher = {Association for Computing Machinery (ACM)},
  url       = {http://dx.doi.org/10.1145/3243734.3243794}
}