
Finding VSR CVSS Risk ID
Firewall Misconfiguration 4 6.0 – 7.9 High OS-CFDB-1002

Finding MITRE ATT&CK Correlation

Name Tactic ID Link
Exfiltration Over Command and Control Channel Exfiltration T1041 https://attack.mitre.org/wiki/Technique/T1041

Finding Metadata

Finding Service(s)

Service
Internal Penetration Testing
External Penetration Testing

NIST 800-53 Control(s)

NIST
SC-32
SC-7

Finding Development

Author Name Twitter Handle Email Created Updated
Alexander Rymdeko-Harvey @Killswitch-GUI 09/27/2017 09/27/2017

Technical Information

Description

The technical overview of a finding, not meant to be all-inclusive.

Firewall misconfigurations are most likely to occur during security change processes – that is, when new rules are added to a firewall, or existing ones are changed or removed. When an over-permissive rule is added, it may allow an attacker to target specific machines in order to gain access to a high-security environment. In some cases, such rules are added when the organization accepts the risk.

Impact

How a finding result will affect an organization.

If such a rule is exposed to or discovered by an attacker, they may be able to subvert in-place security controls. This could lead to cross-boundary lateral movement and the compromise of high-security environments that were believed to be secure.

Recommendation

Current plan of action recommended.

To effectively mitigate the risk of device misconfiguration, an organization needs to implement proper change management processes. This process should allow stakeholders to understand the risk of each configuration change. If business requirements require accepting a risk, an audit should be conducted to ensure all rules are still applicable.
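As an added example that is not part of the OS-CFDB entry, the following rule audit flags the two conditions this finding describes: allow rules whose source is broader than a /24 (or that permit any port) into a high-security segment, and risk-accepted rules whose review date has passed. The rule export format, its field names and the 10.50.0.0/16 zone are constructed assumptions.

```python
"""Audit a firewall rule export for over-permissive rules and stale risk acceptances."""
from datetime import date
import ipaddress

# Constructed assumption: the segment the organization treats as high-security.
HIGH_SECURITY = ipaddress.ip_network("10.50.0.0/16")

# Constructed sample export (assumed format) as a change-management system might produce it.
RULES = [
    {"id": 1, "src": "10.10.1.0/24", "dst": "10.50.3.10/32", "port": 443, "action": "allow",
     "risk_accepted": False, "review_by": None},
    {"id": 2, "src": "0.0.0.0/0", "dst": "10.50.0.0/16", "port": "any", "action": "allow",
     "risk_accepted": False, "review_by": None},
    {"id": 3, "src": "192.168.0.0/16", "dst": "10.50.4.0/24", "port": 22, "action": "allow",
     "risk_accepted": True, "review_by": "2017-06-30"},
    {"id": 4, "src": "0.0.0.0/0", "dst": "10.50.0.0/16", "port": "any", "action": "deny",
     "risk_accepted": False, "review_by": None},
]


def is_over_permissive(rule, zone=HIGH_SECURITY, max_src_prefix=24):
    """True for an allow rule into the zone whose source is wider than /24 or whose port is 'any'."""
    if rule["action"] != "allow":
        return False
    src = ipaddress.ip_network(rule["src"], strict=False)
    dst = ipaddress.ip_network(rule["dst"], strict=False)
    if not dst.overlaps(zone):
        return False  # does not cross into the high-security boundary
    return src.prefixlen < max_src_prefix or rule["port"] == "any"


def audit(rules, today_iso, zone=HIGH_SECURITY):
    """Return {rule id: [reasons]} for every rule that needs stakeholder review."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for r in rules:
        reasons = []
        if is_over_permissive(r, zone):
            reasons.append("over-permissive access into high-security zone")
        if r["risk_accepted"] and (
            r["review_by"] is None or date.fromisoformat(r["review_by"]) < today
        ):
            reasons.append("risk acceptance past review date")
        if reasons:
            findings[r["id"]] = reasons
    return findings


if __name__ == "__main__":
    for rid, why in audit(RULES, "2017-09-27").items():
        print(f"rule {rid}: {'; '.join(why)}")
```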