Chapter 37 Β· Glossary

Misconfiguration Vulnerabilities Glossary

Key terms for the five misconfiguration categories tested on Security+ SY0-701.

Misconfiguration Vulnerability
A security weakness caused not by a flaw in software design or code, but by an incorrect or insecure configuration of a system, service, or resource. Misconfigurations are among the most common and most preventable vulnerability categories β€” they typically result from human error, default settings left unchanged, or configuration drift over time. They require no exploit technique: the vulnerability IS the configuration.
Open Permissions
An access control misconfiguration in which a resource β€” such as a cloud storage bucket, file share, or directory β€” is made accessible to more users than intended, including potentially the public internet. Open permissions require no credential theft or exploitation: if data is readable by "anyone," anyone can read it. The 2017 Verizon breach (14 million customer records in a publicly readable Amazon S3 bucket) is the benchmark example.
Amazon S3 Bucket
An object storage resource in Amazon Web Services. S3 buckets are private by default, but can be misconfigured to allow public read access β€” making any file stored in the bucket accessible to anyone on the internet who knows (or can guess) the bucket name. Misconfigured S3 buckets have been the source of numerous major data exposures, including the 2017 Verizon incident involving 14 million customer records left accessible by a third-party contractor.
Unsecured Admin Accounts
Administrative accounts that are inadequately protected, either through weak credentials, enabled default accounts, unrestricted direct access, or excessive account proliferation. The most targeted include the built-in root account on Linux/Unix systems and the built-in Administrator account on Windows. Because the usernames of these accounts are universally known, they are among the first targets in brute-force and credential-stuffing attacks.
Root Account (Linux/Unix)
The superuser account on Linux and Unix systems with unrestricted access to all files, processes, and configuration. A user logged in as root can modify any file, install or remove any software, and override any permission. Best practice is to disable direct root login (especially over SSH) and require administrators to use su or sudo to elevate privileges from a standard account, creating an audit trail and an additional authentication step.
Administrator Account (Windows)
The built-in superuser account on Windows systems with full control over the local machine. Like Linux root, the Administrator account's name is universally known, making it a high-value brute-force target. Best practice: rename or disable the built-in Administrator account; create separate named administrative accounts for specific users; require User Account Control (UAC) elevation for administrative tasks rather than running as Administrator directly.
su / sudo (Privilege Escalation Tools)
su (substitute user) allows a user to switch to another account, including root, by providing that account's password. sudo (superuser do) allows a specifically authorized user to execute individual commands with root privileges, authenticated by their own password. These tools allow least-privilege operation: administrators log in as normal users and only elevate when performing specific administrative tasks, rather than maintaining a persistent high-privilege session.
Insecure Protocols
Legacy network protocols that transmit data β€” including authentication credentials β€” in cleartext without encryption. An attacker with the ability to intercept network traffic (by controlling a network segment, performing ARP spoofing, or running a packet capture tool) can read everything transmitted over these protocols. Primary insecure protocols: Telnet (remote shell access), FTP (file transfer), unencrypted SMTP/IMAP (email). Replaced by: SSH, SFTP, HTTPS, IMAPS/SMTPS.
Telnet
A legacy remote terminal access protocol that sends all traffic β€” commands, responses, and login credentials β€” in plaintext. Once widely used for managing network devices and servers. Replaced by SSH (Secure Shell), which encrypts all communication. The continued use of Telnet for device management is a serious misconfiguration β€” anyone on the same network segment can capture and read every keystroke, including passwords entered during login.
FTP (File Transfer Protocol)
A legacy file transfer protocol that transmits authentication credentials and file content in cleartext. Like Telnet, FTP is completely transparent to any attacker with network access. Replaced by SFTP (SSH File Transfer Protocol, which tunnels file transfer over an encrypted SSH connection) and FTPS (FTP over TLS). Using FTP on any network β€” but especially over the internet or on networks with multiple users β€” is a misconfiguration that exposes both credentials and data.
DEFCON Wall of Sheep
A demonstration at the annual DEFCON security conference in which researchers monitor the conference network for cleartext authentication traffic, capture credentials transmitted over insecure protocols, and display the account names and partial passwords publicly on a large screen. The purpose is to make viscerally visible how exposed cleartext protocols are β€” even to security-aware attendees. At DEFCON 22, email addresses and partial passwords from IMAP and other cleartext protocols were displayed in real time.
Default Settings / Default Credentials
The factory-configured credentials and settings that hardware and software ship with. Default credentials (often admin/admin, admin/password, root/root, or device-specific combinations documented in vendor manuals) are publicly known and are compiled into automated attack tools. A device deployed with default credentials is effectively wide open β€” no exploitation required. Every device must have its default credentials changed before network deployment.
Mirai Botnet
A malware strain first identified in 2016 that targeted IoT devices (IP cameras, routers, doorbells, garage door openers, DVRs) using a hardcoded list of approximately 60 default credential combinations. Mirai scanned the internet automatically, logged into any device it could with default credentials, and added it to a botnet. The botnet was later used to launch record-breaking DDoS attacks. The source code was published publicly, making this attack technique available to anyone. Mirai established that default IoT credentials at scale are a critical infrastructure risk.
Open Ports and Services
Network ports that are actively listening for connections represent running services that may be exploitable. Every open port is a potential entry point. Firewall rulesets control which ports are accessible, but over time these rulesets accumulate rules for services that are started and never fully decommissioned β€” leading to open ports that serve no current business purpose but remain accessible to attackers. Periodic firewall audits are required to identify and close ports that should not be open.
Firewall Rule Creep
The gradual accumulation of firewall rules over time as new services are added and old rules are never removed. Each project, system, or vendor that needs network access adds rules. When those projects end or those systems are decommissioned, the rules typically remain. Over months or years, the ruleset becomes a complex mix of current and historical rules that no longer accurately reflects the organization's intended security posture β€” increasing the likelihood of unintentionally open ports and access paths.