Please focus on A5 -
Explain how you would mitigate.
Identify threat sources
An anonymous user, a lower-privileged user who enters the system intending to perform a higher-privileged action, or an employee seeking to benefit without revealing his own identity may try to exploit security misconfigurations.
Identify events
Default accounts being used for access, unprotected files being downloaded due to misconfiguration, a user obtaining content authorized only for a user with higher privileges, use of a feature that is available only because of misconfiguration, exposure of logs to users because they were configured to be created in the wrong place, code files being downloaded and reverse engineered, overly detailed error messages being used by hackers, hackers exploiting server technology exposed in the HTML source served to the client machine, and so on.
Identify Vulnerabilities
Presence of default access accounts, presence of unprotected files, misconfiguration that allows a lesser-privileged user to reach more secured content or functions, logs kept in a public library or available outside the server or without authentication, unnecessary ports kept open or default ports in use, code files available for download, detailed error messages exposed to the end user, server technology exposed in headers or in the rendered HTML, and so on.
Determine Likelihood of Occurrence
Determine how likely each detected vulnerability is to be exploited.
Determine Magnitude of Impact
Determine, for each exploitation, how much trouble the organization will be in.
Determine Risk
Establish risk based on impact and likelihood.
1. Automate installation, configuration and deployment using PowerShell, or whatever is convenient and available for the system, to avoid human error (preventive, technical)
2. Keep the test, QA and prod environments the same and configured with the same automated scripts, but passwords and user names should differ between them, and user names should not be easy to guess (preventive, technical)
3. All software patches must be deployed, but only after rigorous testing. Establish a robust communication channel with software providers to receive alerts (preventive, technical)
4. Robust architecture (preventive, technical)
5. Automated scans and penetration testing after every release (detective, technical)
6. Follow the product guidelines for system accounts, which includes limiting their permissions to the prescribed level (preventive, technical)
7. Make sure unnecessary functions, ports and protocols are disabled and default ports are not used (preventive, technical)
8. Passwords used must be of legitimate strength (preventive, technical)
9. Have application logs monitored by an admin and a trusted dev (detective, technical)
10. Redo the risk analysis when triggered by 9. and 5. above.
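
As an added example (not part of the original post), here is one form the automated scan in item 5 could take: a Python check that flags server technology disclosed in response headers and detailed error output in the body, two of the vulnerabilities listed above. The sample responses, the header list and the patterns are constructed for illustration.

```python
import re

# Response headers that commonly disclose server technology and version.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Body patterns suggesting a detailed error page reached the client (illustrative, not exhaustive).
ERROR_PATTERNS = {
    "stack trace": re.compile(r"Stack Trace:|Traceback \(most recent call last\)"),
    "exception type": re.compile(r"\b[\w.]+Exception\b"),
    "server file path": re.compile(r"[A-Za-z]:\\[\w\\.-]+|/(?:var|usr|home)/[\w/.-]+"),
}

# Constructed sample responses (not captured from any real system).
MISCONFIGURED = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "\r\n"
    "System.NullReferenceException: Object reference not set\r\n"
    "Stack Trace:\r\n"
    "   at Demo.Page_Load() in C:\\inetpub\\demo\\Default.aspx.cs:line 12\r\n"
)
HARDENED = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<p>Something went wrong. Reference ID: 7f3a</p>"
)

def parse_response(raw):
    """Split a raw HTTP/1.x response into (lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def audit_response(raw):
    """Return findings for technology disclosure and detailed error output."""
    headers, body = parse_response(raw)
    findings = []
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            detail = "with version" if re.search(r"\d", headers[name]) else "product name only"
            findings.append(f"header {name}: technology disclosed ({detail})")
    findings += [f"body: {label} exposed" for label, pat in ERROR_PATTERNS.items() if pat.search(body)]
    return findings

if __name__ == "__main__":
    for label, raw in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        print(label, audit_response(raw))
```

Any finding from a check like this after a release is the kind of result that should trigger item 10.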