Data Pours from Cloud—And ‘The Enemy is Us’

Enterprises are grappling with widespread incidents of misconfigured servers leaking sensitive data to the public internet.

Accenture, Verizon, Dow Jones and Deep Root Analytics are just the tip of the iceberg when it comes to the millions of private records and sensitive enterprise data exposed on cloud backends this year. And the problem is getting worse not better.

“The enemy is us,” said Chris Vickery, director of cyber risk research at UpGuard. “We are bringing this on to ourselves.”

He said the epidemic of unsecured private data stores is, in a majority of cases, caused by user misconfigurations on public cloud platforms such as Amazon Web Services, Microsoft Azure cloud services, IBM Bluemix and the Google Cloud Platform.

As of September 2017, IBM X-Force said 1.3 billion records tied to 24 incidents have been exposed to the public internet via misconfigured servers. Businesses are doing a better job at protecting against vulnerabilities such as SQL injections, X-Force said. “In its place, simple permission errors, API oversights and server misconfigurations have become even more pervasive,” according to X-Force researchers.

“I’m seeing organizations moving to the cloud that just aren’t ready… Far too often in the rush to migrate, IT organizations turn into the Wild West, where no one really has control or visibility into the infrastructure,” said Jesse Dean, senior director of solutions at Tetrad Digital Integrity.

Dean said it’s not just the frequency that is growing, but also the size of the data stores exposed and the impact on the companies that leak the data.

Magnifying the problem is a rush to cloud adoption by businesses, Vickery said. “It doesn’t help that companies are rushing workloads and data to the cloud,” he said. “It’s certainly not increasing the security or decreasing the amount of publicly exposed data.”

Researchers at Gartner said cloud-computing services will grow 17 percent this year alone.

Bearing the brunt of the spotlight for misconfigured storage buckets is AWS, not because it is less secure than its competitors but because it holds the largest share of the cloud platform market. According to Synergy Research, AWS dominates the Infrastructure as a Service market, controlling 35 percent of it in Q3 2017.

Now consider a report by Skyhigh Networks claiming that seven percent of AWS S3 storage buckets have unrestricted public access and 35 percent are unencrypted.

That’s not to say the problem is exclusive to AWS. A lot of low-hanging fruit has been plucked by hackers targeting misconfigured MongoDB and CouchDB databases and Elasticsearch repositories.

From December 2016 into the first part of 2017, the nonprofit GDI Foundation tracked close to 45,000 open MongoDB databases in which hackers dropped database tables or locked out legitimate users to extort a ransom payment. In a separate study by GDI in August, it tracked a second wave of these attacks, resulting in a wave of 26,000 locked databases.

Couple that with research by Kromtech Security Center, which found in September that thousands of insecure Elasticsearch clusters were hosting point-of-sale malware. In January, Kromtech found thousands of MongoDB databases left unintentionally insecure by businesses.

“The problem is that companies just assume that these databases are secure,” said Zohar Alon, co-founder and CEO, Dome9. “That’s just not true.” He said phishing scams, man-in-the-middle attacks on corporate networks and carefully crafted search queries can expose S3 buckets that are assumed private.

Alon said researchers now hunt for insecure S3 storage buckets as if it were a sport or a competition. “S3 misconfigurations have been happening since the service launched in 2006. But now there are several scripts out there on GitHub that can be used by most high school kids to find leaky instances,” he said.

One site called DigiNinja offers a free tool called Bucket Finder. “This is a fairly simple tool to run, all it requires is a wordlist and it will go off and check each word to see if that bucket name exists in Amazon’s S3 system. Any that it finds it will check to see if the bucket is public, private or a redirect,” the site states.

For Vickery, who has been credited for discovering some of the biggest leaky AWS S3 storage buckets, Amazon’s own success is to blame for the target on its back.

“A few factors contribute to putting Amazon in the headlines more than others. For starters, Amazon’s naming scheme for S3 storage buckets is very easy to search for. Combine that with the fact the largest companies are using Amazon and there is going to be a lot of low hanging fruit.”

It is often hard to know whether exposed data has actually been compromised. “I don’t know how often the things that I find are also found by bad actors; it’s impossible to know. But I think it’s safe to say, if we are finding the data, the bad guys are too. They just don’t advertise the fact,” Vickery said.

As for Amazon’s part, it does not bear special responsibility for these exposures. Amazon says AWS offers documentation and training videos and that its platform is secure; it adds that it cannot be held responsible when the platform is misconfigured by a third party.

“I commend AWS for making it very clear to their customers that data security is a shared responsibility,” said Charles Goldberg with Thales e-Security. “It is customers that often forget that they are outsourcing their infrastructure, but they aren’t outsourcing their responsibility to implement secure architectures.”

S3 buckets are not public by default; a developer has to explicitly choose that option for a bucket, or write a bucket policy that grants access to every object to an anonymous principal. “The key is to implement separation of duties so that even if a developer decides to make a bucket public they don’t have the privileges to do so,” said Vinay Wagh, head of product, Bracket Computing.
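The two configurations discussed above, a bucket policy that grants every object to an anonymous principal beside one restricted to a named role, together with a check that flags the public form, as an added example that is not part of the original article or of any AWS tooling. The bucket names, account ID, role name and VPC endpoint ID are invented placeholders, and the list of narrowing condition keys is an approximation of AWS's published rule for when a `Principal: "*"` statement is not treated as public.

```python
import json
from typing import Any

# Constructed bucket policies (not from the article). The first is the
# "make every object public" pattern the text describes.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadForAllObjects",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-corp-backups/*",
    }],
}

# Same objects, readable only by one role in one (placeholder) account.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackupReaderOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-corp-backups/*",
    }],
}

# Principal "*" but bound to a single (placeholder) VPC endpoint: not public.
VPC_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FromOurVpcEndpointOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-corp-backups",
                     "arn:aws:s3:::example-corp-backups/*"],
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
}

# A condition that looks narrowing but allows the whole internet: still public.
OPEN_IP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyIpIsNotARestriction",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-corp-backups/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}},
    }],
}

# Separation of duties (the point made in the text): an IAM policy attached to
# developer principals that denies the calls which make a bucket public, so a
# developer who chooses that option still cannot carry it out.
DEVELOPER_DENY_PUBLIC_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPublicAccessChanges",
        "Effect": "Deny",
        "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy",
                   "s3:PutBucketAcl", "s3:PutObjectAcl"],
        "Resource": "*",
    }],
}

# Condition keys that bind a Principal "*" statement to a fixed set of callers.
NARROWING_CONDITION_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:sourcearn",
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn", "aws:userid",
}


def _as_list(value: Any) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _anonymous_principal(principal: Any) -> bool:
    # Both the bare "*" form and {"AWS": "*"} / {"AWS": ["*"]} grant anyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _narrowed_by_condition(condition: dict) -> bool:
    for operator_block in condition.values():
        for key, value in operator_block.items():
            key = key.lower()
            if key == "aws:sourceip":
                if any(v in ("0.0.0.0/0", "::/0") for v in _as_list(value)):
                    continue  # whole-internet range narrows nothing
                return True
            if key in NARROWING_CONDITION_KEYS:
                return True
    return False


def public_statements(policy: Any) -> list:
    """Return the Allow statements that grant access to anonymous callers."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        # NotPrincipal on an Allow means "everyone except", which is public too.
        if not (_anonymous_principal(st.get("Principal")) or "NotPrincipal" in st):
            continue
        if _narrowed_by_condition(st.get("Condition", {})):
            continue
        findings.append({"sid": st.get("Sid", ""),
                         "actions": _as_list(st.get("Action")),
                         "resources": _as_list(st.get("Resource"))})
    return findings


if __name__ == "__main__":
    for name, pol in [("public", PUBLIC_READ_POLICY), ("hardened", HARDENED_POLICY),
                      ("vpc-only", VPC_ONLY_POLICY), ("open-ip", OPEN_IP_POLICY)]:
        print(name, public_statements(pol))
```

The check is deliberately conservative about conditions: a `Principal: "*"` statement is only considered non-public when its condition pins callers to an account, organization, VPC or a real IP range, so `aws:SourceIp` of `0.0.0.0/0` is flagged like any other open grant. Run it against `get-bucket-policy` output from each bucket rather than against the examples embedded here.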

While cloud configuration errors are common, companies or admins often set access permissions so that a vendor or solution provider outside the company can see or manage the data. In the case of Verizon, 14 million customers had PII exposed because a third-party contractor, NICE Systems, failed to limit external access to an Amazon S3 bucket.

Although safeguarding S3 buckets is not Amazon’s responsibility, it has recently taken a more proactive approach. In August, Amazon introduced Macie, a service that helps companies figure out whether their cloud implementation is misconfigured or is being accessed by a third party without authorization. In July, AWS urged customers via email to reexamine their S3 storage bucket policies and to ensure their accounts didn’t inadvertently grant public access.

When it comes to securing the cloud and protecting against leaks, experts such as Tetrad Digital Integrity’s Dean say it takes a layered approach.

“In terms of workforce, you can’t just turn your datacenter staff into AWS experts overnight. It takes time, effort, hiring new, and even rethinking your talent management strategy. Not everyone is going to make the transition. The FAA doesn’t allow a Cessna pilot to move directly to flying a 747, it’s a process and matter of safety–it should be the same with your cloud workforce–one admin can inadvertently land a Fortune 500 company on the front page,” Dean said.