The Nasstarian

When Outside Hackers Meet the Insider Threat: The Challenge of Cloud Misconfiguration

By Phil Muncaster / 29 August 2019

At the end of July, Capital One admitted a massive data breach affecting an estimated 100 million US customers and card applicants, and millions more in Canada. So far, so normal: data breaches continue to occur with worrying regularity as we head through 2019. Except, it turned out that this one stemmed from a misconfigured web app firewall (WAF) running in the firm’s Amazon Web Services (AWS) cloud infrastructure. It represents the tip of a very large iceberg.

White hat researchers have been warning about exposed data stores on AWS and other platforms for years. But now the hackers are actively exploiting these mistakes in automated attacks. It’s no surprise that the Cloud Security Alliance (CSA) recently branded misconfiguration one of its top cloud threats of 2019.

It’s time to get serious about the threat of employee error and – if relevant – choose an MSP with a strong security background.

An Egregious Problem

The fallout from the Capital One breach is still ongoing, but it’s already being described as one of the largest ever incidents of its kind. The combination of a misconfigured WAF and the firm’s error in granting broader permissions than were necessary to access resources allowed the attacker to exploit a Server-Side Request Forgery (SSRF) flaw to reach the data.

Yet cloud misconfiguration is endemic. Over the past few months alone we’ve seen the exposure of 200 million Chinese CVs, details on 12.5 million Indian mothers, and 808 million records from an email validation firm. These exposures happen across multiple platforms, from AWS S3 to MongoDB, Elasticsearch and others, but are united in the fact that sensitive customer data and intellectual property is left open to anyone who can find the domain, with zero authentication.

The problem has become so pronounced that the CSA this month added it to a new “Egregious 11” list of top threats to the cloud. It’s getting worse as firms build out their cloud deployments across multiple platforms and vendors, the non-profit warned.

“Some common examples include unsecured data storage elements or containers; excessive permissions; default credentials and configuration settings left unchanged; standard security controls disabled; unpatched systems and logging or monitoring disabled and unrestricted access to ports and services,” the CSA explained. “Misconfiguration of cloud resources is a leading cause of data breaches and could allow deletion or modification of resources and service interruption.”

On the Radar

The problem is that such mistakes are not just being picked up by the white hats. Cyber criminals are increasingly scanning the internet using tools like Shodan to find exposed data they can hold to ransom or exploit in other ways. In August, news emerged of two ransom attempts in which hackers had found exposed MongoDB databases and stolen data. One affected 700,000 Choice Hotels customers and the other more than two million customers of Mexican bookseller Libreria Porrua.

In fact, according to Gartner: “nearly all cloud attacks are the result of customer misconfiguration, mismanagement and mistakes.” And the hackers are getting increasingly creative in how they exploit such mistakes. Last month, a security vendor spotted a coordinated campaign which automated the discovery of exposed AWS S3 buckets, before injecting digital skimming code known as Magecart into any JavaScript it found. This series of attacks could have compromised websites linked to 17,000 domains including many in the top 2,000 of Alexa rankings, the firm said.

Time to Act

Things have become so bad that AWS reassured Senator Ron Wyden recently in the wake of the Capital One breach that it would “proactively scan the public IP address for our customers’ firewall resources to try and assess whether they may have misconfigurations.” However, IT leaders can’t rely on their cloud providers to do all the running. They must be more proactive if they want to mitigate risk effectively and satisfy GDPR regulators.

As the CSA advises: “this dynamic environment requires an agile and proactive approach to change control and remediation that many companies have not yet mastered.” So, what must be done? Here are a few best practice tips:

  • Organisations doing this on their own would do well to restrict access controls along the lines of “least privilege”: this means only giving users the minimum set of permissions necessary to perform their daily tasks
  • Continual scanning for misconfigured resources is also recommended by Gartner and the CSA, plus real-time remediation of any issues discovered. Gartner recommends use of a Cloud Security Posture Management (CSPM) tool to support these efforts
  • IT admins should also get more familiar with the cloud platforms the organisation is using. AWS last year introduced a series of new improvements to reduce misconfiguration mistakes, for example. AWS also recommends its own Macie and GuardDuty services to detect anomalies faster
  • Finally, if you outsource cloud management to a Managed Service Provider (MSP), this is the time to ensure they have strong security credentials. That means checking on their industry reputation, looking for certifications/accreditations, and ensuring they have strong processes in place for restricting privileges and detecting and remediating any misconfiguration mistakes. Due diligence has always been important in making the right decisions on which MSP to choose, but the threat posed by insider error adds a new urgency to the task.
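The two misconfiguration classes this article keeps returning to, storage left open with zero authentication and permissions broader than a task needs, are both things a continual scan can catch before an outside scanner does. The following Python script is an added example, not code from the article or from Nasstar, AWS or the CSA: it audits a configuration snapshot for public S3 bucket settings and for IAM statements that use wildcard actions or apply to every resource. The bucket and policy snapshots are constructed sample data shaped like the responses boto3 returns from `get_public_access_block`, `get_bucket_acl` and `get_policy_version`; the bucket names, policy names and owner ID are placeholders, and in practice you would replace the embedded samples with live API responses.

```python
"""Offline audit of a cloud configuration snapshot for two misconfiguration
classes: public S3 buckets and over-broad IAM permissions (added example)."""

# Grantee URIs that S3 ACLs use for "everyone" and "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

# Constructed sample snapshots (placeholder names and IDs), shaped like boto3's
# get_public_access_block() and get_bucket_acl() responses.
SAMPLE_BUCKETS = {
    "customer-exports": {
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        ],
    },
    "internal-logs": {
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
        ],
    },
}

# Constructed sample IAM policy documents (placeholder names).
SAMPLE_POLICIES = {
    "app-server-role-policy": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    },
    "export-writer-policy": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:PutObject"],
                       "Resource": "arn:aws:s3:::customer-exports/*"}],
    },
}


def audit_bucket(name, snapshot):
    """Return findings for one bucket: disabled public-access blocks and public ACL grants."""
    findings = []
    pab = snapshot.get("PublicAccessBlockConfiguration", {})
    for setting in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(setting, False):
            findings.append(f"{name}: public access block '{setting}' is disabled")
    for grant in snapshot.get("Grants", []):
        label = PUBLIC_GRANTEE_URIS.get(grant.get("Grantee", {}).get("URI"))
        if label:
            findings.append(f"{name}: ACL grants {grant['Permission']} to {label}")
    return findings


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def audit_policy(name, policy):
    """Flag Allow statements with wildcard actions or a Resource of '*'."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild_actions:
            findings.append(f"{name}: wildcard action(s) {wild_actions}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{name}: statement applies to every resource (Resource '*')")
    return findings


def audit_all(buckets=SAMPLE_BUCKETS, policies=SAMPLE_POLICIES):
    """Run both audits over a snapshot and return every finding as a string."""
    findings = []
    for name, snap in buckets.items():
        findings.extend(audit_bucket(name, snap))
    for name, pol in policies.items():
        findings.extend(audit_policy(name, pol))
    return findings


if __name__ == "__main__":
    for line in audit_all():
        print("FINDING:", line)
```

Run against the embedded sample, the script reports five findings: two disabled public-access-block settings and one anonymous READ grant on `customer-exports`, and a wildcard action plus a `Resource: "*"` on `app-server-role-policy`; the tightly scoped `internal-logs` bucket and `export-writer-policy` produce none. Feeding it a fresh snapshot on a schedule, and alerting when the finding list is non-empty, is the simplest form of the continual scanning the CSA and Gartner recommend.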

If you are looking to become cyber-secure, contact us today. We can help to protect your business from ransomware or any other threats affecting your firm today. Alternatively, read our top 10 tips for improving your company’s IT security here.


Phil Muncaster

Phil is an internationally known technology writer, having regularly written for The Register, InfoSecurity and IT Week on the subject of technology, IT and security.
