Two more misconfigured databases exposing the personal details of thousands of people were disclosed late last week.
The Maryland Joint Insurance Association (MDJIA, with offices in Ellicott City, MD) left internet access to a data repository of customer files containing information such as customer names, addresses, phone numbers, birth dates, and full Social Security numbers; together with financial data such as check images, full bank account numbers, and insurance policy numbers. Also exposed were MDJIA access credentials for ISO ClaimSearch, a third-party insurance database containing ‘tens of millions of reports on individual insurance claims’ for industry professionals. The problem was a NAS server with an open port 9000.
Paris-based Octoly, a brand marketing firm, left open internet access to an AWS S3 bucket. This contained details of its IT operations, including sensitive personal details of more than 12,000 social media influencers used in its marketing campaigns. The details include the real names, addresses, phone numbers, email addresses – including those specified for use with PayPal – and birth dates, together with thousands of hashed passwords.
Both misconfigurations were discovered by Chris Vickery, the director of cyber risk research at UpGuard. Researcher Vickery has discovered numerous misconfigurations providing open access to sensitive, often personal, information over the last few years. Examples include details of 191 million U.S. voters, nearly 1.4 billion user records exposed by known spammers, and sensitive military data belonging to the U.S. National Geospatial-Intelligence Agency (NGA) left exposed by contractor Booz Allen Hamilton.
None of these misconfigurations require any hacking effort or skill to exploit, merely a computer with internet access. If a white hat researcher such as Vickery can find them, potentially any malicious actor could also find them with disastrous results. The question then is, why do misconfigurations, rated #6 in the OWASP top ten threats list, happen so frequently – and what should organizations do to prevent them?
Bryce Carlen; CIO at Washington State Department of Commerce, notes that MDJIA is a small organization with minimal – if any – dedicated IT staff. He warns that there may be many more small organizations in a similar position. “If this is as small an organization as it appears to be, then all of this is no real surprise. If you only have the budget for one or two IT staff or contractors, it’s likely you’re not going to have dedicated security staff or deep security expertise in the generalists you have working for you.” The problem, he added, is that small organizations don’t understand the risks until after a cybersecurity event, because protecting data is not part of the core business based around using that data.
The Octoly incident is similar to many other examples of exposed AWS S3 buckets. “Every time I look at the AWS control panel, it seems like there are new services available, each of which comes with new settings and configuration switches. It’s especially tough when you layer that on top of the constantly evolving job of securing your on-prem environment against shifting threats,” Carlen said.
He fears that the cloud is simply increasing ‘security fatigue’, leading to simple errors. “It’s one of the things that frightens me about the cloud. There are a bunch of what appear to be otherwise competent organizations making a big mess with cloud configuration settings.”
Randy Potts, information security leader at Real Time Resolutions, Inc, believes the problem is still a missing ‘culture of security’ in many organizations. “Both of these incidents [last week] happened because the person that deployed them did not think about the bad actors. They only think about giving access to the people that need it, not preventing access from those that should not have it.”
He believes that it is the continuing point of tension between IT and information security. “IT is measured by uptime and functionality, but information security is measured by controlling access to data. From the IT perspective, information security risks breaking access and harming functionality.” He believes that IT personnel need to understand security better: “They need to respect that while not taking that extra step may save time now, it can have a serious impact to the organization later.”
But the problem goes beyond just IT and security into the entire corporate culture; that is, “the moral obligation that everyone handling sensitive information has to the people that correspond to that PII.” That includes the business owners as well as the IT staff and the security team.
This is a theme agreed by Graham Mann, managing director at CyberSpace Defence Ltd. “Management must shoulder their portion of the blame because they simply do not attach sufficient importance to security,” he says. He believes it is an area that can be addressed by legislation – indeed, it has already been addressed by the EU’s General Data Protection Regulation (GDPR).
“GDPR specifically addresses the issues outlined in these so-called misconfiguration problems,” he told SecurityWeek; “and had Octoly happened five months later, they would now be facing a significant fine. Moreover, given the closeness of GDPR, it’s somewhat amazing that Octoly hasn’t yet put measures in place to avoid such catastrophes.
“Misconfigurations are entirely feasible and easy to make when you are rushing to implement a device or making seemingly innocuous modifications to existing devices,” he continued. “Most IT administrators probably never consider the implications or consequences of making such errors. That’s why you need to consider the potential repercussions in advance (as specified in GDPR); you need to undertake a risk analysis on everything you do — what could go wrong and what can we do to ensure any errors are mitigated. This is where management are critical: the involvement of security must be supported from above.”
Security researcher and consultant, Stewart Twynham, goes one step further. He believes the gaps between IT and security can be closed by treating both as aspects of corporate governance. “Professional IT people are under constant pressure to get things done, which is why security should be treated as a governance issue as well as an IT one,” he suggests. “Without those checks and balances (have we carried out the due diligence? do we fully understand the technology? do we understand the risks? do we have a process in place to continuously review what weíve set up?) mistakes like this will continue to happen.”
In short, misconfigurations will continue to occur while the pressure on IT to react instantly to business requirements goes unabated. Any alteration to the IT infrastructure should involve the security team before implementation. But this will require senior management to own the problem under an overarching corporate governance regime – and when that happens, misconfigurations will be less common.