Dark Reading is part of the Informa Tech Division of Informa PLC

Cloud

4/14/2020
You're One Misconfiguration Away from a Cloud-Based Data Breach

Don't assume that cyberattacks are all you have to worry about. Misconfigurations should also be a top cause of concern.

Not all instances of data exposure in the cloud are the product of malicious intentions from either internal or external actors. In its "2019 Data Breach Investigations Report" (DBIR), for instance, Verizon Enterprise showed that errors constituted one of the top causes in the data breaches it examined. Verizon's researchers attributed 21% of those incidents to misconfigurations, which are now one of the most common ways by which digital criminals can gain a foothold into your infrastructure-as-a-service (IaaS) environment. 

Let's take a look at what misconfigurations look like in the cloud, why they pose such a security risk, and how you can avoid them.

What Is a Cloud Misconfiguration?
A cloud misconfiguration occurs when you have not configured a cloud-related system, asset, or tool properly. This improper setup may in turn jeopardize the security of your cloud-based data depending on the affected system, asset, or tool.

McAfee provided a list of such misconfigurations affecting Amazon Web Services (AWS) in its "Cloud Native: The Infrastructure-as-a-Service (IaaS) Adoption and Risk Report":

● EBS data encryption is not turned on.
● There's unrestricted outbound access.
● Access to resources is not provisioned using IAM roles.
● EC2 security group port is misconfigured.
● Publicly exposed cloud resources.
● EC2 security group inbound access is misconfigured.
● Unencrypted AMI is discovered.
● Unused security groups are discovered.
● VPC Flow logs are disabled.
● Multifactor authentication is not enabled for IAM users.
● S3 bucket encryption is not turned on.

As you can see, misconfigurations are the product of human error. This means that you can remediate misconfigurations by setting the configurations of your systems and tools to a more stable and secure state.

Unfortunately, this is easier said than done. This is especially the case if you don't think you're responsible for fixing misconfigurations in your cloud environments. As I noted in an earlier blog post, you might be inclined to think that your cloud service providers automatically cover all of your security needs. In reality, you are responsible for securing your customer data in the public cloud, securing your applications, and protecting your operating systems.

As a result, it's not surprising that 99% of misconfigurations flew under the radar of McAfee's survey respondents using IaaS. They were aware of about 37 incidents involving misconfigurations per month. But because they weren't looking for these issues or they didn't have tools capable of auditing configurations, they didn't realize that they were actually experiencing closer to 3,500 incidents each month.

Such lack of awareness translated into an inadequate response. Indeed, nearly a quarter of McAfee's survey participants said that it took them longer than a day to correct an IaaS misconfiguration. This gave adversaries plenty of time to abuse the misconfiguration for malicious purposes.

Why It's Important to Fix Misconfigurations
All of this brings us to an important question: Why is it important for you to fix a misconfiguration? What can a malicious actor do with a misconfiguration?

Misconfigurations themselves are one of the most common ways by which digital criminals gain a foothold in your IaaS environment. They often do this by leveraging compromised or weak credentials as a legitimate user. Other times, they exploit a vulnerability in software that's deployed in your environment.

From there, digital criminals expand their reach beyond the landing node to target other parts of your environment. For instance, they leverage privileges within the compromised node to access other nodes remotely, probe for improperly secured apps and databases, or simply abuse weak network controls. They can then exfiltrate your data while remaining under the radar by copying data to an anonymous node on the Web or creating a storage gateway to access data from a remote location.

Here are a few examples that illustrate how malicious actors capitalized on organizations' cloud misconfigurations to steal their sensitive information:

● Capital One: Paige Thompson, a 33-year-old Seattle resident and former AWS software engineer, exploited a misconfigured web application firewall to access a server owned and operated by Capital One. That server contained 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and an undisclosed number of customers' personal information. Thompson then attempted to share access to the information with others online, per CNN.

● Imperva: According to Threatpost, Imperva created an internal compute instance that was misconfigured and publicly accessible. That instance contained an AWS API key, a resource that enabled attackers to access a database snapshot and exfiltrate the information of some of its customers.

● CenturyLink: Security researchers found a third-party MongoDB database that was left unprotected on the web, reported SCMagazine. Upon taking a closer look, the researchers found that the database contained 2.8 million CenturyLink data records belonging to several hundred thousand of the tech company's customers.

Minimizing Misconfigurations in the Cloud
Per McAfee's survey, you can minimize the occurrence of misconfigurations in the cloud by training your security teams to understand cloud infrastructure at the same level as their DevOps counterparts. It also helps to build IaaS configuration auditing into your CI/CD process, preferably at the code check-in phase.
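As an added illustration of the kind of configuration audit the previous paragraph recommends (code written for this page, not from the article or from McAfee's report), the routine below checks a snapshot of account state against several items on the misconfiguration list above: open inbound and outbound security group rules, unencrypted EBS volumes and S3 buckets, IAM users without MFA, and VPCs without Flow Logs. The snapshot format only loosely mirrors AWS describe-* output, and every resource ID in it is hypothetical.

```python
# Added example: audit a constructed account snapshot against several of the
# AWS misconfigurations listed above. Snapshot shape and IDs are hypothetical.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 27017}  # SSH, RDP, MySQL, Postgres, MongoDB

def _open_world(rule):
    """True if the rule's source/destination includes the whole IPv4 Internet."""
    return any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))

def _covers_port(rule, port):
    """True if the rule permits `port` (IpProtocol -1 means all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def audit(snapshot):
    """Return (severity, message) findings; an empty list means no issues found."""
    findings = []
    for sg in snapshot.get("security_groups", []):
        for rule in sg.get("IpPermissions", []):
            hit = sorted(p for p in SENSITIVE_PORTS if _open_world(rule) and _covers_port(rule, p))
            if hit:
                findings.append(("high", f"{sg['GroupId']}: inbound from 0.0.0.0/0 on ports {hit}"))
        if any(_open_world(r) for r in sg.get("IpPermissionsEgress", [])):
            findings.append(("medium", f"{sg['GroupId']}: unrestricted outbound access"))
    for vol in snapshot.get("ebs_volumes", []):
        if not vol.get("Encrypted"):
            findings.append(("medium", f"{vol['VolumeId']}: EBS encryption not turned on"))
    for bkt in snapshot.get("s3_buckets", []):
        if not bkt.get("ServerSideEncryption"):
            findings.append(("medium", f"{bkt['Name']}: S3 bucket encryption not turned on"))
    for user in snapshot.get("iam_users", []):
        if not user.get("MfaEnabled"):
            findings.append(("high", f"{user['UserName']}: MFA not enabled for IAM user"))
    for vpc in snapshot.get("vpcs", []):
        if not vpc.get("FlowLogsEnabled"):
            findings.append(("low", f"{vpc['VpcId']}: VPC Flow Logs disabled"))
    return findings

SAMPLE = {  # constructed snapshot with hypothetical resource IDs
    "security_groups": [{"GroupId": "sg-0123example",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}],
    "ebs_volumes": [{"VolumeId": "vol-0abc", "Encrypted": False}],
    "s3_buckets": [{"Name": "example-logs", "ServerSideEncryption": "AES256"}],
    "iam_users": [{"UserName": "deploy", "MfaEnabled": False}],
    "vpcs": [{"VpcId": "vpc-0def", "FlowLogsEnabled": True}],
}
```

Running `audit(SAMPLE)` on the constructed snapshot reports the open SSH rule, the unrestricted egress, the unencrypted volume, and the IAM user without MFA, while the encrypted bucket and the VPC with Flow Logs enabled produce no findings; in a CI/CD check-in gate, any "high" finding would fail the build.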

Invest in cloud-native security tools that allow you to monitor your networks for suspicious activity such as a malicious actor abusing a set of compromised credentials, moving laterally across the cloud environment, or attempting to exfiltrate information. [Editor's note: The author's company is one of many that offer such tools.] The key is to gain the necessary visibility of your environments, all without bogging you down with false positives.

Suresh Kasinathan has more than 20 years of experience in design, development, integration, and deployment of cutting-edge products in the areas of public cloud, storage, virtualization, and networking products. In his current role as a Principal Cloud Security ... View Full Bio