In the wake of the devastating WannaCry and NotPetya ransomware attacks, it was hard to imagine any more negligence in the IT world. But just a few short weeks later, security researchers found misconfigured servers and bad defaults, coupled with simple IT errors, that exposed hundreds of millions of users’ personal information. Where did they find this information? Amazon. Yes, Amazon – the web service known for securely loading, storing, and moving large amounts of data.
A Bit of Background
Amazon S3, part of Amazon Web Services (AWS), provides utility storage for a variety of web apps. S3 is cost effective, globally available and massively scaled, and it has essentially transformed the storage industry. Its architecture lets users and applications access data seamlessly and efficiently. To use S3, you define “buckets” in which to store data, and each bucket gets its own URL. When a bucket is created, its default sharing permissions are private, meaning only the account that created the bucket can access it. But data is meant to be shared, so Amazon lets the user extend access to others by defining identity and access management policies.
Permissions can be set at several levels, which gives users flexibility; however, many users are not configuring their bucket permissions correctly, and the resulting misconfigurations leave data exposed. A contributing factor may be that the method for managing bucket permissions is not as intuitive as it could be. Within the Web Services console, the only other sharing option available is “Public,” an option that Amazon tags as “Not Recommended.”
Why is this so bad?
Some of the world’s largest companies are experiencing massive data breaches:
- Scottrade – Exposed sensitive loan applications of roughly 20,000 customers, containing account passwords in plain text, names, addresses and Social Security numbers.
- Republican National Committee (RNC) – Exposed almost 200 million records with personal data of U.S. voters, including names, birth dates, addresses, voter registration details and social media posts.
- World Wrestling Entertainment (WWE) – Exposed 3 million personal records of wrestling fans, including home addresses, earnings and ethnicity.
- Verizon – Exposed records of about 14 million customers – each included a name, phone number and account PIN.
- Dow Jones – Exposed 2.2 million customers’ data, including names, addresses, account information, and last four digits of credit card numbers of some subscribers.
Breaches of this size, with buckets holding a large collection of sensitive information, can be catastrophic.
Who is to blame?
Both user error and Amazon share the blame for the series of cloud data leaks. Imagine leaving your house without locking the front door. Sure, a burglar holds some of the blame if you get robbed, but perhaps you should have taken a little more care in securing the house. IT administrators need to take more precautions when setting permissions to ensure that systems and data are appropriately protected. Reviewing bucket permissions before committing them would be a step in the right direction.
Given the number of careless mistakes, though, Amazon has to accept some of the blame. It followed up with a security alert for S3 users warning them of the issue and encouraging them to review bucket permissions. That raises awareness, but it doesn’t address Amazon’s weak configurations. Nor will it prevent an IT admin from taking a shortcut or an outsider from discovering the exposures.
Corporate Awareness Required
The possibility of an outsider uncovering company data should be the most important thing on IT’s mind. Defining checks and balances, identifying weaknesses and running vulnerability scans to validate settings are best practices, and they should be performed both before and after a service is published or a configuration change is made. If you don’t have confidence in your IT department to implement best practices, then you need to start giving marching orders.
These breaches will undoubtedly be topped in the future if the mindset of cyber resiliency across all platforms doesn’t become standard.