Starting in early April of 2017 the security community began to notice a series of data breaches associated with large and well-known organizations. These organizations all had one thing in common: the use of poorly secured Amazon Web Services (AWS) Simple Storage Service (S3) buckets to store their data. These incidents occurred over a short period of time and, surprisingly enough, the organizations listed below were not the only ones left exposed. It was found that 7% of all Amazon S3 buckets allow unrestricted public access to their data, and one third of those are left unencrypted.
These numbers show that the misconfiguration of a cloud container can happen to anyone, from army contractors to financial organizations, resulting in the exposure of highly sensitive information including personally identifiable information, security credentials, and financial records of their clients.
| First Announced | Company | What was exposed |
| --- | --- | --- |
| April 5th, 2017 | Scottrade | 20,000 customers' personal information and security credentials |
| May 30th, 2017 | Dow Jones | Personal information, emails and account information of a confirmed 2.2 million, estimated close to 4 million, customers |
| May 31st, 2017 | Booz Allen Hamilton | (Top US Defense Department contractor) Exposed sensitive information of 90,000 |
| July 13th, 2017 | WWE | Exposed personal information of 3 million wrestling fans |
| July 13th, 2017 | Verizon | (Nice Systems is a Verizon contractor) Claimed 4 million, estimated up to 14 million, customer records including personal PINs |
| Aug 9th, 2017 | Groupize | Close to 3,000 documents containing full credit card information |
| Aug 12th, 2017 | ES&S | (US voting machine supplier) 1.8 million records of personal information on American voters |
| Aug 31st, 2017 | TalentPen | (Cloud file hosted by AWS) Exposed 9,400 secret government applicants' security clearances |
| Sep 21st, 2017 | SVR Tracking | More than half a million customer records including security credentials, vehicle information, and location logs of vehicles |
How Were They Found
For each internet-facing Amazon S3 instance that is provisioned, a non-private name and URL are provided in order to access that instance over the internet. Many believe that if they simply do not tell anyone this URL it cannot be found, but in fact the instance will be detected and under attack in less than 10 minutes. There are threat actors constantly scanning the internet for systems that can be exploited. Once a system has been exploited by a threat actor, others begin to search for similar weaknesses in other systems that can be exploited in the same way. In the breaches mentioned above, that similarity was the use of AWS S3.
Who Is Responsible
Anyone can easily deploy infrastructure within a cloud environment in a matter of minutes, but that does not mean it will be secure. The misconfiguration of access controls and security permissions is the most common reason data breaches occur within the cloud. These misconfigurations are typically due to human error, as those provisioning and managing these instances may not understand how security is applied within the cloud. Security concepts and controls cannot be deployed the same way within a cloud environment as within a physical network. While both can provide the same level of security, each must be configured in its own way to ensure the environment is well protected. An important point to note is that Amazon sets the default access setting to private for all new buckets, and there are few configurations that can override this setting.
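The access-control misconfiguration described above is visible in two documents a bucket owner controls: the bucket ACL and the bucket policy. The following is an added example (not InfoTransec's code) that classifies those two documents as publicly accessible or not; the input dictionaries mirror the shape of the S3 GetBucketAcl and GetBucketPolicy API responses, but the sample data is constructed and no AWS call is made, so it runs offline.

```python
import json

# Real S3 grantee URIs: AllUsers is anyone on the internet, AuthenticatedUsers is
# any AWS account holder, which in practice is just as public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (group, permission) pairs granted to everyone or to any AWS account."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            # Every permission matters: READ lists and downloads objects, WRITE lets
            # anyone upload, and READ_ACP/WRITE_ACP let anyone read or rewrite the ACL.
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings

def public_policy_statements(policy_json):
    """Return the Sids of unconditional Allow statements whose Principal is '*'."""
    if not policy_json:
        return []
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        # A Condition block can narrow a wildcard principal (e.g. to a source IP range),
        # so only unconditional Allow-to-everyone statements are reported.
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

def is_public(acl, policy_json=None):
    """True if either the ACL or the bucket policy opens the bucket to the world."""
    return bool(public_acl_grants(acl) or public_policy_statements(policy_json))

# Constructed sample data (not from any real account): a private baseline, then the
# pattern behind the 2017 breaches, a READ grant to AllUsers plus a GetObject-to-anyone policy.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Grants": PRIVATE_ACL["Grants"] + [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Feeding the real API responses into these functions for every bucket in an account is the check that would have caught each of the buckets in the table above.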
The management of the cloud infrastructure and the configuration of cloud security controls and settings are the responsibility of the client. The client may take this responsibility upon themselves, or hire professional contractors to manage their cloud environment. Examples include Nice Systems, which was contracted by Verizon to manage their S3 environment, and Booz Allen Hamilton (one of the top US Defense Department contractors). When outsourcing the management of your cloud environment to a third party, the organization must ensure it has a clear and concise understanding of each party's role and responsibility to protect the organization's data.
What Can Be Done
The cloud environment can be an excellent solution for your organization's networking and infrastructure needs, but only if implemented securely. At InfoTransec we are dedicated to delivering the world's best practices to our customers and providing them with the information to securely implement, migrate or manage a cloud environment.