Published on 08/11/2021 | Written by Heather Wright
They’re still causing drama, but they can be prevented…
Organisations are continuing to make life easier for cybercriminals, with cloud misconfiguration ‘missteps’ – most often the result of a simple mistake rather than malicious action – continuing to leave businesses open to data exposure. It’s an area that has plagued security teams for years, with data exposures regularly making the headlines, and while the numbers may have declined somewhat, the 2021 Cloud Misconfigurations Report from cybersecurity vendor Rapid7 shows it remains an ongoing problem.
Rapid7 identified 121 publicly reported data exposure incidents disclosed in 2020 that were attributed to cloud misconfigurations. And the most common offenders?
The report notes that misconfigured permissions on AWS S3 buckets and internet-facing Elasticsearch servers were the most common types of exposure reported, accounting for 25 percent and 21 percent of reported incidents respectively.
“This isn’t surprising, given how easy it is for any individual to discover these services via easily accessible services,” the report notes.
As to the number of records exposed, the report says median data exposure was 10 million records, though one ‘mega breach’ resulted in the exposure of over ’20 billion with a B’ records.
Most of the exposures were unintentional and addressed quickly, the report notes; 62 percent of the cloud misconfiguration incidents were reported by security researchers trawling for unprotected S3 buckets and unsecured databases.
“While some misconfigurations are due to human error or caused by the assumption that software components come with safe defaults, many are deliberate choices to make it easier to access a given resource.”
AWS S3 object storage buckets and Elasticsearch databases were favourites for both attackers and researchers, accounting for nearly 45 percent of the misconfigured and compromised technologies.
Google Cloud, Azure Blob, Akamai CDN and NAS also featured, but in far smaller numbers.
So what’s a company to do?
The report says there are concrete steps companies can, and should, take to avoid appearing on next year’s misconfigurations list.
“First and foremost, you should now be keenly aware that there are individuals actively seeking out cloud service misconfigurations on a daily basis. Given the right tooling, it’s almost trivial for any moderately clever person to hunt for these cracks in the cloud at scale and they don’t even need to be targeting your organisation specifically to come across that unintended misconfiguration which ends up exposing sensitive data in your care,” the report notes.
Simple planning – knowing what you’re exposing and what safe, resilient configurations should look like – together with automation that monitors configurations, alerts on drift and remediates errors, will help avoid the potential for negative headlines.
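To make that kind of automated check concrete for the most common offender in the report, the misconfigured S3 bucket, here is an added example (not code from the Rapid7 report or this article) that evaluates the three places a bucket can be opened to the world: the bucket ACL, the bucket policy and the Public Access Block settings. It works on the JSON shapes the AWS S3 API returns for those objects, and the bucket documents it runs against are constructed for the example rather than taken from any real account.

```python
"""Static check for publicly exposed S3 bucket configurations (added example).

Inputs follow the JSON shapes returned by the S3 API: the bucket ACL
(get-bucket-acl), the bucket policy document (get-bucket-policy) and the inner
PublicAccessBlockConfiguration dict (get-public-access-block). The sample
documents at the bottom are constructed for this example.
"""
import json

PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ["BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"]


def acl_public_grants(acl):
    """Permissions the bucket ACL grants to the AllUsers/AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GRANTEES:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def _principal_is_public(principal):
    """True for the wildcard principal forms: "*", {"AWS": "*"} or {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Allow statements addressed to everyone that carry no Condition block."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Conditioned statements (source IP, VPC endpoint, ...) need human review,
            # but they are not unconditional public access, so they are not flagged here.
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        sid = stmt.get("Sid", "<no Sid>")
        findings.append(f"Policy statement {sid} allows {','.join(actions)} to everyone")
    return findings


def public_access_block_gaps(pab):
    """Which of the four Public Access Block settings are off (missing counts as off)."""
    return [k for k in PAB_KEYS if not pab.get(k, False)]


def assess_bucket(name, acl, policy, pab):
    """Report a bucket as exposed only when a public grant exists and Public Access
    Block does not neutralise it: IgnorePublicAcls masks public ACL grants, and
    RestrictPublicBuckets masks public bucket-policy statements."""
    gaps = public_access_block_gaps(pab)
    findings = []
    acl_findings = acl_public_grants(acl)
    if acl_findings and "IgnorePublicAcls" in gaps:
        findings += acl_findings
    policy_findings = policy_public_statements(policy)
    if policy_findings and "RestrictPublicBuckets" in gaps:
        findings += policy_findings
    return {"bucket": name, "exposed": bool(findings), "findings": findings,
            "public_access_block_gaps": gaps}


# Constructed sample documents (hypothetical bucket, not a real account).
OPEN_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]}
CONDITIONAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
]}
PAB_OFF = {k: False for k in PAB_KEYS}
PAB_ON = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    # The same ACL and policy, with Public Access Block off and then on.
    for name, pab in (("example-open", PAB_OFF), ("example-hardened", PAB_ON)):
        print(json.dumps(assess_bucket(name, OPEN_ACL, OPEN_POLICY, pab), indent=2))
```

In a real inventory job the three documents would come from the S3 API (`get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` in boto3) for every bucket in every account, and the `exposed` flag is what you alert on; the `public_access_block_gaps` list is worth alerting on as well, since a bucket that is clean today but has the block switched off is one errant policy away from the headlines.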
The report says companies should prioritise the adoption of a new model of security that provides continuous enforcement of controls and ensures secure configurations of all cloud services.
But be warned: It’s not a ‘set and forget’ task, with the report cautioning that all current and new cloud resources need to be monitored and have policies enforced continually to avoid even a temporary exposure of these often dynamic environments.
And don’t forget the potential for the past to come back to haunt you if malicious hackers did happen to see that errant configuration left exposed for just a day several years ago. “While you need to shore up your present-day cloud-based services, you should ensure there is an entry in your incident response tabletop exercise playbook for practicing how you would respond to a modern-day dump of a years-old incident.”