Anatomy of data breach in cloud generation

Reference Source: securitymagazine. Pushkar Tiwari is the Director of Development at the Symantec Division of Broadcom.

In 2017, Gartner predicted that the public cloud computing industry would be worth $236 billion by 2020 as demand surges, driven by the growing number of businesses recognizing cloud computing as a data center solution. And for good reasons: cloud has proven to offer enhanced stability, security, flexibility, and cost savings.

LogicMonitor’s ‘Evolution of IT’ report 2020 also shows that cloud migration has accelerated sharply because of the pandemic. Cloud is taking industries by storm, and the statistics about its adoption are worth knowing.

Some Incredible Cloud Adoption Stats

  • The public cloud service market is expected to reach $623.3 billion by 2023 worldwide.
  • 83% of enterprise workloads will be in the cloud by the end of 2020.
  • 94% of enterprises already use a cloud service.
  • 30% of all IT budgets are allocated to cloud computing.
  • 66% of enterprises already have a central cloud team or a cloud center of excellence.
  • Businesses leverage almost 5 different cloud platforms on average.
  • 50% of enterprises spend more than $1.2 million on cloud services annually.

Traditionally, in the on-premises world, data is isolated and nowhere close to the internet, while in the cloud, data is easily accessible through the internet. Cloud migration has invalidated the assumptions around data security that held for on-premises environments. It is extremely difficult for information security professionals to adapt their practices to rapidly evolving cloud environments, and this is leading to cloud-based data breaches.

Data breaches in the cloud are rising at a rapid speed

According to the 2020 Verizon Data Breach Investigations Report, data breaches targeting cloud-based infrastructure increased by 50% in 2019 compared to 2018: businesses shifted more of their confidential information to the cloud, while misconfiguration and insider threats increased the risk of a breach.

The rising cloud security concerns

Aberdeen, a research firm, has found that at least one in every three businesses loses its SaaS data. Cloud providers (SaaS and IaaS) guarantee protection against downtime resulting from power losses, natural disasters, and application failures; ensuring data security in this dynamic environment, however, remains a challenge.

Data breaches in the cloud happen due to multiple factors: malicious attacks, well-meaning insiders, malicious insiders, stolen or compromised credentials, and misconfigurations. These factors are evident in major breaches such as those at Capital One Financial Corporation and Verizon.

The data breach at Capital One financial corporation

Take one recent example of a cloud-based data breach: that of Capital One Financial Corporation in July 2019. It resulted in a hefty fine of $80 million for the company, imposed by the Office of the Comptroller of the Currency. In this breach, an ex-employee of Amazon Web Services illegally accessed Capital One’s AWS cloud servers through a misconfigured web application firewall and leaked the personal data of over 106 million customers.

The Data Leaks at Verizon

A similar incident occurred in 2017 when Verizon fell victim to a cloud data leak that exposed millions of customers’ data. Almost 6 million of Verizon’s customers in the U.S. had their account details exposed, including their PINs.

Verizon’s data leak is attributed to a misconfigured cloud server: a third-party provider wrongly configured Verizon’s cloud-based file repository, an Amazon Web Services S3 bucket on NICE’s cloud server.

These are two of thousands of cloud-based data breach cases, raising concerns about cloud security and about migrating data to this novel solution.

The key data breach sources

Malicious attack

According to the Ponemon data breach report 2020, malicious attacks are the most common and most expensive cause of data breaches: 52% of data breaches were caused by malicious attacks. Malicious attacks comprise various techniques such as social engineering attacks, vulnerability exploits, and malware infections.

Social engineering attacks

Social engineering is a non-technical strategy that cyberattackers use. It relies heavily on human interaction and often involves tricking people into breaking standard security practices. When successful, many social engineering attacks enable attackers to gain legitimate, authorized access to confidential information.

Vulnerability exploits

An exploit is code that takes advantage of a software vulnerability or security flaw. When used, exploits allow an intruder to remotely access a network and gain elevated privileges or move deeper into the network.

Malware infections

Today, most malware is a combination of traditional malicious programs, often including parts of Trojans and worms and occasionally a virus. Usually the malware program appears to the end-user as a Trojan, but once executed, it attacks other victims over the network like a worm.

The case of Equifax data breach due to unpatched vulnerability

Equifax, one of the three largest consumer credit reporting agencies in the United States, announced in September 2017 that its systems had been breached and the sensitive personal data of 148 million Americans had been compromised. The data breached included names, home addresses, phone numbers, dates of birth, social security numbers, and driver’s license numbers. The vulnerability that attackers exploited to access Equifax’s system was in the Apache Struts web-application software, a widely used enterprise platform.

Well-Meaning Insiders

Insiders come in many guises; the most common type includes those who are not aware of security policies, accidentally create public share links, or access unauthorized applications to increase their productivity. Well-meaning insiders do not have bad intentions but inadvertently cause a data breach through negligence or outside influence, for example by falling for a phishing scam or becoming the victim of blackmail.

There are multiple instances where big enterprises inadvertently suffered data breaches by sharing public links to files in cloud storage applications like Box, OneDrive, etc.

Inadvertent leak of sensitive information from Box by well-meaning insiders

Although data saved in Box enterprise accounts is fully private by default, users can still share files and folders, which makes the data publicly accessible via a single link. Adversis found over 90 businesses with publicly accessible folders. Worse, many public folders were indexed and scraped by search engines, making the data even easier to find. Companies lost sensitive data like SSNs, passwords, employee lists, etc. Accidental sharing of public links to files in Box accounts led to data leak incidents at many companies, including Amadeus, Apple, and Discovery.

Malicious insiders

Malicious insiders can be terminated employees, spies, former employees, contractors, or business associates who have legitimate access to your systems and data but use that access to destroy data, steal data, or sabotage your systems.

Due to the pandemic, many layoffs are already happening and more may follow. This leads to disgruntled employees who can potentially turn into malicious insiders. Employees who have left the organization may continue to have access to cloud services if that access is not revoked in time, and they can misuse it to steal sensitive information. The data leak at Sage is a classic example of a leak caused by a disgruntled employee misusing access.

Case of data breach at Sage by malicious insider

According to ibtimes, the London police arrested an employee of Sage, a UK technology firm, for a recent data breach that exposed between 200 and 300 of its customers’ accounts. The 32-year-old female employee was involved in “unauthorized access” to Sage’s computer systems that left data at risk. At the time of the incident, Sage did not stipulate the kind of data accessed. However, according to the Financial Times, the employee’s information was used to access data on “between 200 and 300 companies.”

Cloud service misconfigurations

The 2020 Cloud Misconfigurations Report studied all of the data breaches publicly reported between 2018 and 2019 across the globe and found that 196 separate data breaches were definitively caused primarily by cloud misconfigurations.

Organizations are rapidly adopting cloud services from multiple cloud providers. Each provider has many security configurations, so the number of settings to manage explodes with multiple providers and various configurations for each. It is extremely difficult for security teams to learn and understand the complexities of security configuration in a dynamic environment involving multiple cloud providers, and this leads to inadvertent misconfiguration mistakes.

Common misconfigurations are:

  • Weak authentication on data storage
  • Carrying over on-prem configuration as-is to the cloud
  • Misconfigured security policy on data storage items, such as AWS S3 objects, public S3 buckets, public share links, etc.
  • Over-privileged accounts
  • Cloud administrators not enforcing strong authentication
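As an added illustration (not code from the article or from Broadcom/Symantec), the check below audits an S3 bucket description for the storage misconfigurations listed above: public access block not enforced, a bucket policy that grants access to everyone, and no default encryption. The two bucket descriptions are constructed to mirror the shape of the AWS S3 API responses; nothing is fetched from AWS.

```python
import json
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample bucket descriptions (shape follows the AWS S3 API;
# all names and values are made up, nothing is fetched from AWS).
OPEN_BUCKET = {
    "Name": "example-customer-exports",
    "PublicAccessBlock": dict.fromkeys(PAB_KEYS, False),
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-customer-exports/*"}]}),
    "DefaultEncryption": None,
}
# The same bucket after remediation: public access blocked, the public
# policy removed, server-side encryption enforced.
FIXED_BUCKET = {
    "Name": "example-customer-exports",
    "PublicAccessBlock": dict.fromkeys(PAB_KEYS, True),
    "Policy": None,
    "DefaultEncryption": {"SSEAlgorithm": "aws:kms"},
}

def is_public_principal(principal):
    """True when a statement's Principal is the anonymous wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def audit_bucket(bucket):
    """Return the misconfiguration findings for one bucket description."""
    findings = []
    pab = bucket.get("PublicAccessBlock") or {}
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("public access block not fully enabled")
    stmts = json.loads(bucket["Policy"])["Statement"] if bucket.get("Policy") else []
    for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
        # Statements carrying a Condition (e.g. a VPC endpoint restriction) are not flagged; review them by hand.
        if stmt.get("Effect") == "Allow" and "Condition" not in stmt \
                and is_public_principal(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append("policy grants %s to everyone" % ", ".join(actions))
    if not bucket.get("DefaultEncryption"):
        findings.append("no default encryption configured")
    return findings
```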

The cloud misconfiguration case at Verifications.io

Verifications.io, a self-described “big data email verification platform,” suffered a data breach exposing some 763 million records. The breach was discovered by security researcher Bob Diachenko, who worked with fellow researcher Vinny Troia to count the number of exposed records and identify who was exposing them. They say the trail quickly led them to Verifications.io, a site that offers an “enterprise email validation” service.

How to Keep Information Secure in the Cloud?

Information discovery

Administrators should know what type of sensitive information is stored, where it is stored, what type of access control is configured, etc. It is impossible to manually track all the information types and their access configurations. Cloud providers have some native information discovery services, and third-party security tools are available that can provide real-time monitoring of information stored in the cloud.

The discovery phase reveals all the types of sensitive information, like PII, PCI, intellectual property, HIPAA data, sensitive keys, passwords, etc. Discovery can also reveal access configurations such as public share links, collaborators, etc.

Vulnerability management

Unpatched vulnerabilities are one of the biggest root causes of security breaches in the cloud. Administrators should establish good vulnerability management programs and practices. They can leverage native tools provided by cloud providers or third-party tools to discover vulnerabilities in their cloud deployments.

Proactively remediate security incidents

Security incidents are generated through discovery and active monitoring of cloud services. These incidents can reveal issues like:

  • sensitive information shared through a public share
  • information shared with external collaborators
  • inappropriate access configurations
  • no encryption
  • unpatched vulnerabilities

These incidents should be proactively addressed by taking appropriate actions.

Leverage incident analytics tools

In the cloud generation, information threat vectors are growing exponentially. Administrators need good incident analytics tools that can analyze security risk incidents from multiple vendors and generate key actionable insights for administrators. These analytics tools can apply modern machine learning techniques to detect malicious user and application behaviors and prevent them from leaking sensitive data.

Security best practices

  • Configure your cloud service accounts following the best practices recommended by the providers: enable auditing and appropriate logging, review default permissions, disable root accounts, disable public sharing, etc.
  • Follow the principle of least privilege for each account and workload, and separation of duties for sensitive activities.
  • High-privilege accounts need extra protection, and proper access auditing for these accounts should be configured.
  • Rotate security keys periodically. Rotation intervals can vary between 30 days and 12 months depending on the sensitivity of the key. This is very effective when employees leaving the company still hold security keys, or when keys are misplaced or lost.
  • Use corporate identities and enable multi-factor authentication to access cloud services; organizations can use identity management services for this. This prevents ex-employees from accessing services after they leave the company.
  • Run an active user education program to ensure users are aware of security policies and best practices for keeping organizational information secure. Information security is incomplete without proper user education.
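To show how the key-rotation and ex-employee points above can be checked mechanically, here is an added example (not from the article): it takes an inventory in the shape of IAM access-key metadata, tagged with a sensitivity tier, and reports active keys that have outlived their rotation interval, plus active keys still held by users who have left. The tier names, the 30/90/365-day intervals (chosen within the article's 30-day to 12-month range), the user names, key IDs and the fixed clock are all constructed.

```python
from datetime import datetime, timezone

# Rotation limits by key sensitivity, within the 30-day to 12-month range
# the article gives; the tier names and exact values are this example's own.
ROTATION_DAYS = {"high": 30, "medium": 90, "low": 365}
AS_OF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # fixed clock for a reproducible run

# Constructed inventory shaped like IAM access-key metadata plus a sensitivity
# tag. User names and key IDs are placeholders, not real credentials.
SAMPLE_KEYS = [
    {"UserName": "payments-deployer", "AccessKeyId": "AKIAEXAMPLE000001",
     "Status": "Active", "Sensitivity": "high",
     "CreateDate": datetime(2020, 7, 1, tzinfo=timezone.utc)},
    {"UserName": "reporting-readonly", "AccessKeyId": "AKIAEXAMPLE000002",
     "Status": "Active", "Sensitivity": "low",
     "CreateDate": datetime(2020, 8, 15, tzinfo=timezone.utc)},
    {"UserName": "departed-contractor", "AccessKeyId": "AKIAEXAMPLE000003",
     "Status": "Active", "Sensitivity": "medium",
     "CreateDate": datetime(2020, 1, 10, tzinfo=timezone.utc)},
    {"UserName": "old-but-disabled", "AccessKeyId": "AKIAEXAMPLE000004",
     "Status": "Inactive", "Sensitivity": "high",
     "CreateDate": datetime(2019, 1, 1, tzinfo=timezone.utc)},
]
DEPARTED_USERS = {"departed-contractor"}

def overdue_keys(keys, now, rotation_days=ROTATION_DAYS):
    """Return (AccessKeyId, days_overdue) for active keys past their limit,
    most overdue first, so remediation can be prioritised."""
    overdue = []
    for key in keys:
        if key["Status"] != "Active":
            continue  # an inactive key cannot be used; no rotation deadline applies
        # A key with no or unknown sensitivity tier gets the strictest limit.
        limit = rotation_days.get(key.get("Sensitivity"), min(rotation_days.values()))
        age_days = (now - key["CreateDate"]).days
        if age_days > limit:
            overdue.append((key["AccessKeyId"], age_days - limit))
    return sorted(overdue, key=lambda item: item[1], reverse=True)

def keys_of_departed_users(keys, departed_users):
    """Active keys still held by users who have left; these should be
    deactivated at once rather than waiting for the rotation interval."""
    return [k["AccessKeyId"] for k in keys
            if k["Status"] == "Active" and k["UserName"] in departed_users]

if __name__ == "__main__":
    print(overdue_keys(SAMPLE_KEYS, AS_OF))
    print(keys_of_departed_users(SAMPLE_KEYS, DEPARTED_USERS))
```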

Conclusion

More and more companies are adopting the public cloud quickly because they need its speed and agility to be competitive and innovative in today’s fast-paced business landscape. The problem is, many of these companies are failing to adopt a holistic approach to security, which opens them up to undue risk. Secure cloud configuration must be a dynamic and continuous process, and it must include automated remediation. Security efforts and measures to guarantee confidentiality, integrity, and availability can be split between those oriented to prevention and those responsible for detection.