Last week Dow Jones, the business and financial news company that owns the Wall Street Journal, admitted that 2.2 million customers’ details were exposed due to an Amazon S3 bucket misconfiguration. They are not alone and follow similar mishaps reported by Verizon, World Wrestling Entertainment, and Scottrade. All of them share a common root problem: user error that exposed the contents of their S3 buckets. There are now over one million authenticated AWS users, and S3 misconfigurations are becoming all too common.
One may ask how this happens, and whether this data isn’t supposed to be kept from public access. By default, these services are tightly restricted and not publicly accessible. The exposure occurs when organizations choose to grant public or semi-public access and, in doing so, accidentally misconfigure their buckets so that the data becomes exposed.
The data exposure was discovered by Chris Vickery, a researcher with the cyber risk team at security vendor UpGuard, on May 31; he notified Dow Jones on June 5. UpGuard shared that the vulnerability appeared to have been secured by the next day.
A Dow Jones spokeswoman confirmed the situation and made the public statement, “We were made aware that certain Dow Jones/WSJ subscriber and Risk & Compliance content was over-exposed on Amazon Cloud (not the open internet). This was due to an internal error, not a hack or attack. Exposed details included some customers’ names, email and mailing addresses, and the last four digits of their credit card numbers.” They did not share whether they planned to notify potentially impacted customers.
Human error is all too often the root cause of the security failures that result in a data breach. Organizations can take some straightforward steps to mitigate these risks and keep their names off this growing list of compromised companies.
Organizations that use S3 or similar storage buckets can prevent user errors by applying the right access policies, documenting their practices, and putting monitoring in place to quickly detect issues as they arise.
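As an added illustration of that policy-plus-monitoring step (example code, not from the original post or from Attivo Networks), the following Python check flags the two settings that most often make a bucket public: a bucket policy that allows any principal, and an ACL grant to the AllUsers or AuthenticatedUsers groups. The bucket name, account id and role name are placeholders; the function names are this example’s own, and the input shapes follow what boto3’s get_bucket_policy and get_bucket_acl return, constructed inline so the check runs offline.

```python
"""Flag S3 public-access misconfigurations in a bucket policy and an ACL.
Added example, not from the original post; inputs are constructed inline."""
import json

PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _is_public_principal(principal) -> bool:
    # A statement is public when Principal is "*" or {"AWS": "*"}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def find_public_statements(policy_json: str) -> list:
    """Sids (or positions) of Allow statements open to any principal."""
    return [s.get("Sid", f"statement[{i}]")
            for i, s in enumerate(json.loads(policy_json).get("Statement", []))
            if s.get("Effect") == "Allow" and _is_public_principal(s.get("Principal"))]

def find_public_acl_grants(grants: list) -> list:
    """Permissions the ACL grants to the AllUsers/AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

# Constructed sample: a policy that opens every object to the world ...
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
# ... and the corrected version, scoped to one role (placeholder account and role).
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
# Constructed ACL grants (shape of get_bucket_acl()["Grants"]): owner plus public READ.
WEAK_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]

if __name__ == "__main__":
    print("weak policy:", find_public_statements(WEAK_POLICY))    # ['PublicRead']
    print("fixed policy:", find_public_statements(FIXED_POLICY))  # []
    print("weak ACL:", find_public_acl_grants(WEAK_GRANTS))       # ['READ']
```

Run on a schedule against every bucket in the account, a non-empty result from either function is the alert that turns a quiet misconfiguration into a ticket.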
Organizations should also have security controls in place to understand attack paths and to alert on attacker lateral movement as intruders conduct reconnaissance, steal credentials, and escalate their attack.
A defense-in-depth approach would also add deception-based controls: decoys and lures that act as trip wires, revealing an attacker’s presence as soon as they engage with a decoy or attempt to use a deception lure.
These three basic steps will help any organization better protect itself not only against nefarious actions but also against the simple mistakes that we, as humans, are all prone to make.
To discuss best practices in today’s environment, please visit Attivo Networks at BlackHat 2017 this week, held at the Las Vegas Convention Center, South Hall Booth #454. While there, don’t miss our Altered Reality Deception Hall of Mirrors, offering attendees an opportunity to experience the role of deception in changing the game on modern-day human attackers.