A colossal 12TB of data – including confidential intellectual property, penetration test results and other sensitive files in the cloud – can be pulled from exposed Amazon S3 buckets, rsync, SMB, FTP servers, misconfigured websites, and NAS drives, according to new research.
The “Too Much Information” report, published by Digital Shadows on Thursday, found that 1.5 billion files were exposed across the internet’s most ubiquitous file sharing services. That includes 64 million files in the UK alone – the equivalent of one file for nearly everyone in the country.
Security Teams, Bow your Heads
Thousands of security audits (5,794), network infrastructure details (1,830) and penetration test reports (694) were among the files publicly accessible online.
The instances were blamed by Digital Shadows on poor security practices in file-sharing protocols.
“As organizations look to bolster their internal security programs with assessments and penetration tests, they turn to external consultants and suppliers. As these consultants back up and share their work, this highly sensitive information can become exposed,” report authors Rick Holland, Rafael Amado and Michael Marriott noted.
“These reports don’t have their intended effect when they’re made publicly available online for anyone to find”, they noted drily.
Bucketloads of Data
Amazon S3 buckets remain an ongoing culprit, the report notes.
(Amazon Simple Storage Service, or S3, is storage that is designed to make web-scale computing easier for developers. Buckets are the fundamental container in Amazon S3 for data storage – with each object typically stored and retrieved using a unique developer-assigned key. Privacy, in short, is set by default and careless use is to blame.)
They added: “We have heard a lot about the exposure of S3 buckets and, while our research certainly found this to be a significant area of exposure, the amount of sensitive data exposed was far greater on other technologies, such as SMB, FTP and rsync.”
Continuous Monitoring Vital
Chris Wallis, CEO of continuous monitoring specialists Intruder, told Computer Business Review: “Exposing penetration testing and security audit reports is just one example of the things that can go wrong when you have accidentally misconfigured your computer systems and networks.”
He added: “Unfortunately it happens all too often and often exposes much worse than security information, such as entire customer databases. The best thing companies can do is ensure they have opted for continuous security monitoring services to find these misconfigurations and fix them before the bad guys get there first.”
Payrolls, IP, Source Code
Other sensitive data included medical files, confidential employee payroll (700,000) and tax return (60,000) files, as well as sensitive IP exposures.
“In one instance, we detected a patent summary for renewable energy in a document marked as ‘strictly confidential’; in another instance, we detected a document containing proprietary source code that was submitted as part of a copyright application. This had been uploaded to a public Amazon S3 bucket,” the report’s authors highlighted.
Some 64 million files were located specifically in the UK. The largest number of personal data files that were exposed came from medical records, at over 2.2 million. For IP data exposed, the largest area hit was source code at 95,434 files.
So what is the solution?
Dan Scarfe, Founder of global cloud solutions expert New Signature, told Computer Business Review that the case emphasised the need for experienced partners.
He said: “From implementing necessary updates and maintaining your applications, to monitoring for threats and providing ongoing education opportunities, you need to make sure that you have a complete cloud infrastructure management solution to ensure best practice and ironclad security. That lets you focus on what you do best and someone like us ensure that your IT infrastructure is operating successfully, securely and with ultimate efficiency.”
Organisations must do more to monitor services, in addition to focusing on employee training and awareness, being more vigilant about authenticating and accessing files, and taking care when sharing resources.
As the report shows, product configuration by end-users is mostly to blame. Ongoing employee security training is clearly crucial.
With just over a month until GDPR comes into force, organisations caught out like this may start to feel the financial consequences.
With new research from law firm Fox Rothschild this week showing that more than a quarter of companies surveyed do not furnish any cybersecurity and data privacy reports to their boards of directors, there is clearly room for improvement.
“Such negligence is potentially disastrous. Board members should, at a minimum, receive quarterly updates on data security – and more frequently if something material changes – from an informed, qualified C-level executive who is fluent and knowledgeable about cyber issues”, the report emphasises.