It was recently reported by the media that fully 7% of all Amazon S3 buckets are configured to allow public access, a misconfiguration behind several recent data exposure incidents. Publicly readable S3 buckets are reported to be behind major data leaks in which PII was exposed, including those at Viacom, Booz Allen Hamilton, WWE, Time Warner, Nice Systems/Verizon, Deep Root/GOP and TalentPen/TigerSwan.
In response, security experts from NuData Security, Virsec Systems and VASCO Data Security offered their views. Robert W. Capps, Vice President, Business Development at NuData Security, says: "We've seen a major escalation in high-profile events where personally identifiable information (PII) and other sensitive information has been left exposed on an unsecured server. The fact that so many organizations misconfigure access and security of these critical data storage methods in a trusted hosting service is yet another reason why consumer data is so freely available to cybercriminals through the Dark Web and other channels. Such information is used to create synthetic identities, or even impersonate legitimate consumers, to perpetrate account takeovers and secure fraudulent new lines of credit.
"The fact that so many organizations are made vulnerable through misconfigurations, such as we've seen with S3 buckets, clearly illustrates why it's time for every organization that's entrusted with personal data to take more effective steps to secure their servers. They must also better protect consumer data by adopting more effective technologies such as passive biometrics and behavioral analytics – which together let companies identify users through methods that can't be bad actors. Until PII data is rendered worthless by such advanced authentication, consumers will continue to be placed at unnecessary risk."
Willy Leichter, VP of Marketing at Virsec Systems, says: "It's far too easy in most organizations for anyone to fire up a server on Amazon and leave it in a default, unprotected mode. Most enterprises have strict rules on who can set up a physical server, but with AWS it's wide open. IT security teams need to regain control and treat any server – physical or virtual – as a sensitive asset, monitoring security settings, validating applications, and ensuring compliance."
Christian Vezina, CISSP, CISA, CISM, CRISC, CIPP/US, CIPT, Chief Information Security Officer, VASCO Data Security, adds: "All data breaches have something in common: let’s call it human oversight. Whether it’s going too quickly through emails and clicking on a phishing link by mistake, or forgetting to enable an important security setting, the human is the weakest link in the proverbial security chain. Amazon Web Services (AWS) is falling victim to its own success. Making it so easy for everyone to spin up their own servers somehow removes one entry barrier: technical savviness. Going cloud is relatively simple, but one needs to make the shift from their old paradigms. Seasoned system administrators would usually be able to navigate complex settings and build secure systems in the cloud. Less experienced staff, or staff under pressure to deliver working systems, may however forget a critical setting in the process, thereby exposing thousands, or even millions of records. If the information is out there and ready to be discovered, don’t solely rely on security through obscurity. It’s just a matter of time before someone figures it out. If you are hosting data on the cloud, take the time to configure your systems securely – and encrypt your data."
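The misconfiguration the experts above describe is concrete and checkable: a bucket is exposed when its ACL grants access to the AllUsers or AuthenticatedUsers groups, or when its bucket policy allows a wildcard principal, and nothing overrides that grant. The script below is an added example written for this page, not code from the article or from any of the vendors quoted; it evaluates the three S3 settings offline against constructed sample inputs. The bucket name, account ID, canonical user ID and VPC endpoint ID in the samples are made up. The dict shapes match what boto3's `get_bucket_acl`, `get_bucket_policy` (after `json.loads` of its `Policy` string) and `get_public_access_block` return, so the same functions can be run over real buckets.

```python
"""Offline audit of the S3 public-exposure misconfiguration discussed above.

Checks three things per bucket: ACL grants to public groups, bucket-policy
statements with a wildcard principal, and whether S3 Block Public Access
is fully enabled (which overrides the first two). Sample inputs are constructed.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUP_URIS = {ALL_USERS, AUTH_USERS}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl):
    """Return (group, permission) pairs granted to AllUsers or AuthenticatedUsers.
    AuthenticatedUsers means any AWS account in the world, so it counts as public."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Split Allow statements with a wildcard principal into those without a
    Condition (open to the internet) and those with one (e.g. aws:SourceVpce),
    which need a human to confirm the condition really limits access."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    unconditional, conditional = [], []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        target = conditional if stmt.get("Condition") else unconditional
        target.append(stmt.get("Sid", "<no Sid>"))
    return {"unconditional": unconditional, "conditional": conditional}


def public_access_block_complete(pab):
    """All four Block Public Access flags must be True to override public
    ACLs and policies; a missing configuration is equivalent to all False."""
    return all(pab.get(key) is True for key in PAB_KEYS)


def audit_bucket(name, acl, policy, pab):
    """Combine the checks into one record; 'exposed' is the effective verdict."""
    acl_findings = acl_public_grants(acl)
    policy_findings = policy_public_statements(policy)
    blocked = public_access_block_complete(pab)
    return {
        "bucket": name,
        "acl_public_grants": acl_findings,
        "policy": policy_findings,
        "block_public_access": blocked,
        # A public grant is only reachable when Block Public Access does not override it.
        "exposed": not blocked and bool(acl_findings or policy_findings["unconditional"]),
    }


# Constructed samples (not real buckets or accounts).
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [OPEN_ACL["Grants"][0]]}
# get_bucket_policy returns the policy as a JSON string, hence json.loads here.
OPEN_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
]}
NO_BLOCK = {}
FULL_BLOCK = {key: True for key in PAB_KEYS}

if __name__ == "__main__":
    for label, acl, policy, pab in [("open", OPEN_ACL, OPEN_POLICY, NO_BLOCK),
                                    ("open-but-blocked", OPEN_ACL, OPEN_POLICY, FULL_BLOCK),
                                    ("private", PRIVATE_ACL, PRIVATE_POLICY, NO_BLOCK)]:
        print(label, json.dumps(audit_bucket("example-bucket", acl, policy, pab)))
```

The "open-but-blocked" case is the one worth noting: the ACL and policy are still wrong, but Block Public Access makes them unreachable, so the audit reports the findings while marking the bucket as not exposed. Conditional wildcard statements are deliberately reported separately rather than declared safe, because a condition such as `aws:SourceVpce` limits access only if the endpoint itself is private.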