Everyone’s favourite platform to pretend they understand to their techie friends!
Written in Conjunction with Information Risk Management Ltd and first published on their website at https://www.irmsecurity.com/resources/
Amazon Web Services and its system of “buckets” - has been plagued by a spate of recent high-profile data leaks of personal information from clients using its cloud services to host customer data.
So on a scale of one to Facebook, how bad are we talking here?
Well, before we go into that – we should probably cover what on earth AWS is and what a bucket is first.
AWS (Amazon Web Services) is one of the three major players in the cloud computing space (Microsoft Azure and Google Cloud Environment being the other two).
Essentially their purpose is that a company, instead of buying a bucket-load of servers and networking kit to perform the work that their company does, can just rent it from Amazon instead in the form of “building blocks”.
If you need computational power, then they have blocks for that. If you need database functionality, they have blocks for that too. If you need giant amounts of data storage, then Amazon has the S3 (Simple Storage Service) and its system of “buckets” for your troubles.
You can expand or contract the amount of infrastructure you rent from AWS dynamically based on business needs, and can host as much or as little of your business workflow up there as you so choose. Sounds great, right?
Nobody wants a hole in their bucket!
It is good! – and there’s a good reason that companies all around the world use cloud computing as a part of their systems architecture at some point in their workflow.
But like any good Health and Safety rule, the security guy is here to ruin the party by reminding you that cloud computing environments are far from bulletproof, fire-and-forget solutions to your system-based worries.
At their most basic form, a “bucket” is similar to a file folder on your personal computer, into which you can pour all of the things you wish to store on Amazon’s servers. Or to complete the metaphor loop, an actual bucket.
You can organise the files within however you wish, and instead of having to keep hundreds of hard drives, you can just rent more AWS buckets and storage space – a way more efficient use of your hard-won IT budget.
Plus, it’s a fairly intuitive way to access your critical data from wherever you can connect to it – hence why companies all over the world use buckets to store your data in.
Remote Access Problems
There are a few security worries with the move to using buckets to store their customer data.
Firstly, the very way AWS data storage works is kind of dangerous by definition.
You login or interact with a remote server over the internet to access your files and make adjustments and depending on how good your IT guy is – a misconfiguration could leave your bucket (and every bit of customer data within it) open to the world to see.
Normally , to pilfer your customer files, an attacker would at least have had to breach your internal network and find your data. With a bucket, however, all someone would need to do is find your S3 bucket address and get busy.
“How is someone going to find my bucket address, then? Security through obscurity, right?”, we hear you ask?
Well, disembodied voice, enter GrayhatWarfare (https://buckets.grayhatwarfare.com/)
Target Practice
GrayhatWarfare is a searchable, indexed database of buckets out there on the Internet, all configured to be public and waiting for someone to just go take a look.
The relentless march of technological progress isn't just making your job easier – its making pentesters, hackers, security researchers and criminals’ jobs easier too.
Recruitment firms both sides of the Atlantic and even a firm that performs robocalling operations for the US voting system have become victims to this bucket issue and have paid the price through a data breach.
Authentic Jobs (USA) and Sonic Jobs (UK) both had publicly accessible S3 buckets full of over 30,000 C.Vs breached this month with all of the personal information contained within them.
Robocent, a robocalling company that deals with voter information was another high-profile discovery of a firm using a publically accessible, misconfigured bucket that exposed the voter information of hundreds of thousands of voter details.
Robocent’s bucket was found to have already been found and indexed by other web services and worse, was found to be on GrayhatWarfare’s database.
There are other security worries that come with cloud computing – how tough the virtual environments are to break out of, how separate your data is kept from other customers’ data, what kind of access third parties (I.e Amazon) have to your data, compliance requirements – all that fun stuff.
But when you’re using a cloud computing service like Amazon’s (or any other) to store your customer’s data – you aren’t eliminating your risk by hosting it somewhere else, you’re essentially doubling it because now you have a system you can’t personally administrate holding mission-critical data.
You really can’t drop the ball by configuring your storage wrong and leaving it open for the world to see, especially when your bucket is self-titled – as it was in Robocent’s case.
It will be the first thing that a hacker does when conducting reconnaissance on a target – looking for publically accessible entry points exactly like these.
Mending Your Bucket
So what should a business do to use their bucket safely?
First off, really tightly assess what you’re storing in your bucket. If someone could access that bucket that shouldn’t, what’s your privacy/GDPR exposure?
If you can possibly not store customer data that personally identifies them there, then don’t.
If you really need to store your information in the cloud for architectural or business reasons, then pour time and resources into correctly structuring and configuring your bucket storage.
This means setting them to private and maybe even renaming them to something only the IT team know to add some misdirection to anyone conducting research on your company as a potential target.
Lastly, a solid recommendation would be to limit access to that bucket to only the people that need it,reducing the chances someone accidentally leaks details or leaves themselves logged in.
コメント