It was recently reported that 6 million Verizon customers were exposed to a data leak on Amazon Web Services (AWS). It was determined that Amazon was not at fault. Instead, users and contractors failed to properly configure and secure their Cloud accounts with AWS. This event highlights lessons learned for Small/Medium Businesses (SMBs) – especially, the need to engage competent and reliable IT contractors while properly training users when implementing Cloud and other IT solutions.
In the Verizon situation, subscriber records resided on an unprotected Amazon storage server that was controlled by an employee of a third-party customer services company hired by Verizon. Unfortunately, this was not an isolated incident. For example, early this month, unencrypted Personally Identifiable Information (PII) was leaked from a World Wrestling Entertainment (WWE) database hosted on an AWS server. Additionally, earlier this year, a contractor working for the Republican National Committee left a database with 198 million voters’ records exposed on the Internet for nearly two weeks.
Verizon’s contractor exposed phone numbers and PINs that enabled access to accounts associated with 6 million customers. The information could be downloaded by anyone with the easy-to-guess web address. The security mishap was caused by a security setting on a Cloud server that was misconfigured. The human error was that a security configuration was set to “public”, rather than “private”. Each record included the customer’s name, mobile number, and account PIN, along with their home address, email address, and their Verizon account balance. While some records were partially redacted, most were not. Anyone with access to the records could have theoretically impersonated a subscriber and been granted access to their account. According to Verizon, it believed customer information was not lost or stolen as a result of the issue.
The WWE data was accessible most likely due to a database misconfiguration, exposing PII associated with 3 million fans. The PII included information such as home addresses, email addresses, birth dates, customer ages, genders, education, earnings, and ethnicity. A failing of the database setup was that information was in plain text. Also, it was not protected through the use of usernames or passwords. According to those investigating the breach, most likely the misconfiguration was the responsibility of the WWE or an IT partner.
In the case of a contractor working for the Republican National Committee, detailed information was exposed such as ethnicity, religion, and political views. The information, stored by Amazon Web Services, was easily downloadable and vulnerable to malicious hackers. The breach was caused by an error in a system security setting that compromised password protection.
What Should Small/Medium Businesses Consider When Choosing Cloud Solutions
It is important to reiterate that the above AWS breach situations, by all accounts, were not due to Amazon issues but rather to third-party contractors and users. By way of background, AWS implements numerous security-related policies and procedures to help mitigate risks of a data breach for large enterprises as well as SMBs. However, IT partners and users must also maintain strict policies and procedures to properly protect data. The following are a few of AWS’s security-related activities:
- Data center and network architecture designed for high security
- Provisions for security penetration testing, vulnerability testing, and security simulations
- Published security advisories
- Use of security credentials to authenticate and authorize access to AWS resources
- Use of access keys to verify individual identity and application identity for access to AWS resources
- Issuance of guidelines for periodic auditing of security configurations
- Investigation of all reported vulnerabilities
- Encouragement to report any suspicious activity
- Coordination of breach-related investigations between clients and third parties
- Classification of vulnerabilities based on relative severity
- Coordination of public notification of validated vulnerabilities, as appropriate
- Training for businesses seeking to implement its cloud computing solutions
Recommended data security-related practices and considerations for SMBs:
- Security is not achieved simply by putting data or applications in the Cloud. Security is the result of a combination of people, processes, and technology.
- Organization and user training along with defined business processes are needed.
- Cybercriminals are constantly surveying the Internet looking for vulnerabilities and exposed databases – seeking to steal and sell valuable data.
- When hiring third-party IT contractors, SMBs are sharing access to sensitive business data. SMBs must ensure those contractors have a long track record of honesty, trustworthiness, and technical competency related to IT security.
- Many server data leaks stem from common errors in configuring access controls. These errors can be caused by network administrators who do not follow strict rules related to AWS access control.
- Additionally, network administrators often grant user permissions to people who should not be authorized to access sensitive data.
- Negligence related to data protection impacts all sizes of businesses from startups to multi-billion-dollar enterprises.
- Implementing best practices for Cloud security is an ongoing learning process.
- Considerations include knowing who has access to applications and data, how data management can be monitored, and what procedures/systems are in place to ensure timely notification of security exposures.
- A first priority should be establishing a plan for implementing Cloud security. This should be followed by implementation of controls and technology such as security monitoring hardware and software, along with defined business processes.
- In addition to network-based intrusion detection logging, host-based intrusion detection should be considered. Host-based detection expands the information gathered about actions that take place before, during, and after cyber attacks.
- Protect against insider attacks through monitoring and detection of unusual network activity, unauthorized installs, and abnormal login attempts.
- Understand the designated security responsibilities of the Cloud provider, as compared to the responsibilities of the organization using the Cloud services.
- Industry and regulatory compliance requirements should be understood and followed.
- Users must take responsibility for access control, monitoring, and audit logging.
Most security breaches occur due to credential theft, rather than sophisticated Cloud provider intrusions. Therefore, credentials that provide access to data must be properly managed by SMBs.
Techniques to proactively manage credentials include multifactor authentication, monitoring of login activity, and implementing a logging service at the host level.
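As an added example of monitoring login activity and checking multifactor use (not part of the original article), the sketch below reviews console sign-in records. It assumes the logs are AWS CloudTrail `ConsoleLogin` events; the sample records, user names, and alert threshold are constructed.

```python
from collections import Counter

FAILED_LOGIN_THRESHOLD = 3  # assumed alerting threshold; tune per environment

def _login(user, ip, result, mfa):
    """Build a constructed record using CloudTrail ConsoleLogin field names."""
    return {"eventName": "ConsoleLogin", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": result},
            "additionalEventData": {"MFAUsed": mfa}}

# Constructed sample; IP addresses come from documentation ranges.
SAMPLE_EVENTS = [
    _login("alice", "198.51.100.7", "Success", "Yes"),
    _login("contractor1", "203.0.113.50", "Success", "No"),
    _login("bob", "203.0.113.99", "Failure", "No"),
    _login("bob", "203.0.113.99", "Failure", "No"),
    _login("bob", "203.0.113.99", "Failure", "No"),
    {"eventName": "GetObject", "sourceIPAddress": "198.51.100.7"},
]

def review_logins(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Report successful logins without MFA and source IPs with repeated failures."""
    no_mfa, failures = [], Counter()
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue  # only sign-in events are relevant here
        result = (ev.get("responseElements") or {}).get("ConsoleLogin")
        user = (ev.get("userIdentity") or {}).get("userName", "unknown")
        mfa = (ev.get("additionalEventData") or {}).get("MFAUsed")
        if result == "Success" and mfa != "Yes":
            no_mfa.append(user)
        elif result == "Failure":
            failures[ev.get("sourceIPAddress", "unknown")] += 1
    noisy = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {"success_without_mfa": no_mfa, "repeated_failures": noisy}

if __name__ == "__main__":
    print(review_logins(SAMPLE_EVENTS))
```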
In summary, Cloud solution providers, such as Amazon Web Services (AWS), can offer SMBs many operational benefits. Reputable Cloud providers include substantial and highly effective security protections. However, data security breaches are often the result of factors outside of the Cloud provider’s responsibilities. Consequently, security and compliance must be properly managed, as well, by third-party IT providers and users of Cloud services. SMBs implementing Cloud services, including those from large reputable providers such as AWS, must be aware of their responsibilities associated with utilizing highly qualified IT contractors and implementing appropriate security-related processes, procedures, and training for their organization.