UpGuard Director of Cyber Risk Research Chris Vickery came across an Amazon Web Services S3 cloud storage bucket within the AWS “inscom” subdomain, set to public, on September 27. The main repository contained 47 viewable files and folders; three were downloadable and confirm the contents' “highly sensitive nature,” according to an UpGuard blog post.
“The three downloadable files contained in the bucket confirm the highly sensitive nature of the contents, exposing national security data, some of it explicitly classified.
“The largest file is an Oracle Virtual Appliance (.ova) file titled “ssdev,” which, when loaded into VirtualBox, is revealed to contain a virtual hard drive and Linux-based operating system likely used for receiving Defense Department data from a remote location,” the post said. “While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems - an intrusion that malicious actors could have attempted, had they found this bucket.”
“Over the past month we have seen a number of enterprise organizations fail because they inadvertently did not configure existing security controls properly,” said Carl Wright, chief revenue officer (CRO) at AttackIQ. “This is called a protection failure and indicates that these organizations are doing little to no testing to validate that existing security controls are working properly.”
Organizations assume an “infinitesimal cost to validate” security controls “compared to the cost of a data breach,” said Wright. “It is a disturbing state of IT and security management when the attackers are routinely able to find protection failures before corporate or government security teams.”
Technology advances have leapt ahead of security, creating gaps for organizations.
“The market's investment in services and tools to automate business processes without incurring heavy maintenance costs has outpaced investment in the methods to secure them,” said Threat Stack CSO Sam Bisbee. “Sometimes it's safer to bring commoditized systems that are likely to leak sensitive information, such as log aggregation, into your own environment since they have become too cheap to maintain.”
Bisbee said that the proliferation of services like GitHub and AWS S3 should drive organizations of all sizes to “understand whether the services they use to store data are in fact risk-appropriate for the type of data they put into them.”