A recent study by Skyhigh Networks found that 7 percent of all Amazon S3 servers are exposed, which may explain the surge of data leaks over the last few months, including information on 198 million American voters, 14 million Verizon customers, and several Viacom networks, to name a few.
Researchers at Skyhigh Networks told Bleeping Computer that in most of these cases companies, via their staff, left buckets of data configured to allow “public” access, meaning anyone with a link to the S3 server could access, view, or download its content.
Threat actors can easily find these public buckets and there is even open source software on GitHub that can simplify the search for vulnerable servers. In order to ensure information is secure, companies should make sure they fully understand their server's permission level and review Amazon's recommendations for managing access to servers.
“We've seen a major escalation in high-profile events where personally identifiable information (PII) and other sensitive information has been left exposed on an unsecured server,” NuData Security Vice President of Business Development Robert W. Capps told SC Media. “The fact that so many organizations misconfigure access and security of these critical data storage methods in a trusted hosting service is yet another reason why consumer data is so freely available to cybercriminals through the Dark Web and other channels.”
Capps added that until personally identifiable information can be rendered useless, consumers will be at unnecessary risk, and that companies should adopt passive biometrics and behavioral analytics to better secure data.
It's very easy for someone to fire up a server on Amazon to store company information on it and just leave it in a default, unprotected mode, Virsec Systems Vice President of Marketing Willy Leichter told SC Media.
“Most enterprises have strict rules on who can set up a physical server, but with AWS it's wide open,” Leichter said. “IT security teams need to regain control and treat any server – physical or virtual – as a sensitive asset, monitoring security settings, validating applications, and ensuring compliance.”
VASCO Data Security Chief Information Security Officer Christian Vezina agreed, saying all data breaches have an element of human oversight in common, adding that AWS may be turning into a victim of its own success by making it too easy for anyone to set up a server.
Amazon has effectively removed an entry barrier of technical savviness and now because it is so simple, there needs to be a change in paradigms to compensate, Vezina added.
“Seasoned system administrators would usually be able to navigate complex settings and build secure systems in the cloud,” Vezina said. “Less experienced staff, or staff under pressure to deliver working systems, may however forget a critical setting in the process, thereby exposing thousands, or even millions of records.”
Vezina added that companies should take the time to configure their systems securely and encrypt their data if and when hosting data on the cloud.