By Jonathan Maresky, Cloud Security Expert, Check Point Software
Over the course of 2020, according to Canalys’ recently published review of cybersecurity, there were more data breaches than in the prior 15 years combined. More than 300 reported breaches occurred, leading to the theft and exposure of 31 billion data records (up 171% over 2019).
It’s clear that the COVID-19 pandemic played a notable role in the dramatic increase in cyber attacks. Across many organizations, the shift to remote work created significant security challenges, and a highly distributed offsite workforce suddenly became an ideal target for social engineering threats.
Despite the fact that spending on cyber security grew by 10% during 2020, this increase fell far short of accelerated investments in business continuity, workforce productivity and collaboration platforms. Meanwhile, spending on cloud infrastructure services was 33% higher than the previous year, spending on cloud software services was 20% higher, and there was a 17% growth in notebook PC shipments.
All in all, 2020’s cyber security spending failed to keep pace with digital transformation, resulting in even greater gaps in organizations’ abilities to effectively address the security challenges introduced by public cloud infrastructure and modern containerized applications: complex environments, fragmented stacks and borderless infrastructure, not to mention the unprecedented speed, agility and scale. For an in-depth discussion around cloud security challenges, with or without a pandemic, see our whitepaper Introduction to Cloud Security Blueprint.
In this thought leadership piece, we explore three of the biggest cloud breaches of 2020, where “big” does not necessarily refer to the number of compromised records, but instead speaks to the scope of the exposure and potential vulnerability. See how these monumental breaches happened and get insights that can help you improve your organization’s security.
1. Misconfigured Internal Database
In January of 2020, Microsoft disclosed a cyber security event that involved an internal support analytics database. A change to the database’s network security group, on Dec. 5, 2019, introduced misconfigured security rules. Consequently, 250 million support case records were exposed. Exposed information included email and IP addresses along with support case details.
After the incident, Microsoft informed customers that the breach did not expose any commercial cloud services, and in the majority of instances, the data was automatically redacted to remove personal information. Nonetheless, any loss of customer data has serious ramifications, such as giving threat actors a wealth of information for future phishing expeditions. The incident response team at Check Point Software (CPIRT) has previously observed a large volume of successful phishing attacks with mission-critical pretexts, such as “New voice mail: Unable to obtain resources” or “Your IT Support Mailbox is Full.” In terms of this specific breach, threat actors with access to support ticket history could launch very targeted phishing attacks aligned with prior legitimate vendor communications.
The incident served as a wake-up call for Microsoft. It also served as a wake-up call for the rest of us: network security rules for internal resources must be subjected to auditing that is as rigorous as that relied upon for external resources. Also worth noting is the fact that the exposure was first detected by a third party, and that remediation of the misconfiguration took more than three weeks. Comprehensive measures to detect security rule misconfigurations and alert security teams in real time are essential in preventing breaches.
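The kind of rule audit described above, as an added example that is not part of the original article and not Microsoft’s or Check Point’s tooling: it evaluates a constructed, simplified set of inbound security rules (priority order, first match wins, Allow/Deny, source prefix, destination ports, modelled loosely on network security group rules) and reports database ports that are reachable from any source. The rule names, ports and sample rule sets are assumptions.

```python
"""Flag inbound security rules that expose database ports to any source."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Source prefixes that mean "reachable from anywhere" (constructed set).
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}
# Database listener ports worth flagging on an internal data tier (constructed).
DB_PORTS = {1433, 3306, 5432, 6379, 9200, 27017}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    source_prefix: str   # e.g. "*", "0.0.0.0/0", "10.0.0.0/8"
    dest_ports: str      # "*", "1433", "1000-2000" or a comma-separated mix


def port_matches(spec: str, port: int) -> bool:
    """True if the destination port spec covers the given port."""
    if spec.strip() == "*":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def first_matching_inbound(rules: List[Rule], port: int) -> Optional[Rule]:
    """First inbound rule (by priority) matching traffic from any source to port."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction == "Inbound" and r.source_prefix in ANY_SOURCE \
                and port_matches(r.dest_ports, port):
            return r
    return None


def find_exposed_db_ports(rules: List[Rule]) -> List[Tuple[int, str]]:
    """(port, rule name) for every DB port that an any-source Allow rule reaches."""
    findings = []
    for port in sorted(DB_PORTS):
        r = first_matching_inbound(rules, port)
        if r is not None and r.access == "Allow":
            findings.append((port, r.name))
    return findings


# Constructed rule sets: a permissive change versus its corrected form.
DENY_ALL = Rule("DenyAllInbound", 65500, "Inbound", "Deny", "*", "*")
MISCONFIGURED = [Rule("AllowTempDebug", 100, "Inbound", "Allow", "*", "*"), DENY_ALL]
CORRECTED = [Rule("AllowAppTier", 100, "Inbound", "Allow", "10.0.0.0/8", "9200"), DENY_ALL]
```

Running `find_exposed_db_ports(MISCONFIGURED)` lists every database port behind the any-source rule, while the corrected set yields nothing; wiring such a check to rule-change events is what turns it into the real-time alerting the text calls for.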
2. Unprotected Database, Unencrypted Data
On Jan. 30, 2020, a security researcher found a database that was not password protected and appeared easily accessible to any person on the internet. The database, which was part of Estée Lauder’s education platform, included user emails in plain text as well as IP addresses, ports, pathways and storage information. Malicious actors could potentially leverage this information to burrow further into the network. Unencrypted production, audit, error, CMS and middleware logs were also exposed, creating additional potential network backdoors.
Estée Lauder remediated the exposure on the same day that it was discovered and assured its customers that no consumer data was compromised. Despite the limited damage, at least three significant lessons can be gleaned from this breach:
- When it comes to security, effective asset discovery and management are critical. An unprotected asset can represent an easy foothold for malicious individuals. In this case, it could have provided invaluable fodder for future phishing and social engineering scams.
- Cloud resources can be provisioned with ease and agility. But beware: this should never occur at the expense of upholding security best practices, such as password protection.
- Encrypt data, always. Even in non-production databases.
3. Database of Secrets Unprotected for 8 Years
In 2012, the secret-sharing smartphone app known as Whisper emerged on the market. In its early years, Whisper represented a fun platform on which to share confessions or other highly personal information under a pseudonym. On March 10, 2020, the Washington Post broke the story that security researchers had discovered 900 million Whisper posts and their metadata in an unprotected database. Mistakenly exposed information included users’ ages, ethnicities, hometowns, nicknames, group membership information and more. The exposed information dated back to 2012.
Whisper removed the database immediately after The Washington Post contacted the company, and there is no evidence suggesting that the database was ever exploited. However, it is truly hard to fathom how an exposed database from a secret-sharing app could have gone undetected by the company for so many years.
Nonetheless, apparently this is not a unique situation. Our CPIRT colleagues have learned that servers or services that are exposed by accident are typically the ones most misconfigured and most out of date with patches. Routine external attack surface mapping and scanning can help identify such servers and services and prevent unintended exposure. Perhaps this is also the place to note that in today’s complex hybrid and multi-cloud environments, the need for effective security monitoring is greater than ever before.