Over Half of Cloud Storage Services are Misconfigured: Report

A recent report by cloud threat defense firm RedLock claims more than half of businesses have made errors that have exposed sensitive data to the general public vuia the cloud.

The study shows many organizations are not adhering to established security best practices, such as using multi-factor authentication for all privileged account subscirbers. Worse again, many groups are failing to constantly review their cloud environments which means data is being exposed without detection.

The issue seems to worsening as RedLock’s last review for Q2 revealed 40% of businesses had misconfigured at least one of their cloud storage services – Amazon Simple Storage Service (Amazon S3) for onee. A new study, released in its most recent Cloud Security Trends Report, shows that percentage grew to 53% between June and September 2017.

Key Points from the Report

  • 53% of groupss have at least one exposed cloud storage service
  • 38% of users exposed data through compromised administrative subscriber accounts
  • 81% are not managing host weaknesses in cloud storage services
  • 37% of databases unwittingly accept connection requests from suspicious IP addresses
  • 64% of databases are not encrypted properly
  • 45% of Center of Internet Security (CIS) compliance checks are not passed
  • 48% of Payment Card Industry Data Security Standard (PCI DSS) compliance checks are not passed
  • 250 organizations were discovered to be leaking credentials to their cloud environments on internet-facing web servers

A review need look no further than the widespread misconfigured MongoDB installations that were identified by hackers in January 2017. Misconfigured databases were plundered, data deleted, and ransom demands sent. More than 26,000 MongoDB databases were hijacked and held for ransom.

Is it not just small groups that are making mistakes that are leading to data exposure and data breaches. The Equifax data breach, which saw the records of more than 143 million Americans released, was the result of the failure to address a known weakness in Apache Struts; a framework that backed up its dispute portal web application. Equifax CEO Richard Smith recently advised the House Energy and Commerce Committee that the missed patch was due to a mistake by a single worker.

British insurance giant Aviva discovered one of its cloud environments had been ‘hacked’ and was being used to mine Bitcoin. Kubernetes administration consoles were used to access to its cloud storage services. Its administration consoles did not have passwords.

RedLock is not the only group to report on the issue. IBM X-Force said it has located more than 1.3 billion records that were exposed due to misconfigured servers up to September 2017.

Author: Maria Perez