Why bother hacking when firms keep leaving the doors wide open?

If your company suffered a data breach, wouldn’t it be at least a bit comforting if you knew it was because an army of criminal geniuses had spent months trying to penetrate your fortress-like defences?

Imagine the effort they must have gone through. They’ve tried every form of phishing, spearphishing, smishing, vishing and whaling. They’ve sent fake printer and HVAC engineers to try to penetrate the data centers. They’ve tried to get their spies recruited to work in sensitive positions. They’ve bribed and blackmailed. And their dozens of hoodie-wearing hackers have been frenziedly typing ones and zeroes into their terminal windows (because that’s how hacking works, apparently!)

Then at least you’d know that you didn’t really stand a chance. At least you’d still be able to hold your head up high.

What would be somewhat less comforting would be to discover that you weren’t really hacked at all; that the army of criminals barely had to try. The data just appeared before them, and all because of the one word that crops up again and again when you read about data breaches:

Misconfiguration.

According to Verizon’s recently released Data Breach Investigations Report, 17% of data breaches were caused by ‘errors’, the largest part of which is misconfiguration. This might not sound like a lot, but it’s double what it was last year, and second only to hacking as a cause of breaches.

Even way back in 2018, the IBM X-Force Report found that in the preceding year there was a “424 percent jump in breaches related to misconfigured cloud infrastructure, largely due to human error.”

Here are a few recent examples:

Clearview AI is a company which had already courted controversy with privacy concerns over its facial recognition software and social media photo scraping. As detailed by TechCrunch, for a time in February a ‘misconfigured’ server allowed direct and indirect access to Clearview’s source code, credentials and internal files.

A statement from Clearview’s lawyer, Tor Eklund, said “Security is Clearview’s top priority. Unfortunately, data breaches are part of life in the 21st century.”

So… that’s ok then?! (Answer: No) 

A database held by developer C-Planet IT Solutions with details of over 330,000 voters in Malta was exposed to the internet. Considering the population of Malta is fewer than 500,000 people this is quite the breach. The data included names, addresses, gender, phone numbers and dates of birth; a pretty good haul for potential fraudsters. According to Malta Today, “The company was notified of the leak via email in February, but there was no reaction – the hole in the server was only closed around the 9th March.”

C-Planet IT Solutions described this as a ‘mishap’, or in other words ‘Please move along. Nothing to see here!’

Five ‘misconfigured’ Amazon S3 buckets exposed uploads by up to 14 million users of ‘One-Stop Shopping Solution’ Key Ring. The researchers at vpnMentor who discovered the breach detailed the staggering breadth of personal information people trusted this company to keep secure in their Key Ring digital wallets. This included everything from Medical Marijuana IDs to NRA membership cards; credit cards to Government ID cards.

As Key Ring had no privacy or data protection policy on their app website, it’s kind of hard to know what measures they intended to have in place to protect data. A clue, perhaps, to how seriously they were taking data security.

How can you avoid the misconfiguration pitfalls?

There is a long list of things you can do to prevent human error from splashing your data all over the internet, but I’m going to condense it to just three main points:

Know your data

  • What data are you storing and why?
  • How and where is it stored, transported and backed up?
  • Who and what has access and how is this authenticated?
  • How is access logged, and how are those logs audited?

Make no assumptions

  • Don’t assume your data audit gives you the full picture.
  • Don’t assume that you or your developers know everything about cloud security.
  • Don’t assume that the default settings for protecting cloud data will prevent unauthorized access.
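As an added illustration (not from the original article or from TBG Security), here is one way to check "who has access" against a bucket's settings instead of assuming the defaults cover you. The dict layout (`public_access_block`, `acl_grants`, `policy`) and the bucket names are assumptions made for this example; the inner keys follow AWS's S3 ACL, bucket policy and Public Access Block formats.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def public_exposure(bucket):
    """List the ways a bucket is reachable by anyone; empty list means none found.
    Simplified: account-level blocks and weak Conditions are not evaluated."""
    pab = bucket.get("public_access_block") or {}  # absent config == nothing blocked
    findings = []
    # Existing public ACL grants stay effective unless IgnorePublicAcls is on;
    # BlockPublicAcls only rejects *new* public ACLs.
    if not pab.get("IgnorePublicAcls"):
        for grant in bucket.get("acl_grants", []):
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                findings.append(f"acl:{grant['Permission']}")
    # An existing wildcard Allow stays effective unless RestrictPublicBuckets is on;
    # BlockPublicPolicy only rejects *new* public policies.
    if not pab.get("RestrictPublicBuckets"):
        statements = json.loads(bucket.get("policy") or "{}").get("Statement", [])
        if isinstance(statements, dict):
            statements = [statements]
        for stmt in statements:
            if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                    and _wildcard(stmt.get("Principal"))):
                findings.append(f"policy:{stmt.get('Action')}")
    return findings

# Constructed inventory for illustration; bucket names are made up.
OPEN_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example/*"}]})
SAMPLE = {
    "uploads-legacy": {"acl_grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "static-site": {"policy": OPEN_POLICY, "public_access_block": {
        "BlockPublicAcls": True, "BlockPublicPolicy": True}},
    "backups": {"policy": OPEN_POLICY, "public_access_block": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
}

if __name__ == "__main__":
    for name, cfg in SAMPLE.items():
        print(name, public_exposure(cfg) or "no public exposure found")
```

The `static-site` entry is the "make no assumptions" case: two of the four block settings are on, yet the wildcard policy that was already in place still applies.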

Don’t mark your own homework

Almost every day there’s a news story about a company that should know better carelessly exposing personal data on the internet. Clearly in most cases they either didn’t know the databases were there, or they made assumptions about availability and access.

Given the harm that can be done to people and businesses by criminals who would make use of the data, this is utterly inexcusable.

Don’t be one of those companies that gets caught out because you don’t try to find out what you don’t know.

Ask the experts at TBG Security how they can help you avoid the pitfalls and protect your vital business data.  
