Ethical researchers at the Massachusetts software company WizCase discovered over 1,000 GB of data belonging to over 100 local municipalities across the Northeast in misconfigured Amazon S3 buckets. The more than 1.6 million files were open to anyone. It appears that the commonly used municipal mapping program, Mapsonline.net, was storing unencrypted public data with no password or login required for access.
Almost every city in the US has put its residents’ data online in the form of GIS-based mapping. These apps let users access data on any individual property, generally without any password or login. This is “public record” data that historically was available in bound form at the local city or town hall.
Now that it’s aggregated and online, it’s readily available to be weaponized for “from your City Hall” phishing attacks, synthetic identity creation, and other types of cybercrime. Experts provide insight as part of the expert comments series.
<p>Enterprises that store PII (Personally Identifiable Information) and PHI (Personal Health Information) are instructed and mandated by regulation to follow the Principle of Least Privilege (PoLP). This was part of the presidential cybersecurity order after the SolarWinds attack that included recommendations that enterprises move to a zero-trust architecture.</p>
<p>The key to enforcing PoLP (NIST PR.AC-6) is to have both regular access reviews and alerts on identity and group permission changes. These changes should be reviewed by both the system owners and the manager of the users and should be quantified in a repeatable and auditable fashion.</p>
<p>While the cloud brings tremendous value, from quick ramp-up to scalability and flexibility to an organization, it does present risks. When roles and responsibilities for data security are not clearly understood, cybersecurity skillsets can be lacking as organizations quickly transition to the cloud. Automation (which is so essential in the cloud) can at times change security configurations at lightning speed, and for an IT asset like S3 folders, if constant security monitoring is not in place, this can lead to an undetected breach.</p>
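The two comments above call for alerts on permission changes and for constant monitoring of S3 configuration. The following Python is an added example written for this page, not code from WizCase, Mapsonline.net or any of the quoted experts. It evaluates S3 bucket policy and ACL documents for grants to everyone, and diffs two policy snapshots to produce the kind of "newly public" alert the access-review comment describes. The policy documents, the ACL grants and the account ID 111122223333 are constructed samples; in practice the inputs would be the JSON returned by the real `get_bucket_policy` and `get_bucket_acl` S3 API calls, and S3 Block Public Access should be enabled as the primary guard regardless of what this check reports.

```python
import json

# Constructed sample policies (not from the article). The account ID is a placeholder.
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/gis-app"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-parcel-maps/*",
        }
    ],
}

# Same bucket after an automated deploy added an unconditioned grant to everyone.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": RESTRICTED_POLICY["Statement"] + [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-parcel-maps/*",
        }
    ],
}

# Constructed ACL grant list in the shape get_bucket_acl returns under "Grants".
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]

# Real AWS predefined group URIs that mean "anyone" and "any AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal) -> bool:
    """True when a statement's Principal is the wildcard, in either accepted form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy: dict) -> list:
    """Sids of Allow statements that grant access to everyone with no Condition block."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Condition-scoped wildcards (e.g. VPC endpoint) need a separate, closer look.
            continue
        findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def public_acl_grants(grants: list) -> list:
    """'Group:Permission' strings for grants to AllUsers or AuthenticatedUsers."""
    out = []
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            out.append(f"{grantee['URI'].rsplit('/', 1)[-1]}:{g.get('Permission')}")
    return out


def policy_change_alerts(before: dict, after: dict) -> list:
    """Statements that are public in 'after' but were not in 'before': the alert payload."""
    return sorted(set(public_statements(after)) - set(public_statements(before)))


if __name__ == "__main__":
    print("public statements:", public_statements(PUBLIC_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_GRANTS))
    print("new since last review:", json.dumps(policy_change_alerts(RESTRICTED_POLICY, PUBLIC_POLICY)))
```

Run on the samples, the checker reports the `PublicRead` statement and the `AllUsers:READ` ACL grant, and the snapshot diff flags `PublicRead` as new, which is the event a reviewer or an alerting pipeline would act on. Feeding it each bucket's live policy and ACL on a schedule, and on every configuration-change event, gives the continuous monitoring the comment asks for.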