Following the news that 47GB of medical data from American firm Patient Home Monitoring has been found exposed in an unsecured Amazon server. IT security experts are commented below.
Raj Samani, Chief Scientist and Fellow at McAfee:
“Mistakes like this should not be happening. There is always the threat of human error, but measures must be in place to anticipate for such errors. All organisations, but especially those that hold sensitive data such as medical details and personally identifiable information, need to ensure they have an integrated system with automated monitoring in place. Having the right combination of people, process and technology is vital to effective data protection, enabling companies to quickly detect threats and correct any flaws.”
.
Josh Mayfield, Platform Specialist at FireMon:
“The Amazon S3 bucket can be easily switched from private to public access – with public being the default. With the speed that organizations are moving to AWS and cloud infrastructure, it is only natural to miss something. But what if you automated policy controls irrespective of future assets/infrastructure? Organizations who automate policy controls and management are able to bring any new device or infrastructure into production with consistency across any new instance. This comes in a few different forms.
First, Cloud Infrastructure Security Brokers (CISB) serve as a clearing house for all new cloud infrastructure within the organization. By incorporating these elements, you gain a degree of governance around which policies and controls go in to any new cloud service.
Imagine setting a rule or policy once and then having that policy applied to any future instances – automatically. In this context, you no longer have to sacrifice security for speed. Leading organizations are taking these kinds of steps.
Secondly, policy management consoles with the flexibility to handle heterogeneous infrastructures and devices are invaluable. Most organizations have a hodge-podge of various vendors for their security infrastructure (for example, Palo Alto, Juniper, Fortinet, AWS, Check Point, and many others). But with automated policy management, these systems are treated as devices with relevant data, configurations that can be cloned, policies that can migrate from device-to-device, and controls that bring order to the heterogeneity.
A policy management console gives organisations this kind of flexibility. As a bonus, policy management consoles can automate controls and actions to close any gaps new cloud services bring into production – including AWS and the now infamous S3 bucket that is regularly left ajar.
Lastly, there is increased data staging within cloud infrastructures prior to exfiltration. That means, the cybercriminal makes headway in the on-prem network, but needs a place to hold the data prior to the final theft. By moving data to a cloud instances that has regular data exchange with on-prem assets, the cybercriminal can hide the growing amount of data going into the cloud infrastructure. After all, that’s a regular occurrence – no alert triggered.
Then, when you take into account the regular openness of S3, theft becomes even easier. Imagine a commercial mover putting your furniture into a moving van. No shock here, that seems like normal asset movement. But then, an accomplice walks up to the fully loaded van, key in the ignition, and drives away. This is not a perfect analogy, but it gets very close to the data staging and exfiltration that happens with cloud infrastructure.”
Lisa Baergen, Director at NuData Security:
“Once again, personally identifiable information (PII) and other sensitive information has been left exposed on an unsecured server. This type of news – leading organizations misconfiguring access and security of critical data storage methods on a major hosting service – is becoming an almost weekly occurrence. Along with mega-breaches, the increasing sophistication of hackers who will find any crack in the organizations armor, and loose handling of consumer PII on hosting services are key reasons why consumer data is readily available on the Dark Web to criminals, making it all too easy for them to create synthetic identities or co-opt the identities of legitimate consumers for account takeovers, new lines of credit and other crimes.
“Every organization that’s entrusted with personal data needs to look at a more thorough multi-layered solution and get far more serious about taking effective steps to protect consumer data by adopting multi-layered security solutions that include as passive biometrics and behavioral analytics, which defies mimicking by bad actors. Unless and until PII data is rendered worthless by improved authentication solutions, these headlines will only continue, and we will all be placed at further unnecessary risk.”
Oliver Pinson Roxburgh, EMEA Director at Alert Logic:
“S3 buckets are serverless and generally data in S3 buckets is exposed due to a lack of experience and knowledge in securely configuring the cloud platform. The principles of security do not change but your approach to security needs to change, as the platform itself is a critical area organisations need to consider when in the cloud, irrespective of the provider. The benefits of speed , agility and flexibility can also leave you exposed to security issues when not done correctly, and things can go wrong fast. The platform needs to be considered as part of your attack surface and specifically think about configuring the platform securely. The key thing for S3 buckets is leass privileges, and restricting access to authorised users and locations.”
Kyle Wilhoit, Senior Cybersecurity Threat Researcher at DomainTools:
“This kind of data breach really hammers home the tangible impact that data breaches can have on individuals. The narrative surrounding breaches is so often defined by the financial implications, but the impact of medical records being leaked on individuals could be equally if not more damaging. Revealing potentially sensitive personally identifiable information could impact an individual’s employment or it could be used by criminals/state entities for targeted attacks, such as spear phishing.
Medical organizations need to start taking the data they have access to as seriously as financial organizations do, and should make those affected aware as soon as possible.”
Brian Robison, Senior Director of Security Technology at Cylance:
“This is yet another case where misconfiguration or sloppiness leads to a data breach. Just as in the Equifax breach, a “missing patch” on a server led to massive data exfiltration.
As our computer systems and network become more and more complex, organisations need to focus on improving security operationally. Stop treating security as merely an IT “issue” that costs money and treat cyber security as a business continuity issue, just as critical as physical buildings or corporate financials. Corporate financials are usually constantly being examined or audited – the same maniacal focus must be applied to the security of your assets. You can no longer get away with a “once-per-year” vulnerability scan or pen test – there needs to be a constant audit of your network and security posture.
All assets must be discovered and tested against current vulnerabilities. Patches must be deployed quickly – maybe even quicker than previously; especially for internet facing systems. The extended QA cycle that enterprises have used in the past to delay patching may end up causing more harm than good. What might be more damaging to the business? The web tool going down for a few hours while an issue is worked out, or the loss of millions of customer records?
Security is a business asset to keep customer data safe – not a “cost-center” that must be continually squeezed during budget reduction cycles.”
Paul Edon, Director at Tripwire:
“With consumers and businesses shifting their data to the cloud, criminals are moving their scopes to follow the data. Therefore, taking responsibility of where and how that information is being stored is paramount, especially when it involves such critical information. Storing your data in the cloud does not mean it is magically protected. This is why configuring systems correctly gives your organization the best chance to protect the data. Failure to do so shows negligence to security which in this case, has unfortunately left 150,000 patients exposed. This isn’t rocket science or brain surgery, it’s basic 101 information security – CONFIDENTIALITY, integrity, and availability.”
Javvad Malik, Security Advocate at AlienVault:
“The issue of misconfigured cloud services is a growing problem. As more and more companies migrate datasets to the cloud, it is becoming apparent that many lack the cloud skills needed to secure the cloud infrastructure, gain assurance that the cloud infrastructure is secured appropriately, or monitor their cloud environments for unauthorised access. While cloud can bring benefits of having a resilient infrastructure, security cannot be outsourced, and much of the responsibility remains with the customer.
Unfortunately, the people affected the most are the patients who have had their sensitive information exposed.
Christopher Littlejohns, EMEA Manager at Synopsys:
“Cloud based solutions are becoming increasingly popular and attractive to businesses – and rightly so. They have a growing reputation for enhanced security which is sometimes better than internal solutions. Couple this with the well known cost benefits and we have attractive solutions. The problems occur when the built in security enhancing capabilities are not used correctly; in this case proper authentication to grant access to sensitive data and lack of encryption. This is a common theme for such sensitive data leaks which often have their root causes in ineffective processes, poor coding practices and human error. They all amount to the same thing, you are only as secure as your weakest link.”
