Following the news that 47GB of medical data from the American firm Patient Home Monitoring has been found exposed on an unsecured Amazon server, IT security experts commented below.
Raj Samani, Chief Scientist and Fellow at McAfee:
Josh Mayfield, Platform Specialist at FireMon:
“First, Cloud Infrastructure Security Brokers (CISB) serve as a clearing house for all new cloud infrastructure within the organization. By incorporating these elements, you gain a degree of governance around which policies and controls go into any new cloud service.
Imagine setting a rule or policy once and then having that policy applied to any future instances – automatically. In this context, you no longer have to sacrifice security for speed. Leading organizations are taking these kinds of steps.
Secondly, policy management consoles with the flexibility to handle heterogeneous infrastructures and devices are invaluable. Most organizations have a hodge-podge of various vendors for their security infrastructure (for example, Palo Alto, Juniper, Fortinet, AWS, Check Point, and many others). But with automated policy management, these systems are treated as devices with relevant data, configurations that can be cloned, policies that can migrate from device-to-device, and controls that bring order to the heterogeneity.
A policy management console gives organisations this kind of flexibility. As a bonus, policy management consoles can automate controls and actions to close any gaps new cloud services bring into production – including AWS and the now infamous S3 bucket that is regularly left ajar.
Lastly, there is increased data staging within cloud infrastructures prior to exfiltration. That means the cybercriminal makes headway in the on-prem network, but needs a place to hold the data prior to the final theft. By moving data to a cloud instance that has regular data exchange with on-prem assets, the cybercriminal can hide the growing amount of data going into the cloud infrastructure. After all, that’s a regular occurrence – no alert triggered.
Then, when you take into account the regular openness of S3, theft becomes even easier. Imagine a commercial mover putting your furniture into a moving van. No shock here, that seems like normal asset movement. But then, an accomplice walks up to the fully loaded van, key in the ignition, and drives away. This is not a perfect analogy, but it gets very close to the data staging and exfiltration that happens with cloud infrastructure.”
Lisa Baergen, Director at NuData Security:
“Every organization that’s entrusted with personal data needs to look at a more thorough multi-layered solution and get far more serious about taking effective steps to protect consumer data by adopting multi-layered security solutions that include passive biometrics and behavioral analytics, which defy mimicking by bad actors. Unless and until PII data is rendered worthless by improved authentication solutions, these headlines will only continue, and we will all be placed at further unnecessary risk.”
Oliver Pinson Roxburgh, EMEA Director at Alert Logic:
“S3 buckets are serverless and generally data in S3 buckets is exposed due to a lack of experience and knowledge in securely configuring the cloud platform. The principles of security do not change but your approach to security needs to change, as the platform itself is a critical area organisations need to consider when in the cloud, irrespective of the provider. The benefits of speed, agility and flexibility can also leave you exposed to security issues when not done correctly, and things can go wrong fast. The platform needs to be considered as part of your attack surface, and you need to specifically think about configuring the platform securely. The key thing for S3 buckets is least privilege, and restricting access to authorised users and locations.”
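As an added illustration of the least-privilege point above (example code written for this page, not from the article or from Alert Logic), a small Python check that flags bucket-policy statements granting access to every principal with no Condition narrowing who or where. The bucket name, account id, role ARN and CIDR are constructed placeholders.

```python
import json

# Constructed sample policies (not from the article). PUBLIC_POLICY is the
# configuration that leaves a bucket "ajar": everyone may read every object.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-phi-bucket/*",
    }],
})

# LEAST_PRIVILEGE_POLICY grants read access only to one named role and only
# from one address range (hypothetical account id, role name and CIDR).
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadFromMonitoringRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/monitoring-ingest"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-phi-bucket/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
})

def _is_wildcard_principal(principal):
    """True when Principal names everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        values = principal.get("AWS", [])
        return "*" in ([values] if isinstance(values, str) else values)
    return False
def public_statements(policy_json):
    """Return the Sid (or index) of each Allow statement open to any
    principal that carries no Condition limiting the caller or its origin."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for idx, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if _is_wildcard_principal(st.get("Principal")) and not st.get("Condition"):
            findings.append(st.get("Sid", idx))
    return findings
```

A wildcard principal that does carry a Condition is narrower but still deserves manual review; this check only reports the unconditional case.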
Kyle Wilhoit, Senior Cybersecurity Threat Researcher at DomainTools:
“Medical organizations need to start taking the data they have access to as seriously as financial organizations do, and should make those affected aware as soon as possible.”
Brian Robison, Senior Director of Security Technology at Cylance:
“As our computer systems and networks become more and more complex, organisations need to focus on improving security operationally. Stop treating security as merely an IT “issue” that costs money and treat cyber security as a business continuity issue, just as critical as physical buildings or corporate financials. Corporate financials are usually constantly being examined or audited – the same maniacal focus must be applied to the security of your assets. You can no longer get away with a “once-per-year” vulnerability scan or pen test – there needs to be a constant audit of your network and security posture.
All assets must be discovered and tested against current vulnerabilities. Patches must be deployed quickly – maybe even quicker than previously; especially for internet facing systems. The extended QA cycle that enterprises have used in the past to delay patching may end up causing more harm than good. What might be more damaging to the business? The web tool going down for a few hours while an issue is worked out, or the loss of millions of customer records?
Security is a business asset to keep customer data safe – not a “cost-center” that must be continually squeezed during budget reduction cycles.”
Paul Edon, Director at Tripwire:
Javvad Malik, Security Advocate at AlienVault:
Unfortunately, the people affected the most are the patients who have had their sensitive information exposed.
Christopher Littlejohns, EMEA Manager at Synopsys: