It has been reported that an unsecured FedEx server was breached, exposing thousands of customers’ personal information, a prominent security research firm discovered earlier this month. Package forwarding service Bongo International was acquired by FedEx in 2014 and now serves as a e-commerce service called FedEx Cross Border. But an unsecured Amazon S3 server, according to the white hat research group Kromtech, was holding more than 100,000 scanned documents including passports, drivers licenses, and security IDs. The white hat group responsibly disclosed the breach. IT security experts commented below.
Patrick Hunter, Director at One Identity:
“This is an interesting case where a company does all the right things when they’ve discovered they had a potential weakness. Mergers and acquisitions are fraught with security pitfalls. The boundary where the two organisations meet is a weakness; they are bound to have different policies, different systems, incompatible technology and differing cultural views towards cyber security.
FedEx found the issue and plugged the gap, then announced what they had done and why. All the right things…but are they just lucky? The data was old but it contained a lot of personal information which could still have caused damage. I wouldn’t be too sympathetic as they could have solved the problem by better protecting access to all systems further out, nearer the boundaries. I am not talking about firewalls here, but true access management. If a hacker should gain access to the network, in the FedEx example, they could have had free rein but if you lock down the access to privileged accounts then the point becomes moot. The server couldn’t have been accessed without express permission – this can even be done is real time.
Is this just a case of a company finding exposed data before the hacker? We’ve seen what happens when the scenario is the other way around. Organisations need look at their security strategies and take the wider view. Don’t just focus at the server level but at the Identity level, restrict and control those accounts that could run amok in the wrong hands. I think FedEx did all the right things but maybe they were lucky here, especially with the latest GDPR regulation looming in May.”
Javvad Malik, Security Advocate at AlienVault:
“Misconfigured AWS S3 buckets have been plaguing many enterprises for some time now. This is despite Amazon rolling out additional controls that email users where an AWS S3 bucket is set to public visibility.
Incidents like this serve as a reminder that cloud environments need to be proactively monitored and accounted for. It can be easy for enterprises to forget cloud assets, which can go unprotected for long periods of time.
With the increased interest in AWS S3 buckets, enterprises need to ensure only those assets are publicly exposed which need to be. Otherwise, it may not be a whitehat that finds the unsecured database, particularly as services like Buckhacker become available.”
Josh Mayfield, Director at FireMon:
Did you know that 99% of breaches occur because of misconfigurations? Really, I’m not joking here. When we look at the sources of all data breaches, it ultimately comes down to something not having the proper controls. In the case of Bongo/FedEx, we again see the notorious S3 bucket misconfigured to allow unauthorized access.
Until we get a handle on the myths we let proliferate in our heads, we’re never going to get up to the starting line and achieve configuration assurance. While there is little doubt that trying to stop these kinds of attacks is difficult, the fact is the breaches themselves are not all that difficult. For all of our talk about threat sophistication, most could have been stopped with simple or immediate controls.
We can check for vulnerabilities with ongoing attack simulations. We can do regular compliance checks with machines that bump our configurations against our security intentions, flagging us when we’ve drifted. And we can orchestrate changes to all devices and cloud controls to fortify data against such a breach.
It is a myth that breaches come from sophisticated attackers, it is a myth that breaches stem from application weaknesses only, it is a myth that breaches are inevitable, it is a myth that technology won’t help, it is a myth that patching at random will halt the cybercriminal.
Just add a few disciplines and you’ll find yourself in a much stronger security posture. Use vulnerability management that simulates trouble and patches. Calibrate your compliance controls to mirror your security intent. Automate changes when trouble is detected. These are disciplines where security teams have strength and experience. We just have to apply it to the entire attack surface – including federated networks after an M&A (like Bongo and FedEx).
Oliver Pinson-Roxburgh, EMEA Director at Alert Logic:
“Yet another S3 breach! We keep seeing these. It’s the upside and downside of cloud computing. Organisations need to monitor S3 bucket permissions. I am confident there are similar issues with other cloud providers, but they are just not surfacing as yet.”