Personal information of thousands of FedEx customers worldwide was exposed on the web due to an Amazon Web Services (AWS) cloud storage server which was not secured with a password. Security researchers from Kromtech Security found the open AWS bucket which contained 119,000 scanned documents, including passports, drivers’ licenses and Applications for Delivery of Mail Through Agent forms, which contain names, home addresses, phone numbers and ZIP codes. IT security experts commented below.
Willy Leichter, Vice President of Marketing at Virsec Systems:
Josh Mayfield, Cloud Security Expert at FireMon:
Until we get a handle on the myths we let proliferate in our heads, we’re never going to get up to the starting line and achieve configuration assurance. While there is little doubt that trying to stop these kinds of attacks is difficult, the fact is the breaches themselves are not all that difficult. For all of our talk about threat sophistication, most could have been stopped with simple or immediate controls.
We can check for vulnerabilities with ongoing attack simulations. We can do regular compliance checks with machines that bump our configurations against our security intentions, flagging us when we’ve drifted. And we can orchestrate changes to all devices and cloud controls to fortify data against such a breach.
It is a myth that breaches come from sophisticated attackers, it is a myth that breaches stem from application weaknesses only, it is a myth that breaches are inevitable, it is a myth that technology won’t help, it is a myth that patching at random will halt the cybercriminal.
Just add a few disciplines and you’ll find yourself in a much stronger security posture. Use vulnerability management that simulates trouble and patches. Calibrate your compliance controls to mirror your security intent. Automate changes when trouble is detected. These are disciplines where security teams have strength and experience. We just have to apply it to the entire attack surface – including federated networks after an M&A (like Bongo and FedEx).”
Michael Patterson, CEO at Plixer:
Mike Schuricht, VP Product Management at Bitglass:
One of the challenges with configuring cloud applications is ensuring that all access methods are secure and that the threat of a breach is mitigated. An effective way to address these threats is to implement a system that provides visibility over cloud data, alerts for high-risk configurations, and automatic, real-time protection mechanisms. Regulated organizations in healthcare and financial services are keenly aware of this challenge and make security a blocking requirement before any new applications can be deployed.”