Mumsnet has experienced a data leak. Users logging into their accounts were given access to other users’ details, with account information being “switched”. It appears this happened while Mumsnet was migrating services to the cloud.
Parenting site Mumsnet hit by data breach https://t.co/7oPSzN1dxF
— CRISP (@CrispSurv) February 10, 2019
Expert comments below:
Stephen Gailey, Solutions Architect at Exabeam:
“The Mumsnet breach is not that shocking, at least to me. It is not the activity of malicious hackers trying to steal data; instead it seems to be the result of poor programming – again. And this particular problem is also nothing new. Banks and other online organisations have been experiencing just this problem for almost two decades now; I think the first report of synchronous logins revealing the other user’s data that I can recall was in the early 2000s. What this underlines is that the root cause of most security breaches, whether they are malicious or accidental as in this case, tends to be poor software development processes or poor operational processes.
Organisations tend to look outwards to understand the threats they face, but perhaps they should look inwards at how they build and run Internet facing systems. The new rush to digitisation is likely to fill our press with reports like this one. The truth of the matter is the same as it has always been, the limiting factor for any organisation is the quality of the people it can hire and retain.”
Naaman Hart, Managed Services Solutions Engineer at Digital Guardian:
“Moving to the cloud has nothing to do with this failure. It simply highlights that the company is going through a large IT project where complications can arise. That said, security is different in the cloud but typically it’s purely misconfiguration that leads to problems. There is also a lack of rigour applied to validation processes to ensure that companies truly know where their data is stored once in the cloud and how much control they actually have over it.
Every cloud service that interacts with that data is a potential for a leak and companies need to ensure they’re very well versed in who touches what and where it moves. A prime example comes from the very design of cloud hosted systems. By their very nature they are meant to be resilient. Resilient means they have copies of everything in case of failure. These copies can extend to your data and you can very easily find that your data exists in many places you didn’t think it did. Data sovereignty therefore needs to be taken seriously.
The best practices are to learn the benefits and pitfalls of moving to the cloud. Companies will likely gain some native security benefits from moving to newer technologies but they also gain the headache of learning the intricacies of these platforms. If they do not learn how to work well with them then they can find themselves making small misconfigurations that lead to big problems.”
Steve Armstrong, Regional Director, UK & Ireland at Bitglass:
“Moving to the cloud poses some new challenges to any organisation – being able to securely configure platforms requires a robust set of controls and processes to be in place. Outside of the human factor or testing before a release, it is important to have the appropriate technology controls in place. These controls should help reduce risk whilst enabling the business. When moving to the cloud it is important to first assess the risks and map those to the required controls.
If there is a gap in control versus risk an organisation typically has two approaches. The first approach is to update its risk register and accept there is some form of risk. Second, they can implement the controls through the use of technology designed to secure and monitor these environments. In the main these organisations have a risk versus reward balance to maintain – controls should be sufficient enough to mitigate the risk whilst not hindering business agility. The challenge of securing the cloud is ever changing; the pace at which platforms, service and infrastructure in the cloud changes makes risk a moving target that can be hard to 100% mitigate.”
Carl Leonard, Principal Security Analyst at Forcepoint:
“Users are only becoming more savvy about the value of their personal data and who they’re entrusting to protect it. Mumsnet have suffered similar incidents before and in this case acted quickly to rectify the situation, but more must be done in future to ensure that data remains protected before it’s too late.”
Dan Pitman, Principal Security Architect at Alert Logic:
“When users log into a website they are given some kind of unique reference on the server and possibly on their local computer that identifies them for the duration of their browsing session on that site. In this case, it is most likely that a bug in bespoke software or a vulnerability from a third party component was introduced that caused people to receive someone else’s session management unique ID and the server proceeded to serve up the other individual’s data based on that.
This issue correlates with moving to the cloud but is most likely not caused by it. Their statement reads “a software change, as part of moving our services to the cloud” – the issue here is an application (software) change, most likely in how they are managing user sessions in the application as above.
Moving to the cloud is often seen as an opportunity for transformation, in the application itself, release management and other areas – doing these things should not be attempted in one go unless absolutely required (e.g. the application will not run in a virtualised environment) – when it is required, there should be awareness that multiple areas of transformation increase the quality assurance by significant factors.
When moving to the cloud, organisations should get specialist advice. If they do not have in-house expertise, they should employ a third party who has experience and do not depend on individuals. Migration from one place to another is always prone to failure in some areas, so minimise changes into phases and make sure that security is a top priority.”
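The session mix-up described in the comment above can come from several defects. As an added example (not from the original article and not Mumsnet's code), the Python sketch below shows one assumed class of bug, a login handler that keeps the authenticated user in shared state, next to a request-local fix and a concurrency check that flags the mix-up before release. The class names, the `gate` test hook and the users `alice` and `bob` are hypothetical.

```python
import secrets
import threading


class BuggyLogin:
    """Login handler that parks the authenticated user in shared state."""

    def __init__(self, gate=None):
        self.sessions = {}        # session id -> username served for that id
        self.current_user = None  # shared by every request: the defect
        self.gate = gate          # test hook that forces two logins to overlap

    def login(self, username):
        self.current_user = username
        if self.gate:
            self.gate.wait()      # every overlapping request has now written
        sid = secrets.token_urlsafe(32)
        # Reads shared state, which may hold the *other* request's user.
        self.sessions[sid] = self.current_user
        return sid


class SafeLogin(BuggyLogin):
    """Same flow, but the user never leaves the request's own scope."""

    def login(self, username):
        user = username           # request-local, invisible to other threads
        if self.gate:
            self.gate.wait()
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid


def mismatched_sessions(handler_cls, users=("alice", "bob")):
    """Log the constructed users in at the same time and return those whose
    issued session id resolves to a different account."""
    handler = handler_cls(threading.Barrier(len(users)))
    issued = {}

    def worker(name):
        issued[name] = handler.login(name)

    threads = [threading.Thread(target=worker, args=(u,)) for u in users]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(u for u, sid in issued.items() if handler.sessions[sid] != u)


if __name__ == "__main__":
    print("buggy handler, users served the wrong account:", mismatched_sessions(BuggyLogin))
    print("safe handler, users served the wrong account:", mismatched_sessions(SafeLogin))
```

A check of this shape, run against the real login path with overlapping requests, is the kind of pre-release test that would surface a session swap introduced by a software change.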
Lamar Bailey, Director of Security Research and Development at Tripwire:
“Every change to an organisation’s infrastructure is a delicate process that needs to be planned out and carefully executed. Depending on the cloud service model, the responsibility of maintaining the security ‘of the cloud’ is entrusted to the cloud service provider, while the security of the data ‘in the cloud’ is still the responsibility of the customer, and so is the security and effectiveness of the migration process. It makes sense for a glitch like the one experienced by Mumsnet to have happened as a consequence of a misconfiguration during the migration process, but thankfully, the breach was contained and swiftly reported.”
“The most common reason for a failure in the cloud migration process is poor planning. Organisations need to be able to allocate the necessary resources into the migration process. This could be having increased personnel, training for existing staff and taking experts’ advice on realistic budget and execution time.”
“The best way to prevent these issues happening is to prepare thoroughly for cloud migration, taking into account that the process could potentially take time and resources. Not rushing is paramount to maintaining the security of the enterprise, and sometimes it might be advisable to migrate services one by one, starting with the less critical, to ensure that the process is running smoothly. Organisations should also ensure that they have well trained and skilled personnel on the task.”
“The best way for organisations to maintain security when moving to the cloud is to have in place foundational controls, that monitor file integrity, configuration management, asset discovery, vulnerability management, and log collection. The majority of cloud breaches, however, can be traced back to misconfiguration and mismanagement of cloud-native controls, therefore it is careful planning and preparation that will ultimately protect businesses during the migration to a cloud environment.”
Todd Peterson, IAM Evangelist at One Identity:
“The best practices for maintaining security when moving to the cloud are to treat all of your cloud infrastructure just like you treat your on-prem stuff. Strive to have consistent policies across both. Put as much rigor into your security approach to the cloud as you do to your on-prem stuff. Plan for the worst and act accordingly.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.