Viacom’s mishandling of its master AWS key has left the digital properties of entertainment companies such as Comedy Central, Paramount and MTV exposed. IT security experts from Prevalent, Inc., leaders in third party risk management and vendor threat intelligence commented below.
Brad Keller, JD, CTPRP, Sr. Director 3rd Party Strategy at Prevalent, Inc.:
“Another day, another vendor fails to follow basic operational security measures. It’s become an all-too-frequent theme. Viacom fails to employ basic security protocols on servers that essentially contained the “keys to the kingdoms” of their customers. The fact that there have been no confirmed (at least publicly) instances of the information being used doesn’t negate the potential damage that will be caused if the access and secret key information to corporate server accounts has fallen into the wrong hands.
“How could this incident, and the seemly steady stream of recent “leaks” caused by poor vendor operational security practices (Time Warner, TalentPen, DeepRoot), be prevented? The first and most obvious answer is for vendors to follow even the most basic security procedures to protect customer information. But equally important is the need for companies to include an assessment of security operational procedures as a critical component of their vendor assessment programs to confirm that proper security procedures are in place to protect their assets. Come on folks, it’s your information! A company’s obligation to ensure that their data is protected doesn’t stop when the data is outsourced. This series of recent data leaks underscores the very real need to make sure that companies carefully consider the data they need to protect, and then take the appropriate steps to make sure that happens.”
Jeff Hill, Director, Product Management at Prevalent, Inc.:
“We’ve seen this movie before – pun intended. TimeWarner Cable, DeepRoot (Republican Party data vendor), Nice Systems, TalentPen, and now Viacom. Cloud server misconfigurations and inadvertent credentials exposure seems to be all the rage, removing even the most rudimentary obstacles to penetration for bad actors. As more and more enterprise data moves to cloud-based environments, organizations must assure that their data is not only protected against pro-active external attacks, but also from the carelessness of those charged with basic configuration and other seemingly pedestrian and taken-for-granted functions. In the age of the cloud, enterprises will be well served to adopt an “assume nothing; verify everything” security philosophy.