It was reported this morning that VoterVoice, a “grassroots advocacy system” that allows lobbying firms and groups to alert concerned citizens about hot-topic issues, left a server exposed that contained over 300,000 unique email addresses, home addresses, phone numbers and other personal information that could indicate political persuasions and religious beliefs. The server was discovered by an ethical security researcher; however, it was exposed for an unknown amount of time, meaning that an individual with nefarious intentions could have found it first.
Expert Comments:
Brian Johnson, CEO and Co-founder at DivvyCloud:
Organizations must be diligent in ensuring the consumer data they are entrusted with is protected with proper security controls. Organizations need to focus on internal operations. Databases, storage containers, search engines, and other cloud data repositories are often incorrectly configured. For example, the container permissions may be too broad, allowing anyone to access the data. Containers may have been serviced by people who aren’t familiar with cloud security. These misconfigurations are often the result of something as simple as a developer who was unaware of how to properly secure the cloud service, or a simple oversight. For example, a developer may have tweaked a storage container configuration as part of troubleshooting, leaving it open to the public. Once the application began working again, they moved on to another project, completely forgetting about the exposed storage container. There are dozens of situations that may result in changes to a container’s configurations. Organizations are often made vulnerable because they don’t have processes in place to prevent or manage insecure software configurations and deployments.
That is why companies must invest in cloud operations (CloudOps). CloudOps is the combination of people, processes, and tools that allow organizations to consistently manage and govern cloud services at scale. Key to this is hiring and developing the right people, identifying processes that address the unique operational challenges of cloud services, and the automation of these processes with the right tools. Automated cloud security solutions give organizations the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, or even trigger automated remediation in real time.
Ruchika Mishra, Director of Products and Solutions at Balbix:
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.