SecurityWeek

Data Protection

Picture This. Now Protect It.

An astonishing amount of sensitive data – over 12 petabytes – is being exposed publicly. If you’re having difficulty visualizing what 12 petabytes is, this might help. One petabyte is the equivalent of 500 billion pages of standard printed text, or over 2,000 years of continuous music, or three and a half years of an HD video recorder running day and night. Now multiply by 12. That’s a lot of data – roughly 1.5 billion files – and that’s how much is being exposed across open Amazon S3 buckets, along with older but still widely used file transfer and sharing technologies, misconfigured websites, and the network-attached storage (NAS) devices often used to back up home computers.

Three main categories of data are being exposed across these technologies.

Personal data. The most common type of data is personal data of employees and customers. Payroll and tax return files account for 700,000 and 60,000 files respectively. For consumers, contact and patient lists, some credit card data, and even medical tests are being exposed.

Intellectual property. Employees, contractors and other third parties can use misconfigured or unauthenticated services to back up or share proprietary documents, such as photographs of upcoming product designs or information about yet-to-be-released products. In the process, they inadvertently make this information public.

Systems information. Thousands of documents, including security audits and assessments, network infrastructure details, and penetration testing and vulnerability scanning reports, are also publicly accessible. The availability of this information, which attackers can use to plan attacks, is largely a result of third-party and supplier risk: contractors backing up or transferring data outside of an organization’s network.

Talk about making life easy for cyber criminals. They can simply find ways to monetize data that is already publicly available, and/or take advantage of exposed security information to save time and resources they would have spent conducting reconnaissance.

Much has been written recently about the exposure of Amazon S3 buckets, yet file sharing services like Server Message Block (SMB), Rsync and the File Transfer Protocol (FTP) each account for a substantially larger proportion of online exposure. These technologies have been around for years, and yet we still have not corrected the bad practices and misconfigurations around them. Compounding the problem, when employees and contractors begin archiving and copying files online or on personal devices, organizations that already struggle to secure data within their perimeter find their job all the more difficult.

While the United States has the highest number of exposed files of any single country, the number of files exposed across the European Union is more than double that. As I’ve discussed before, with GDPR nearly upon us, organizations must consider how they are protecting employee and consumer information and the impact of practices by third parties and suppliers. The risk of privacy violations, compliance issues and financial damage, not to mention reputational concerns, affects us all.

Now that we can clearly picture the problem, let’s take the necessary steps toward better protection. The long-term solution lies in training and awareness. In the meantime, there are some tips security professionals can follow to mitigate the risk of falling victim to this type of exposure, based on the type of service used.

FTP, SMB and Rsync. This advice has been offered for years, but it bears repeating. Require a password, disable guest or anonymous access, and firewall the port off from the Internet. If the service must be reachable from the Internet, or must run without a password, whitelist the IP addresses that are expressly permitted to access the resource.

Amazon S3. Amazon now sets S3 buckets to private by default, and its documentation also provides a good overview of measures organizations can take to set permissions and monitor for unusual activity.

Misconfigured websites. To mitigate the risk of a path (or directory) traversal attack, disable directory listings unless explicitly required.

NAS devices. Users should add a password and disable guest/anonymous access, as well as opt for NAS devices that are secured by default. Ideally, organizations should provide training on the risks of using home NAS drives and offer backup solutions to contractors and employees so that they don’t feel the need to back up their devices at home.
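As an added example that is not part of the column, the check below flags anyone-can-access grants in an S3 bucket policy and bucket ACL, the two places where the permissions the S3 tip refers to are set. It runs offline on constructed sample documents; the bucket name, account id and owner id are placeholders.

```python
"""Added example (not from the column): flag anyone-can-access grants in an S3
bucket policy and ACL. Runs offline on constructed sample documents."""
import json

# Canned group URIs that AWS treats as "everyone" in an ACL grant
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy):
    """Return [(sid, has_condition)] for Allow statements open to anyone.
    Conditioned statements are reported too: an IP or referer condition may
    be the only thing keeping the bucket private, so review them by hand."""
    found = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            found.append((stmt.get("Sid", f"Statement[{i}]"), bool(stmt.get("Condition"))))
    return found

def public_acl_grants(acl):
    """Return [(group, permission)] for grants to AllUsers/AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        g = grant.get("Grantee", {})
        if g.get("Type") == "Group" and g.get("URI") in PUBLIC_ACL_GROUPS:
            found.append((g["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found

# Constructed samples: bucket name, account id and owner id are placeholders
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "OwnerFull", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-backups/*"},
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}]}""")
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
```

On the samples, the policy check reports the PublicRead statement and the ACL check reports the AllUsers READ grant, which on a bucket ACL allows anyone to list its objects.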

While a boon to productivity, some of the most ubiquitous file sharing services across the Internet are also at the heart of a global problem – publicly exposed data. For decades much of the advice to secure these services has gone unheeded. Now that we can clearly see the ramifications, the time has come to take some simple steps to mitigate risk.

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.
