Coronavirus and Cloud Breaches: Looking Back to Look Forward

Or Priel By Or Priel

Data breaches remain a challenge, even with companies increasing their investment in cybersecurity products and tools.

As part of our ongoing process to deliver the most effective cloud security platform on the planet, the Ermetic team closely analyzes hundreds of breaches that take place each year to understand why they occurred and how to learn from them. It was no surprise to us that data breaches remained a challenge throughout the past year, even with companies increasing their investment in cybersecurity products and tools.

The COVID-19 Factor

Without a doubt, one of the most interesting events was COVID-19 and its impact on business -- especially from a cybersecurity perspective. The shift to remote work caused many companies to race to the cloud. Many companies went “all in” with different cloud services, not fully cognizant of the intricacies that come with using these technologies.

Compared to on-site deployments, the public cloud contains an enormous number of resources, roles, configurations and interdependencies that make it challenging to maintain proper visibility into the environment and all the activity that takes place.

We’ve seen a lot of organizations take the same tools that worked on-prem and try to shift them to their cloud environments, not realizing they lack the awareness and functionality to properly scale and deliver in such an ever-changing space. Organizations fairly quickly come to understand that a solution aimed at securing cloud environments needs to address or adapt to the common issues within a complex cloud environment. These include the lack of data controls, poor IAM, varying service provider policies and the navigation of unknown permissions attributed to identities.

IAM for a Secure Cloud

The fast migration to cloud especially puts increased importance on IAM: Gartner predicts that by 2023, 75 percent of data breaches will be a direct result of mismanagement of IAM privileges. Managing human and non-human identities, and their entitlements, is fundamental for any organization. When hosting applications on platforms like AWS, Azure, and Google Cloud, businesses should put protecting identities and access entitlements at the top of their security strategy.

Just looking at recent history tells you why. What surfaces among the breaches we reviewed is a clear continuation of the “misconfiguration trend” that is validated even more by third party research. According to the Verizon data breach report, misconfigurations were the second most common reason for a breach, surpassed only by “hacking,” in particular, because of credential theft (brute force or the use of lost or stolen credentials). Oracle and KPMG found that 9 out of 10 organizations reported data loss in the public cloud, due to privilege abuse, misconfiguration, and poor visibility -- this caused many organizations to increase their focus on cybersecurity processes.

What’s most striking about these breaches is the critical role of IAM in the security of an organization's cloud environment. If you think about it, IAM plays a critical role even in the most common kind of breach - credential theft - and, handled differently, can dramatically reduce and limit a breach’s scope. It’s not just the misconfigurations. Each breach below could have been prevented or vastly reduced in scope had the environment and, more specifically, the entitlements, been designed with the principle of least privilege in mind.

This is because public cloud applications have thousands of service identities with millions of access permissions and privileges. Yet understanding these permissions, identifying the risks, and remediating excessive and dangerous entitlements is extremely complex in platforms like AWS and Azure or GCP. The result? The organization’s attack surface is left wide open and its sensitive resources unprotected upon malicious lateral movement.

Let’s see how this manifested itself in some of the most notable cloud breaches in the last year:

Marriott

In early 2020, a hacker obtained the credentials of two Marriott employees at a Marriott property and used them to siphon the data of approximately 5.2 million hotel guests for roughly a month before being discovered. The details of how the attacker obtained the credentials is unclear, but a few things are obvious: Marriott didn’t have proper visibility into their environment and controlling the permissions would have dramatically reduced the scope of the breach.

Slickwraps

Slickwraps is an online store that offers skins for electronic equipment. Slickwraps suffered a breach that resulted in more than 800,000 customer records being leaked. The breach happened because one of the tools offered by the company was vulnerable to remote code execution. Users needed to be able to upload photos to create a custom skin for their electronics, and a hacker (more of a grey hat hacker) found that he could upload anything to the root directory of the host. So this hacker uploaded a file that allowed remote code execution and the ability to execute shell commands. Granted, this started off with a vulnerability that could have been avoided but, from there, the attacker used legitimate credentials to traverse the environment, exfiltrate data and even take control of their ZenDesk environment.

Antheus Tecnologia

A Safety Detectives researcher found an exposed database that contained roughly 16 gigabytes of data including 81.5 million customer records, administrator login information, employee telephone numbers, email addresses, company emails and sensitive data representing biometric data (fingerprints and facial recognition) of approximately 76,000 individuals. The researcher said the company neglected to password-protect and properly encrypt a database on the cloud -- almost certainly the result of human error. This is a clear case of misconfiguration. Of course in some cases, databases need to be exposed, so controlling both network access and permissions is essential to keeping the resource secure.

LifeLabs

The LifeLabs breach exposed the data of 15 million Canadians (that’s 40% of the country's population!). The LifeLabs data breach included lab test results and national health card numbers along with personally identifiable information including names, dates of birth, home addresses and email addresses. Login IDs and passwords appear to have also been compromised in the breach. The company states that the data in question was allegedly stored on unsecured servers and not encrypted. In addition, the network security personnel responsible for securing the data were allegedly not properly trained and there was not enough staff.

BigFooty.com

BigFooty.com is a popular app where fans of Australian football can chat about their favorite sport. In late May, SafetyDetectives discovered 132GB of sensitive data published on an Elasticsearch database. This is another case of a misconfigured database leaving sensitive information exposed on the web. BigFooty was hosting the database in AWS and failed to properly secure it.

CAM4

This adult webcam platform inadvertently left a database full of extremely sensitive information available on the web without password protection which resulted in the exposure of 10.8 billion records.

Pfizer

Late last year, Pfizer suffered a massive data leak due to a misconfigured Google Cloud storage bucket. The exposed data included email addresses, home addresses, full names, and other HIPAA related information. It is believed that highly confidential medical information came from automated customer support software that had been stored in the Google database. It is unclear how long this data had been stored or who had access to this information.

WildWorks

WildWorks, a game development company most known for its popular children’s game Animal Jam, suffered a breach that led to the exposure of 46 million user records. Fuller information about this breach is not available but the attacker apparently hacked the company’s Slack server and, from there, managed to find the needed KMS key to access and decrypt the data stored in a database hosted in AWS.

Cisco

A former Cisco engineer, who left the company in 2018, accessed the company’s cloud infrastructure hosted on AWS and deleted 456 EC2 servers. These machines were used as part of the company's Webex platform. In addition to the disruption of service to the product, 16 thousand Webex accounts were also temporarily deleted. The biggest unanswered question is why a former employee would still have access to the infrastructure and, even more so, why in the first place did he have access so sensitive a permission that allowed him to delete virtual machines.

Lessons From the Past

Note that all these breaches were related to either misconfiguration of a resource or to excessive privileges and a lack of control over what an identity could do in the environment. Achieving control over both -- not to mention applying the principle of least privilege access -- could have prevented the breaches or dramatically minimized the impact.

If we’re going to learn from last year’s biggest cloud breaches -- and the research by the community and our own team -- it is evident that now more than ever organizations need to secure their cloud infrastructures with a solution that can scale with cloud and address not just misconfigurations but the complex problem of cloud entitlements. In fact, it’s the most essential cloud security action to take.

Here’s to learning from the past and not making the same mistakes as we move forward into ever-growing public cloud adoption.