Cloud misconfiguration problems have plagued security teams for years, with reports of data exposure regularly making headlines. While the number of public cases appears to have declined, the problem persists, as an analysis of misconfiguration events from the past year shows.
Rapid7 researchers identified 121 publicly reported cases of data exposure in 2020 that were directly caused by a misconfiguration in the affected business's cloud environment. Most (62%) of these instances were found and reported by independent researchers, and not criminals, but the "2021 Cloud Misconfigurations Report" warns there are likely more cases still undiscovered.
The extent of researcher involvement stood out to Bob Rudis, chief data scientist at Rapid7 and author of the report. "I just didn't realize before the volume of researchers going out there and proactively trying to identify these things, hopefully before attackers do."
The researchers counted an average of 10 disclosed incidents per month across 15 industries. Most of these incidents were found, disclosed, and remediated within the same month because they were discovered by people actively seeking out poorly secured services. Nearly half of the reports didn't specify the service involved; misconfigured permissions on Amazon Web Services S3 buckets and Internet-facing Elasticsearch servers accounted for 25% and 21% of reported data exposures, respectively.
Amazon and Elastic, the company behind Elasticsearch, have both hardened their default settings in recent years, Rudis notes. By default, a new AWS S3 bucket is private and can be accessed only by principals explicitly granted access to it. S3 also lets a bucket owner set a default encryption configuration so that new objects are encrypted at rest when they are stored.
"[With] newer installations of Elasticsearch and newer setups of S3, you really have to go out of your way to say, 'I'm going to make this available on the Internet to everybody,'" says Rudis.
However, older AWS S3 or Elasticsearch deployments can still put organizations at risk, he continues. Admins should be careful when creating a new S3 bucket and attaching a policy: reusing an old policy carries forward whatever access it granted, rather than the tighter defaults a freshly created bucket gets. He advises revisiting old configurations and settings to see if anything is putting data at risk, especially if you've been operating in the cloud for a while and still have older policies in place.
"[There are] lots of things to check — policies to see, if they're decent or not," he says. "I know it's another thing you have to do, another task … but doing that can save you from being a headline."
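One way to act on that advice is to audit each bucket's policy and ACL for grants that open it to everyone, which is what the two leading categories in the report (S3 permissions and Internet-facing services) come down to. The script below is an added example, not code from the Rapid7 report or from AWS: it runs offline over policy and ACL documents, flags Allow statements whose principal is "*" without a narrowing condition, flags ACL grants to the AllUsers/AuthenticatedUsers groups, and places a constructed old "public read" policy beside a corrected one. The bucket name, role ARN, account ID and VPC endpoint ID are placeholders, and the check on condition keys is a simplification (it does not inspect the key's value).

```python
"""Offline audit of S3 bucket policies and ACLs for grants open to everyone.

Added example, not from the Rapid7 report or AWS. Bucket names, ARNs,
account and endpoint IDs below are constructed placeholders.
"""

# ACL group URIs that AWS defines as "anyone" and "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Condition keys that pin a Principal "*" statement to a network, endpoint,
# account or organization. Simplification: the key's value is not inspected,
# so a wildcard value would wrongly count as restricting.
RESTRICTING_CONDITION_KEYS = {
    "aws:sourceip", "aws:sourcevpc", "aws:sourcevpce",
    "aws:principalaccount", "aws:principalorgid",
}


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True if the Principal element matches any caller at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def condition_restricts(condition):
    """True if any condition key scopes the grant to a network or account."""
    for keys in (condition or {}).values():      # e.g. {"StringEquals": {...}}
        for key in keys:
            if key.lower() in RESTRICTING_CONDITION_KEYS:
                return True
    return False


def find_public_statements(policy):
    """Return Allow statements open to everyone without a narrowing condition."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_public(stmt.get("Principal")):
            continue
        if condition_restricts(stmt.get("Condition")):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement-{index}"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
        })
    return findings


def find_public_acl_grants(acl):
    """Return (grantee URI, permission) pairs granted to the public groups."""
    return [
        (grant["Grantee"]["URI"], grant["Permission"])
        for grant in acl.get("Grants", [])
        if grant["Grantee"].get("Type") == "Group"
        and grant["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
    ]


def audit(policy, acl):
    """Combine both checks into one report for a bucket."""
    return {
        "public_statements": find_public_statements(policy),
        "public_acl_grants": find_public_acl_grants(acl),
    }


# Constructed sample: the kind of old policy that makes a bucket world-readable.
OLD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

# Constructed corrected policy: a named role, plus a "*" principal reachable
# only through one VPC endpoint (hypothetical ARN and endpoint ID).
NEW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadFromAppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "ReadViaVpcEndpoint", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}

# Constructed ACL: the owner's grant plus a legacy public-read grant.
OLD_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}

if __name__ == "__main__":
    for name, policy in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        print(name, audit(policy, OLD_ACL))
```

Run against the constructed documents, the old policy yields one finding (the PublicRead statement) and the ACL yields one public grant, while the corrected policy yields none. In practice the inputs would come from the bucket's policy and ACL as returned by the AWS API, and a bucket-level check like this complements, rather than replaces, the account-level S3 Block Public Access settings.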
Information, Professional, Healthcare at Highest Risk
Of the industries affected by data exposure, the most represented are Information, Professional, Healthcare, and Entertainment. Fourteen distinct types of information were reported exposed; the most notable were datasets involving credentials, personal financial information, and personal health information, the researchers report. The median data exposure was 10 million records, though one incident exposed more than 20 billion records, they note.
Financial institutions usually fall toward the top of industry breakdowns because there are so many of them, Rudis says, noting that their absence here indicates the finance sector "has a better handle on controlling what they put in the cloud and configuring things." He wasn't surprised to see the Information and Professional sectors among the top industries suffering from data exposures.
"Their data is their oil — that is what they use; that is part and parcel of what makes them go," he explains. The sheer amount of data these businesses collect and organize makes it difficult to ensure it's all properly protected.
Healthcare's presence among the top industries is worrisome, especially because industry experts have long emphasized the importance of securing healthcare data and several regulations are in place to protect it. But regulatory oversight is "a bit burdensome across the board," says Rudis, and the number of privacy and data-control requirements placed on healthcare organizations often means information ends up left in the open anyway.
It doesn't help that healthcare institutions lack the resources and staff other organizations have, making it a challenge to move to the cloud for cost savings. Rudis, who talks with some healthcare organizations regularly, says "they are all woefully understaffed. … Between ransomware and COVID, it's been crazy for them," especially those in smaller communities.
To avoid a cloud misconfiguration incident, Rudis urges organizations to avoid the "set it and forget it" mentality and adopt the habit of checking and rechecking security policies for potential gaps. While independent researchers are helping many businesses avoid potentially massive security breaches, it shouldn't fall on them to discover misconfigurations for everyone.
"Double check everything you're doing and constantly check everything," he says. "Don't rely on the researchers to do that for you."