Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
82% of Databases Left Unencrypted in Public Cloud
Newest First  |  Oldest First  |  Threaded View
sngs7dan
sngs7dan,
 User Rank: Strategist
5/30/2017 | 9:45:46 AM
Lies, Damn lies and Statistics
A shameful article. Inadequate with regards to analysis. Either provide enough information to make the numbers quoted reasonable or critique the methodology of the report for not providing enough information.

"'Average' is a statistical fiction". Under three hours average TTL for a cloud resource? Based on what? People creating something, realizing it's misconfigured, destroying it and then doing it right? Trial and error, experimentation? transient convenience builds? dynamic honeypots? the possibilities are endless and so are the questions left unanswered.

Without any discussion of the distribution curve, a single value is a data point without meaning. Imagine trying to read a graph with unlabeled axes. Pretty picture, but with what meaning?

You can do better.
DCDawg
DCDawg,
 User Rank: Apprentice
5/30/2017 | 12:40:34 AM
But the cloud is supposed to be more secure!
Isn't that what everyone tells us? The cloud is more secure. Why worry? (sarcasm assumed)
Dr.T
Dr.T,
 User Rank: Ninja
5/29/2017 | 2:47:39 PM
plaintext credentials
I was hoping that we would not hear this again, plaintext credential means no credential basically.
Dr.T
Dr.T,
 User Rank: Ninja
5/29/2017 | 2:45:17 PM
devops-oriented world
"devops-oriented world" in which those who write the code are responsible for pushing it to production." I do not have problem with this, therebcna still be enough chekcs to make sure no security vulnerability.
Dr.T
Dr.T,
 User Rank: Ninja
5/29/2017 | 2:41:22 PM
cloud providers failing to secure data centers
This is something we can argue but it is still both cloud provers and consumers to encrypt the databases. Cloud providers could make this a default features on their services.
Dr.T
Dr.T,
 User Rank: Ninja
5/29/2017 | 2:38:40 PM
51% web traffic
51% web traffic being not encrypted is more troubleing than database encryption at rest. So individuals who are registering those sites not having https are competely at risk.
Dr.T
Dr.T,
 User Rank: Ninja
5/29/2017 | 2:36:17 PM
Not surprised
This is not surprising at all. I bet it is the same on on-premises. We tend to think it is important to encrypt data but not doing that when it comes to data at rest.
ChrisB964
ChrisB964,
 User Rank: Apprentice
5/26/2017 | 5:22:41 PM
What exactly is the threat vector of an unencrypted cloud database?
What exactly is the threat vector of an unencrypted cloud database?  Considering this is headline I'm curious if you or anyone could describe a scenario where someone accesses data by attacking an unencrpted database.  Unless I misunderstand something the encryption protects attempts to access the data at the disk level.  For RDS users(the most common case) wouldn't an attacker first have to compromize AWS infrastructure to get at the disk layer of RDS?  There's no public access to the disk of an RDS instance.  Help me understand the risk.

Yes we encrypt our cloud databases and noticed that we have to spend more hourly on many due to the additional size requirements of encrypting them.
DominicP260
DominicP260,
 User Rank: Apprentice
5/25/2017 | 12:36:43 PM
This article and the cited report are misleading
This article, and the cited report, suggest that the 82% of unecrpyted databases in the public cloud would suddenly become safe if they were all encrpyed but that's far from the truth. This will only protect the database from an attack vector where the threat actor attempts to steal the DB in its entirety at the filesystem level. If an attack exploids weak DB credentials via an exposed port they will still have full read access to the encrypted DB unless the DB is utililzing field level encryption, which is not even mentioned in this article. The way in which the cited report collected their data is also not very scienctic; the 82% is probably not an accruate reflection of the real number. This article reads more like sponsered content than anything.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file