Partner Perspectives
7/25/2017
Tim Prendergast
Lessons from Verizon: Managing Cloud Security for Partners

The recent Verizon breach - data exposed by an insecure Amazon S3 bucket - highlights the need for enterprises to have visibility into how partners and other stakeholders keep their data secure.

Even organizations that operate with an enlightened security mindset are most likely focused on their own domain. They are certainly very aware that their data travels and is transacted beyond their corporate walls, but few actively audit how it’s handled by third parties on a daily basis. The recent discovery that a Verizon partner left an Amazon S3 bucket inadvertently unsecured, thus exposing sensitive Verizon customer information, highlights the need for enterprises to have visibility into how partners and other stakeholders keep their data secure.

The story is becoming part of a recurring theme, but the magnitude of this potential breach was staggering. Verizon partner Nice Systems logged customer files that contained sensitive and personal information (including customer names, corresponding cell phone numbers, and specific account PINs) on an Amazon S3 bucket. For reasons unknown, that bucket was left unsecured, thus exposing more than 14 million Verizon customer records to anyone who discovered the bucket. Security experts have suggested that this level and type of exposure can ultimately result in account takeovers through phone number hijacking. With access to the vulnerable data, hackers could break into customers’ email and social media accounts, even for those using multi-factor authentication. The situation was fixed (after six days of round-the-clock remediation), but the exposure could have led to extreme consequences.

While Nice Systems surely had permission to log and access these files per agreement with Verizon (and, we're guessing, through approval of customers), the company clearly was not acting in a way that Verizon would approve. As a Verizon spokesperson said, “Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project. Unfortunately, the vendor’s employee incorrectly set their AWS storage to allow external access.”

Ultimately, Verizon is taking the hit for this, as is the case when any big brand is implicated. I was recently in a large meeting where I asked for a show of hands from people familiar with the "Verizon breach." Every hand in the room shot up. I then asked who had heard of Nice Systems. A PR guy who spends his days glued to news sites was the lone hand-raiser. The point is, visibility into how your data is being used, and adherence to the policies you enforce within your own corporate infrastructure, must be maintained by all who have permission to touch your data. And in the end, it's your job to make sure it's being enforced.

Let's be clear: people make mistakes, and busy, multitasking people make more than they should. Is that okay? Well, it has to be, because humans are not infallible. But make no mistake: this very same scenario is definitely — and I guarantee this within 100% accuracy — happening to a company with whom you have a relationship. It may very well be happening within your own organization.

There are two unassailable factors that make the lives of CISOs difficult: 1) IT infrastructures have a massive, and endlessly growing, number of potential attack points; and 2) humans screw up sometimes. Yet, even knowing all of this, we feel secure enough to hope that checklists and quarterly audits will keep our data protected. We even act surprised when an entry point to our network is discovered or access to a server was inadvertently made public. We also expect partners to operate according to the same rules we enforce for ourselves.

So the Verizon breach should be a wakeup call to companies that share PII, shopping cart data, and customer service data with external vendors or third parties. Do you know what precautions they take to ensure that the data is secure? Are you certain that partners are continuously monitoring their environments to ensure that mistakes aren’t made that leave customer data open to the world?

Really, this isn’t anything different from what we’ve thought about in security for the last couple of decades. But because of the cloud, the faster pace of change in modern IT environments, and automation of everything (including attacks), we need to step up our game. We need to be continuously vigilant and understand how automation and continuous monitoring can replace an imperfect reliance on human behavior. The entire nature of the cloud, and the advantages that we gain from the cloud are simultaneously those things that put us at risk. APIs that transact data among multiple apps allow us to deliver a more customized experience to users, but that relies on sharing of data. We will all claim we only share with trusted sources, but technology isn’t static. It engages, moves, and is transacted in nanoseconds at the behest of developers tasked with solving technology and business issues. It’s fast and agile and if we don’t act the same way we lose our competitive advantage. We also must rely on the interaction with partners, customers, and other stakeholders in order to deliver what customers want. Hasn’t the time come to get a handle on how we protect our data and our people?
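To make the "continuous monitoring instead of quarterly checklists" point concrete, here is an added example (written for this page; it is not code from the article, from Verizon, Nice Systems, or Evident.io) of the check an automated job would run against every bucket: it reads a bucket's ACL and bucket policy and reports any grant to the world. The inputs are constructed samples shaped like the responses of the S3 GetBucketAcl and GetBucketPolicy APIs; the bucket names, owner ID and account number are placeholders, and no AWS call is made. The two AWS group URIs for "everyone" and "any AWS account" are real.

```python
"""Flag an S3 bucket whose ACL or bucket policy exposes it to the public.

Standalone logic of the kind a continuous-monitoring job runs on every
bucket, every few minutes, rather than once a quarter. Sample inputs are
constructed below and mimic boto3 get_bucket_acl()/get_bucket_policy()
output; nothing here talks to AWS.
"""
import json

# AWS's canned grantee groups for "anyone on the internet" and
# "anyone with an AWS account". Either one on a bucket ACL is public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def _as_list(value):
    """IAM policy elements may be a single value or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True if a policy Principal element means 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def find_acl_exposures(acl):
    """Return one finding per ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            label = PUBLIC_GRANTEE_URIS[grantee["URI"]]
            findings.append(f"ACL grants {grant.get('Permission')} to {label}")
    return findings


def find_policy_exposures(policy_json):
    """Return one finding per Allow statement with a wildcard Principal.

    Statements carrying a Condition block are reported separately: a
    condition (source IP, VPC endpoint, ...) may narrow an otherwise open
    grant, so a human still needs to confirm it.
    """
    findings = []
    if not policy_json:          # bucket has no policy at all
        return findings
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        qualifier = "conditioned; review" if stmt.get("Condition") else "unconditional"
        findings.append(f"policy allows {actions} to * ({qualifier})")
    return findings


def audit_bucket(name, acl, policy_json):
    """Run both checks; returns (bucket_name, list_of_findings)."""
    return name, find_acl_exposures(acl) + find_policy_exposures(policy_json)


# --- Constructed samples (placeholder IDs), shaped like the S3 API responses ---
SAMPLE_ACL_OPEN = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_ACL_PRIVATE = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"}],
}
SAMPLE_POLICY_OPEN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-call-logs/*"}],
})
SAMPLE_POLICY_SCOPED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/vendor-ingest"},
                   "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-call-logs/*"}],
})

if __name__ == "__main__":
    for name, acl, pol in [("example-call-logs", SAMPLE_ACL_OPEN, SAMPLE_POLICY_OPEN),
                           ("example-private", SAMPLE_ACL_PRIVATE, SAMPLE_POLICY_SCOPED)]:
        bucket, findings = audit_bucket(name, acl, pol)
        print(f"{bucket}: {'PUBLIC' if findings else 'ok'}")
        for finding in findings:
            print(f"  - {finding}")
```

In a real deployment the two sample dicts would be replaced by the live API responses for each bucket in each partner account, the job would run on a schedule or on a configuration-change event, and any finding would page someone, which turns the six-day window in the Verizon case into minutes.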

Verizon and its customers are just fine. It is a company that’s built a solid reputation on quality, value, and now, security. The company and its partners got a wakeup call, and that will be helpful in the long run. We should see this as an opportunity to ask ourselves if we have the stomach to operate on a loose strategy of hoping for the best. That won't be enough, and we must ensure that rigorous and appropriate security is applied wherever our data resides.

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ...