Open Invitation to Hackers: Misconfigured Cloud Servers
Written by: Black Kite
Many companies store their data on cloud servers. For all their advantages, misconfigured servers may expose sensitive data, and such a mistake is an open invitation to hackers to dump a company's data and use it for their own malicious purposes.
How is it possible?
4th party service providers, such as cloud storage providers, work to make their platforms as resilient as they can. They publish best practices for using their services and offer options to keep stored data public or private, but those options are configured by the companies that use the cloud servers, not by the provider. Any misconfiguration may expose data to the public, and the first to notice exposed data are usually hackers and hacktivists. It is no wonder that Security Misconfiguration is #6 in the OWASP Top 10 (2017 edition).
The following three events, all from August 2018, give a hint of what can happen.
- A misconfigured Amazon S3 bucket exposed GoDaddy data covering 31,000 GoDaddy servers, including architectural details about GoDaddy, high-level configuration information for many systems and the pricing of operating those systems, such as the discounts offered to customers.
- Agilisium, a cloud data storage contractor for Universal Music Group, left two Apache Airflow instances unprotected, exposing UMG's internal FTP credentials, AWS secret keys and passwords, and the internal SQL root password to the open internet.
- Two of Honda Car India's AWS storage buckets were publicly accessible and contained names, phone numbers and email addresses of users and their trusted contacts, passwords, gender, and details about their cars including VINs, Connect IDs and more. All of this sensitive data sat on the misconfigured servers, exposed to the public, for more than a year.
A short list of common misconfigurations
- Use of factory-default system credentials (usernames and passwords)
- Directory and file listings that are not disabled and are easily found through search engines
- Responses that reveal too much, such as pages returned to users that include detailed error messages or stack traces
- Leaving unnecessary artifacts in place, such as sample apps, stale privileges and unused user accounts
- Out-of-date software, legacy systems and missing patches
Simple steps to prevent misconfiguration
- Discover all the 3rd and 4th party service providers and cloud storage servers that your company uses.
- Check cloud storage servers for misconfiguration, such as buckets or instances left publicly accessible.
- Monitor the cyber risk of your 3rd and 4th party providers.
- Regularly review Intrusion Detection System (IDS) logs, and consider a host-based IDS rather than relying only on a network-based IDS, so that events can be examined at the host level.
- Raise the cyber security awareness of your employees and regularly check for leaked credentials.
- Create an agile patch management procedure. Tools such as Black Kite Cyber Risk Scorecards, which score your security posture in Patch Management (among 19 other categories), can help.
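The "check cloud storage servers for misconfiguration" step above is where the three August incidents would have been caught. As an added example that is not part of the original article and not Black Kite's tooling, the Python below reviews the three settings that can make an Amazon S3 bucket world-readable: the bucket ACL, the bucket policy and the Public Access Block configuration. It works offline on the JSON that `aws s3api get-bucket-acl`, `get-bucket-policy` (the `Policy` field, parsed) and `get-public-access-block` return. The function names, the verdict logic and the sample documents at the bottom are all constructed for this example, not taken from any real account.

```python
"""Offline review of the settings that can make an S3 bucket public.

Added example for this article, not Black Kite's own tooling. Inputs are the
parsed JSON documents from `aws s3api get-bucket-acl`, `get-bucket-policy`
and `get-public-access-block`. The sample documents below are constructed.
"""
import json

# Canned ACL grantees meaning "everyone" (AllUsers) or "anyone with any AWS
# account" (AuthenticatedUsers); both are effectively public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM JSON allows a bare string where a list is expected; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_acl_grants(acl):
    """Return [(group, permission)] for grants to AllUsers/AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append((group, grant.get("Permission")))
    return findings


def public_policy_statements(policy):
    """Return [(sid, actions, conditional)] for Allow statements with a wildcard principal.

    A Condition block (aws:SourceIp, aws:SourceVpce, ...) may narrow the
    statement, so such hits are reported as conditional for manual review
    rather than silently accepted. Deny statements are never findings.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", ""), _as_list(stmt.get("Action")),
                         bool(stmt.get("Condition"))))
    return findings


def public_access_block_gaps(pab):
    """Return the Public Access Block flags that are missing or False."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return [flag for flag in PAB_FLAGS if not cfg.get(flag, False)]


def assess_bucket(acl, policy, pab):
    """Combine the three checks into a verdict.

    IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets
    neutralises public policy statements, so the bucket is only PUBLIC when
    a public grant or statement exists *and* the matching block is off.
    """
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy)
    gaps = public_access_block_gaps(pab)
    exposed = (acl_hits and "IgnorePublicAcls" in gaps) or \
              (policy_hits and "RestrictPublicBuckets" in gaps)
    return {"verdict": "PUBLIC" if exposed else "PRIVATE",
            "acl_grants": acl_hits,
            "policy_statements": policy_hits,
            "public_access_block_gaps": gaps}


# --- constructed sample documents (not from any real account) ---------------
SAMPLE_ACL = json.loads("""{
  "Owner": {"ID": "EXAMPLEOWNERID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}
  ]
}""")
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")
OPEN_PAB = {"PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS}}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}

if __name__ == "__main__":
    for label, pab in (("as found", OPEN_PAB), ("with Public Access Block", HARDENED_PAB)):
        print(label, json.dumps(assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, pab), indent=2))
```

Run against the constructed documents, the bucket "as found" is PUBLIC on two counts (an AllUsers READ grant and an unconditional `s3:GetObject` for `Principal "*"`), while the same ACL and policy under a fully enabled Public Access Block come back PRIVATE, which is why turning on all four flags at the account level is the fastest fix when an inventory turns up buckets like the ones in the incidents above. The `DenyInsecure` statement is correctly not a finding: a wildcard principal in a Deny is a hardening measure, not an exposure.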