Getting Safe, Smart & Secure on S3*:
- AWS Simple Storage Service has proven to be a security minefield. It doesn't have to be if you pay attention to people, process, and technology.
- Several recent data breaches – Accenture, Walmart, Experian, FedEx – have come about as a result of a misconfigured open S3 (Amazon Web Services’ Simple Storage) container.
- The default configuration for S3 is closed to the public Internet. In that configuration, it's reasonably secure.
- But it's actually very easy to misconfigure S3 in such a way that it's left world-readable (or even writable!).
- Public cloud relies on the "shared responsibility" model, which delineates what vendors and users are responsible for regarding security.
- According to this model, cloud vendors are responsible for the security of the cloud itself, and users are responsible for the security of what’s in it.
- This means that any public cloud provider, when faced with a breach of a customer's data, is going to claim the customer was ultimately responsible for the security of the applications and data.
- Claiming responsibility for only the security of the cloud itself is close to declaring blanket immunity.
- Still, there are some real, practical things you can do on three fronts that will make an actual difference in your security posture as it relates to S3 and the public cloud.
- People: The Magical Unicorn
- There's a shortage of cloud talent, a shortage of security talent, and cloud security talent is basically a magical unicorn.
- The bottom line: Stop trying to hire magical unicorns and start creating them.
- Create centers of excellence for cloud security and spend the hours and training dollars to make them leaders.
- Process: Effectively Deploying the Magical Unicorn
- The truth is that magical unicorns aren't going to secure your enterprise if you don't have the processes in place to understand your attack surface at scale.
- In the cloud, understanding your attack surface is even harder because it's so easy and cheap to spin up instances.
- So, when it comes to the cloud, including cloud storage like S3, organizations need to implement processes that control who can spin up instances, create the documentation required to do so, and then put in place audit procedures to make sure those rules are followed.
- Technology: Putting the Horn on the Horse
- Sometimes the only difference between a horse and a magical unicorn is the technology backing them up.
- In cloud security, the right technology can put the horn on the horse, so to speak, accelerating the transformation from IT pro to cloud security expert.
- Cloud vendor security tools often fall short of achieving this outcome.
- Providers like AWS and Microsoft Azure give you security monitoring tools, but those mostly produce a sea of data points that human experts still have to make sense of.
- While cloud providers offer the bare minimum, many third-party vendors are working to address this challenge.
- Common feature sets among these vendors include the ability to continuously monitor and update as cloud instances get spun up and down (so you know what your attack surface actually is), as well as tracking the traffic patterns of S3 data to surface potentially problematic activity.
- S3 has proven to be a security minefield, but it doesn't have to be – cloud security is an emerging field, presenting an opportunity for smart organizations to lead the way.
*Source: Dark Reading, July 12, 2018
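The "world-readable (or even writable!)" misconfigurations above come from two separate S3 mechanisms: the bucket policy and the bucket ACL, and a bucket is only as private as the more permissive of the two. The following is an added example (not code from the Dark Reading article) that classifies a bucket from both documents offline. The inputs are constructed in the shape S3 returns from GetBucketPolicy (a JSON string) and GetBucketAcl (its "Grants" list); the bucket name, account ID and role name are made up.

```python
import json

# ACL groups that make a bucket reachable by anyone. AuthenticatedUsers does NOT mean
# "users of my account": it is any AWS account in the world, so it is treated as public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

BUCKET_ARN = "arn:aws:s3:::example-reports-bucket"  # constructed name

# Constructed sample: the classic misconfiguration, an Allow to every principal with no Condition.
WORLD_READABLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
]})

# Constructed sample: the same bucket corrected. One named role may read, and plaintext HTTP
# is refused. The Deny also names Principal "*", which is fine: only Allow grants widen access.
LOCKED_DOWN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReportReaderRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/report-reader"},
     "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]})

# Constructed ACL grant lists (canonical user ID is made up).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd" * 8}, "Permission": "FULL_CONTROL"}
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
OWNER_ONLY_ACL = [OWNER_GRANT]
PUBLIC_READ_ACL = [OWNER_GRANT, {"Grantee": ALL_USERS, "Permission": "READ"}]
PUBLIC_WRITE_ACL = [OWNER_GRANT, {"Grantee": ALL_USERS, "Permission": "WRITE"}]


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _open_to_anyone(principal):
    """True for "Principal": "*" or {"AWS": "*"}: every AWS account plus anonymous callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _permits_write(actions):
    """s3:Put*, s3:Delete*, s3:* and a bare * all let the grantee change bucket contents."""
    return any(a == "*" or a.lower().startswith(("s3:put", "s3:delete", "s3:*")) for a in actions)


def public_policy_statements(policy_json):
    """Return [(sid, writable)] for unconditional Allow statements open to anyone.

    Statements that carry a Condition (aws:SourceIp, aws:SourceVpce, ...) are not flagged
    automatically; a human has to judge how far the condition actually narrows the grant.
    """
    if policy_json is None:  # no bucket policy at all (GetBucketPolicy raises NoSuchBucketPolicy)
        return []
    findings = []
    for index, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _open_to_anyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        findings.append((sid, _permits_write(_as_list(stmt.get("Action")))))
    return findings


def public_acl_grants(grants):
    """Return [(permission, writable)] for ACL grants to the AllUsers/AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grant["Permission"], grant["Permission"] in WRITE_PERMISSIONS))
    return findings


def classify_bucket(policy_json, grants):
    """Collapse both mechanisms into one verdict: 'private', 'public-read' or 'public-write'."""
    findings = public_policy_statements(policy_json) + public_acl_grants(grants)
    if not findings:
        return "private"
    return "public-write" if any(writable for _, writable in findings) else "public-read"
```

In real use the two documents come from `get_bucket_policy()["Policy"]` and `get_bucket_acl()["Grants"]` for every bucket in the account, which is the kind of continuous inventory the article asks for; a bucket can be private by policy and still be public by ACL, which is why both are checked before a verdict is given.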
Facebook Faces Australia Data Breach Compensation Claim*:
- Facebook could face a hefty compensation bill in Australia after a leading litigation funder lodged a complaint with the country's privacy regulator over users' personal data shared with a British political consultancy.
- The social networking giant admitted in April the data of up to 87 million people worldwide, including more than 300,000 in Australia, was harvested by Cambridge Analytica.
- Under Australian law, all organisations must take "reasonable steps" to ensure personal information is held securely, and IMF Bentham has teamed up with a major law firm to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
- The OAIC launched an investigation into the alleged breaches in April and, depending on its outcome, a class action could follow.
- IMF said it was seeking “compensation for Facebook users arising from Facebook's alleged breaches of the Australian Privacy Principles contained in the Privacy Act 1988.”
- The alleged breaches surround the circumstances in which a third party, Cambridge Analytica, gained unauthorised access to users' profiles and information.
- The complaint seeks financial recompense for the unauthorised access to, and use of, their personal data.
- Facebook said, “We are fully cooperating with the investigation currently underway by the Australian Privacy Commissioner.”
*Source: Deccan Herald, July 11, 2018
Ticketmaster Data Theft Part of Large Credit Card Scheme*:
- The data breach that Ticketmaster revealed in June is part of a larger credit card-skimming operation that has hit more than 800 e-commerce sites across the internet, according to a cybersecurity firm.
- Hackers were able to penetrate InBenta Technologies, a firm that works with Ticketmaster; Ticketmaster itself wasn’t breached.
- By going through InBenta, the hacking group known as Magecart was able to access payment information.
- Magecart used a similar strategy on many other websites, meaning it could have stolen the credit card information of thousands of people on various websites by targeting only a few companies.
- The shift indicates that the group has gotten smarter: rather than going after individual websites, it has figured out that it is easier to compromise third-party suppliers of scripts and add its skimmer to the code those suppliers serve.
- In some cases, compromising one of these suppliers gives them nearly 10,000 victims instantly.
- The cybersecurity firm said it had now "identified nearly 100 top-tier victims, mainly online shops of some of the largest brands in the world."
- Ticketmaster originally announced that the breach had affected only four of its websites from February to June 23, but the report listed as many as 17 different Ticketmaster websites over a greater period.
- Magecart is a threat on the same or greater scale as the 2013 Target data breach, in which point-of-sale systems were compromised.
- The cybersecurity company also found that the hackers had such extensive access to third-party companies' systems that they could leave messages or threats for administrators that tried to remove the code that allowed them to take credit card information.
*Source: NBC News, July 10, 2018
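The failure mode described above is a third-party script changing under a site that keeps loading it. Subresource Integrity (SRI) is the browser mechanism for exactly that case: the site pins the hash of the script it reviewed in the `integrity` attribute, and the browser refuses to run a fetched copy whose hash differs. The article does not mention SRI; the following is an added example, not code from NBC News or any company named above. The "supplier script" and its tampered copy are constructed byte strings (the appended line is a harmless marker, not skimmer code), and the CDN URL is made up.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a script as published by a third-party supplier.
SUPPLIER_SCRIPT = b"(function(){window.helpWidget={init:function(){}};})();\n"
# Constructed tampered copy: the supplier's script with one line appended, standing in
# for code added to a compromised supplier's script. It is only a comment here.
TAMPERED_SCRIPT = SUPPLIER_SCRIPT + b"/* line appended after the supplier was compromised */\n"

# Digests SRI accepts. When an attribute lists several tokens, browsers honour only the
# strongest algorithm present and ignore the rest.
SRI_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_token(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity token for a script body, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in SRI_STRENGTH:
        raise ValueError("SRI allows sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def integrity_matches(content: bytes, integrity_attr: str) -> bool:
    """Apply the browser's rule to a fetched body and an integrity attribute value.

    Tokens with unrecognised algorithms are ignored. If nothing recognisable is left,
    the spec treats the resource as having no integrity metadata and lets it load, so a
    typo in the attribute silently disables the check. Test your tags, not just write them.
    """
    tokens = [t for t in integrity_attr.split() if t.split("-", 1)[0] in SRI_STRENGTH]
    if not tokens:
        return True
    strongest = max(SRI_STRENGTH[t.split("-", 1)[0]] for t in tokens)
    for token in tokens:
        algorithm, expected = token.split("-", 1)
        if SRI_STRENGTH[algorithm] != strongest:
            continue
        actual = sri_token(content, algorithm).split("-", 1)[1]
        if hmac.compare_digest(actual, expected):
            return True
    return False


def pinned_script_tag(src: str, content: bytes) -> str:
    """Emit the <script> tag a site ships for a supplier script it has reviewed.

    crossorigin="anonymous" is required for SRI on cross-origin scripts; without it the
    browser cannot read the body to hash it and the load fails.
    """
    return f'<script src="{src}" integrity="{sri_token(content)}" crossorigin="anonymous"></script>'
```

The operational cost is the point: when the supplier legitimately updates the script, the pinned page stops loading it until someone reviews the new version and refreshes the hash. SRI does not cover scripts that the pinned script itself fetches later, and the article does not say how the Inbenta code was loaded on Ticketmaster's pages, so treat this as the general defence for the pattern rather than a statement about that incident.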
While Everyone was Focused on GDPR, the NIS Directive Snuck in Through the Back Door*:
- As we’ve seen from recent cyberattacks like WannaCry and NotPetya, attacks on critical infrastructure can have a devastating impact on industrial production and quarterly profits.
- Additionally, targeted cyberattacks that compromise large-scale cyber-physical systems can cause catastrophic safety failures, environment damage, and even loss of life.
- The growing number and sophistication of malicious cyberattacks on critical infrastructure have led European Union (EU) legislators to adopt the Network and Information Security (NIS) Directive (NISD).
- The new directive requires companies from critical infrastructure sectors to adopt specific technical and organizational measures to manage threats to their networks and information systems.
- While the EU's General Data Protection Regulation (GDPR) is a privacy regulation focused on organizations that collect and process personal data, the NIS Directive is focused on strengthening the resilience of providers of critical infrastructure services.
- In particular, NISD applies to organizations that provide "essential services" in critical infrastructure sectors such as energy, transport, banking and financial market infrastructure, drinking water, health, and digital infrastructure (ISPs, DNS providers, etc.).
- Like GDPR, NISD imposes substantial financial penalties for non-compliance.
- The NIS Directive binds all EU member states, but as a directive it is transposed into national law, so each member state decides on its own penalties and deadlines.
- Although this is an EU directive, many companies throughout the United States will also be affected as many organizations have global operations with plants worldwide.
- The NIS Directive also sets a compelling precedent that US companies should consider following voluntarily, even if they are not currently legally bound by the Directive’s requirements.
- As attacks on critical infrastructure rise in number and severity, the likelihood of the US government adopting similar legislation grows.
- US entities can stave off the disruption of new regulations and protect their production assets by adhering to the requirements of the NIS Directive now.
- Key Technical Requirements: The NIS Directive stipulates that affected operators of essential services (OESs) and digital service providers (DSPs) must have in place, among other requirements:
- An understanding of their assets and a mechanism to identify unknown devices
- A mature vulnerability management program
- Mature threat detection systems, including detecting, identifying, and reporting capabilities
- Effective incident reporting mechanisms, including systems to record and report incidents within 72 hours of detection
- Mature incident management
- Response and recovery plans
- Key Organizational Requirements:
- Governance: Organizations must have appropriate management policies and processes in place to govern their approach to the security of network and information systems.
- Risk Management Process: Companies must take appropriate steps to identify, assess, and understand security risks to the network and information systems in relation to the delivery of essential services.
- Supply Chain: Companies must understand and manage security risks to networks and information systems that support the delivery of essential services that arise because of dependencies on external suppliers, including ensuring that appropriate measures are employed where third party services are used.
- Staff Awareness & Training: Employees and staff must have appropriate awareness, knowledge, and skills to carry out their roles effectively when it concerns the security of the network and information systems supporting the delivery of services.
- While it will take time to achieve full NIS Directive compliance, there is still time for companies to start down the right path and protect their organizations for the long run.
- Addressing the NIS Directive will require a multi-layered active cyber defense strategy incorporating modern security controls such as OT asset management, vulnerability management, threat modeling, and behavioural anomaly detection.
*Source: Venture Beat, July 9, 2018
Timehop Discloses July 4 Data Breach Affecting 21 Million*:
- Timehop has disclosed a security breach that has compromised the personal data (names and emails) of 21 million users (essentially its entire user base).
- Around a fifth of the affected users — or 4.7M — have also had a phone number that was attached to their account breached in the attack.
- Timehop says it discovered the attack while it was in progress, and was able to shut it down about two hours later.
- According to its preliminary investigation of the incident, the attacker first accessed Timehop's cloud environment in December using compromised admin credentials, apparently conducted reconnaissance for a few days that month and again for one day each in March and June, and then launched the attack on July 4, a US holiday.
- Timehop says no social media content, financial data or Timehop data was affected by the breach — and its blog post emphasizes that none of the content its service routinely lifts from third party social networks in order to present back to users as digital “memories” was affected.
- However, the keys that allow it to read and show users their social media content were compromised, so it has deactivated all of them, meaning Timehop users will have to re-authenticate to its app to continue using the service.
- If users have noticed content not loading, it is because Timehop deactivated these keys proactively; there is no evidence that any accounts were accessed without authorization.
- Timehop stated, “the damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service.”
- In terms of how its network was accessed, it appears that the attacker was able to compromise Timehop’s cloud computing environment by targeting an account that had not been protected by multifactor authentication.
- Part of its formal incident response, which it says began on July 5, was also to add multifactor authentication to “all accounts that did not already have them for all cloud-based services (not just in our Cloud Computing Provider)”.
- Timehop went on to explain, “There is no such thing as perfect when it comes to cyber security but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades.”
- Users are being notified of the breach as they log back into the app.
*Source: Tech Crunch, July 10, 2018
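The root cause above is a cloud admin account without multifactor authentication, and Timehop's fix was to add MFA to every account after the fact. The audit that finds such accounts before an attacker does, and a policy that refuses to let an un-MFA'd session do anything but enrol a device, are shown below as an added example; this is not code from the TechCrunch article or from Timehop. The sample rows follow the column layout of an AWS IAM credential report (the CSV that GetCredentialReport returns, base64-encoded) but the account ID, user names and timestamps are constructed; the policy uses the AWS condition key `aws:MultiFactorAuthPresent`.

```python
import csv
import io

# Constructed rows in the IAM credential report layout. Account ID and users are made up.
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,"
    "password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,"
    "access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,"
    "cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
    # root: MFA device enrolled
    "<root_account>,arn:aws:iam::123456789012:root,2016-01-10T09:00:00+00:00,not_supported,"
    "2018-01-05T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    # ops-admin: console password, no MFA, plus an active access key
    "ops-admin,arn:aws:iam::123456789012:user/ops-admin,2017-03-02T12:00:00+00:00,true,"
    "2018-07-04T01:55:00+00:00,2017-03-02T12:00:00+00:00,N/A,false,true,2017-03-02T12:00:00+00:00,"
    "2018-07-03T23:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    # deploy-bot: access key only, no console password (MFA does not apply)
    "deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2017-06-15T08:00:00+00:00,false,"
    "N/A,N/A,N/A,false,true,2018-06-01T00:00:00+00:00,2018-07-04T00:30:00+00:00,us-east-1,s3,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    # alice: console password with MFA
    "alice,arn:aws:iam::123456789012:user/alice,2017-09-20T10:00:00+00:00,true,"
    "2018-07-02T14:00:00+00:00,2018-05-01T10:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
)

ROOT = "<root_account>"


def console_users_without_mfa(report_csv: str) -> list:
    """Names of identities that can sign in with a password but have no MFA device.

    The root row reports password_enabled as not_supported (root always has a password),
    so root is judged on mfa_active alone. Key-only users are not flagged: MFA does not
    protect API keys, which is a separate finding.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        has_mfa = row["mfa_active"] == "true"
        has_password = row["user"] == ROOT or row["password_enabled"] == "true"
        if has_password and not has_mfa:
            flagged.append(row["user"])
    return flagged


def require_mfa_policy() -> dict:
    """IAM policy that denies everything to a session without MFA, except enrolling a device.

    BoolIfExists makes the deny apply when aws:MultiFactorAuthPresent is absent from the
    request (plain access-key calls), not only when it is literally "false". With a plain
    Bool condition, key-based calls would slip past the deny.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptMfaSetupWhenNoMfa",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }
```

Run the audit against the real report (`generate_credential_report()` followed by `get_credential_report()`, then base64-decode `Content`) on a schedule, and attach the deny policy to every human user or group; Timehop's own lesson was that the MFA rollout must also cover every other cloud service, not only the primary provider.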