Dear IT security pros: it's time to stop making preventable mistakes

Examining commonalities: shared strategies or mistakes across multiple cybersecurity incidents.

5 fumbling dumb mistake

While helping enterprise IT users improve their cloud security posture, I always like to spend time finding out what common obstacles they are facing.

Their answers always fascinate me, and so I decided to run my own little research project to better understand the patterns behind some of the more preventable cloud security challenges. I took a look at many of the largest security threats the industry encountered in 2017. What I was searching for was commonalities: shared strategies or mistakes across multiple incidents.

This was no easy task. During the past year, hundreds of millions of records were exposed including personally identifiable information (PII), credit cards, usernames and passwords, medical records, confidential emails and documents. Furthermore, it takes an average of about 99 days to discover an IT security breach. This is more than enough time for hackers to create massive damage and steal terabytes of data, especially when attacks are increasingly automated. The worst part is that the costs of these breaches are often paid by an organization's users in some form or another rather than the organization itself.

There are a handful of glaring operational factors contributing to the type of large-scale data breaches that surfaced in 2017. For one, there are too many screens, too many alerts and too few security professionals.

Just think about it – how many log analysis services do you know? They generally all have a nice UI. Same goes for SIEMs. But the confusion comes with the graphic and alert overload – red and green icons telling analysts there are numerous findings that require attention. Security analysts usually don’t know which alerts to start executing on – and it’s hard to determine which alert is of the highest risk and which is just noise because no personnel changed its threshold.

And to make matters worse, once a security analyst has opened an alert to start vetting it, they’re usually too scared to close down wide-open-to-the-internet ports because they don’t know the extent of the impact that will have on the company’s production environment.

As a security advisor, the thing that really irritates me is just how preventable most (if not all) of the 2017 attacks I researched were. Companies like Equifax are not being decimated by unusually savvy hackers, they are being exposed by their own internal mistakes. Most of these errors are straight out of any “Tech Security 101” textbook.

Let's look at a few of these security errors in more detail:

MongoDBs connected to the internet

In 2017, we saw two massive ransomware waves, both aimed at MongoDBs.

Tens of thousands of databases were deleted, including plenty whose owners actually paid the demanded ransom.

MongoDB is one of the most commonly implemented NoSQL databases in the market. Its users include technology mega-giants like Facebook and Google. The amount of data lost in these breaches is staggering. What's even more staggering is just how exposed these databases were to the public internet. The final atrocity is that most of the databases did not have adequate backups.

You’d think IT managers would learn from the mistakes of others and start implementing the proper protocols to protect against these preventable mistakes. But if you assumed that, you'd be wrong. Right now, I can look at an environment monitoring screen and see more than 17,000 MongoDBs that have a public IP address and NO PASSWORD.

S3 buckets open to the world

INSCOM (Intelligence and Security Command), Accenture, Deloitte, Verizon and many more, left S3 buckets widely open to the internet last year. This enables anyone who discovers them to freely download data from them. And unfortunately, those open buckers were discovered on numerous occasions.

All kinds of files were found in these vulnerable buckets, including documents, research, emails, user data and much more. Some of these buckets were found by private security companies who alerted the bucket owners, but no one can say for certain if they were previously accessed by less honorable actors. If a bucket is exposed for even a moment, organizations must live with the possibility that data could potentially be collected and sold in some DarkNet forum or used for extortion down the road.

Passwords and credentials left unprotected

More often than not, software developers are not prioritizing security.

The most common place for unprotected credentials is a code repository like GitHub. Passwords on accounts won't stop malicious actors from gaining access and reverse engineering their way into a system.

Hundreds of millions of passwords have been leaked in the past few years. Once obtained, they are used by hacker bots to brute force their way into apps and services. Once they gain access, they start to crawl. Through crawling, these bots find even more passwords and keys hidden in the code.

An attack like this could result in data leakage or resource abuse by hacker groups. Don't believe me? Just ask Uber.

Uber was attacked in this same fashion back in 2016. They didn't disclose it to the public until November 2017. The private data of 57 million drivers and users was leaked. The hackers received $100K from Uber for deleting this data. Uber tried to hide the payoff as a bug bounty. At the end of the day, the consumer and end-users deserve better security standards and truthful disclosures.

But what can we learn from these incidents? These are the five big takeaways:

1. Backup, backup, backup

Do it often, enough so that losing the difference between the last backup and the current work environment is negligible.

2. Encrypt your data

Put that encryption key somewhere hidden. Now, if anyone manages to get a hold of your data, it’ll be useless to them.

3. Restrict access to/from the internet

Limit access to assets like MongoDB data bases and S3 buckets. Access to organization assets should always go through a designated asset like a bastion server or another asset that has a well-managed routing table with strict firewall rules.

4. Passwords, passwords everywhere

Your organization needs a password policy. A good password should be: strong, random, unique and should not exist in the dictionary.

You should also refrain from using a root user for anything at all. Always create users and grant them only the privileges they need for everyday work.

5. Automated detection system

There are different solutions at different qualities using different technologies to find security holes. Computers can identify patterns human security pros don’t even know of and therefore can’t actively search for. Use the power of AI to enhance your team’s security skills.

These are not advanced concepts, yet we see even technically sophisticated organizations failing to implement them. It's time to put a stop to preventable mistakes. The power is yours.

Copyright © 2018 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.