Open to the internet

Let's face it, cybersecurity can be a scary business, so what better time of year to highlight the fears of cyber crime than Halloween?

We've all heard the scary stories, read the chilling books, and watched the horror movies where someone is being watched: picture the scene with the creepy guy standing outside the house, looking back in through the window. Most of us close our curtains and lock our windows and doors at night before going to bed, hoping not to encounter the creepy guy. But if we go to great lengths to stop someone peeping into our private lives, or getting into our home, then why don't we do the same with our data, especially our data that's in the cloud?

It's scary to think that a lot of data, especially on public clouds, is left open to the internet. According to our security market research, nearly 80% of databases in the Amazon cloud are left unencrypted, of which 30% are open to the internet. The smart hackers who know about this scour these unprotected havens looking for data they can exfiltrate.

We previously covered a story about Booz Allen Hamilton, who recently had a data leak in AWS. Lack of good security controls left their S3 bucket data open to the internet, which resulted in the exfiltration of over 60,000 sensitive files.

Using the Booz Allen Hamilton incident as an example, let's discuss how you would go about implementing the right security controls and detection mechanisms to avoid such a mistake.

Convenience can sometimes lead to insecurity

At the heart of Booz Allen Hamilton's incident investigation is speculation that they traded convenience for security best practices. Initially creating an S3 bucket is easy. As the screenshot below shows, public access is not the default mode and AWS does not recommend making the bucket public.

So why would this happen?
We believe there are two main cases for this:

1. Setting up the bucket before you have all the necessary information about who will be accessing it and how they will be expected to access it. This includes what credentials they will have and what IP address(es) they may be using. In this case, it may be easier to just make the bucket public and come back to it later. But, especially for overloaded security folks in large organizations, later never comes.

2. The business purpose of the bucket changes without the security team's knowledge. If you create the bucket believing that nothing sensitive will be stored there, then it needs to stay that way. If the business use of the bucket changes, the permissions around the bucket should be revisited.

Since AWS does not recommend the use of Access Control Lists (ACLs), users should be creating S3 bucket policies to establish granular permissions around the bucket and its contents. However, policies can be a little cryptic if you are not familiar with them. To help with this, AWS provides the policy generator tool. As shown below, this tool makes it easier to select the actions you would like to allow (or deny), specify the resource (a bucket in this case), and the principal. The "Principal" is the actor to which you are applying the permission.

If you use "*" in the Principal field, the permission applies to any unauthenticated user. So, if you selected the actions "GetObject" and "ListBucket", this would essentially allow anybody on the Internet to enumerate and download the contents of the specified S3 bucket. This may be the most convenient option if you don't have all the relevant data to create a more granular policy. However, this may not be an acceptable exposure for the contents of that S3 bucket, so we recommend gathering the necessary pieces before opening the bucket like this.

Final thoughts

It's very easy to take shortcuts while setting up an S3 bucket in AWS.
We saw how impactful this can be, as in the case of Booz Allen Hamilton. To help prevent this type of incident from happening in your environment, we recommend the following:

Enable file-level data collection in CloudTrail for your buckets, since it's not enabled by default.
Use granular policies whenever possible.
Don't use "*" for Principal unless the bucket is only going to house public data.

In addition, Sift Security's CloudHunter product can help make the job of protecting your S3 bucket data easier. Some of the functionality we provide out of the box includes:

Alerting you to ACL and policy changes.
Automatically detecting when a bucket or object is being exposed to the Internet.
Allowing you to lock permissions, so that they are automatically corrected before unauthorized access happens.
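To make the "*" Principal problem and the granular alternative concrete, here is an added example (not from the original post, and not CloudHunter code): two constructed S3 bucket policy documents, the convenient open one with GetObject and ListBucket granted to "*", and a scoped one tied to a single IAM role and a known source IP range, plus a small checker that flags Allow statements granting list or download rights to an anonymous principal. The bucket name, account id, role name and IP range are placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: the convenient-but-exposed policy the post describes.
# Principal "*" grants GetObject and ListBucket to anyone, unauthenticated.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ConvenientButOpen",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample: the granular form, scoped to one IAM role (placeholder
# account id) and one known source IP range, i.e. the "who" and "from where"
# the post says to gather before opening a bucket.
GRANULAR_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "KnownRoleFromKnownRange",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportReaders"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
})

# Actions that let a caller enumerate or download bucket contents.
EXPOSING_ACTIONS = ("s3:GetObject", "s3:ListBucket")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when the Principal is "*" or {"AWS": "*"}, i.e. anyone at all."""
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return principal == "*"

def find_public_statements(policy_json):
    """Return Sids of Allow statements that let an anonymous principal list or
    download objects. Action wildcards (s3:*, s3:Get*, *) are matched too."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatchcase(t.lower(), p) for p in patterns for t in EXPOSING_ACTIONS):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

Run the checker over the policy document returned for each bucket (for example the output of `aws s3api get-bucket-policy`) and treat any finding as a bucket that is effectively open to the Internet.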
Sift Security is a big data analytics firm that enables enterprises to identify, prioritize, investigate and manage threats in the cloud infrastructure.