Skip to main content

Who's watching your data?

Open to the internet

Let's face it, cybersecurity can be a scary business, so what better time of year to highlight the fears of cyber crime than Halloween?

We've all heard the scary stories, read the chilling books, and watched the horror movies where someone is being watched - picture the scene with the creepy guy standing outside the house, looking back in through the window. Most of us close our curtains and lock our windows and doors at night before going to bed, hoping not to encounter the creepy guy. But If we go to great lengths to stop someone peeping into our private lives, or getting into our home, then why don't we do the same with our data; especially our data that's in the cloud. It's scary to think that a lot of data, especially on public clouds is left open to the internet. According to our security market research, nearly 80% of databases in amazon cloud are left unencrypted, of which 30% are open to the internet. The smart hackers who know about this scour these unprotected havens looking for data they can exfiltrate.

We previously covered a story about Booz Allen Hamilton, who recently had a data leak in AWS. Lack of good security controls left their S3 bucket data open to the internet, which resulted in the exfiltration of over 60,000 sensitive files.

Using the Booz Allen Hamilton incident as an example, let's discuss how you would go about implementing the right security controls and detection mechanisms to avoid such a mistake.

Convenience can sometimes lead to insecurity

At the heart of Booz Allen Hamilton's incident investigation is speculation that they traded convenience for security best practices.  Initially creating a S3 bucket is easy. As you can see in screen-shot below, public access is not the default mode and AWS does not recommend making the bucket public.

So why would this happen?  We believe there are 2 main cases for this:

  1. Setting up the bucket before you have all necessary information about who will be accessing it and how they will be expected to access it.  This includes what credentials they will have and what IP address(es) they may be using.  In this case, it may be easier to just make the bucket public and come back to it later.  But, especially for overloaded security folks in large organizations, later will never come.
  2. The business purpose of the bucket changes without the security team’s knowledge.  If you create the bucket believing that nothing sensitive will be stored here, then it needs to stay that way.  If the business use of the bucket changes, the permissions around the bucket should be revisited.

Since AWS does not recommend the use of Access Control Lists (ACLs), users should be creating S3 bucket policies to establish granular permissions around the bucket and its contents.  However, policies can be a little cryptic if you are not familiar with them.  In order to help with this, AWS provides the policy generator tool.  As shown below, this tool makes it easier to select the actions you would like to allow (or deny), specify the resource (a bucket in this case), and the principal.  The “Principal” is the actor to which you are applying the permission.

If you use “*” in the Principal field, this will apply the permission to any unauthenticated user.  So, if you selected the actions of “GetObject” and “ListBucket”, this would essentially allow anybody on the Internet to enumerate and download the contents of the specified S3 bucket.  This may be the most convenient option if you don’t have all relevant data to create a more granular policy.  However, this may not be acceptable exposure for the contents of that S3 bucket, so we recommend gathering the necessary pieces before opening the bucket like this.

Final thoughts

It's very easy to take shortcuts while setting up a S3 bucket in AWS. We saw how impactful this can be, as with the case of Booz Allen Hamilton.  To help prevent this type of incident happening in your environment, we recommend the following:

  • Enable file-level data collection in CloudTrail for your buckets, since it’s not enabled by default.
  • Use granular policies whenever possible.
  • Don't use * for Principal, unless it’s only going to house public data.

In addition, Sift Security's CloudHunter product can help make the job of protecting your S3 bucket data easier.  Some of the functionality we provide out of the box includes:

  • Alert you to ACL and policy changes.
  • Automatically detect when a bucket or object is being exposed to the Internet.
  • Allow you to lock permissions, so the permissions are automatically corrected before unauthorized access happens.

Popular posts from this blog

Sift Security Tools Release for AWS Monitoring - CloudHunter

We are excited to release CloudHunter, a web service similar to AWS CloudTrail that allows customers to visually explore and investigate their AWS cloud infrastructure.  At Sift, we felt this integration would be important for 2 main reasons:
Investigating events happening in AWS directly from Amazon is painful, unless you know exactly what event you're looking for.There are not many solutions that allow customers to follow chains of events spanning across the on-premises network and AWS on a single screen. At Netflix, we spent a lot of time creating custom tools to address security concerns in our AWS infrastructure because we needed to supplement the AWS logs, and created visualizations based on that data.  The amazing suite of open source tools from Netflix are the solutions they used to resolve their own pain points.  Hosting microservices in the cloud with continuous integration and continuous deployment can be extremely efficient and robust.  However, tracking events, espec…

Data Exfiltration from AWS S3 Buckets

You will have no doubt heard by now about the recent Booz Allen Hamilton breach that took place on Amazon Web Services – in short, a shocking collection of 60,000 government sensitive files were left on a public S3 bucket (file storage in Amazon Web Services) for all to see. We are all probably too overwhelmed to care, given all the recent breaches we have been hearing about in the news. But with this breach it was different, it involved a trusted and appointed contractor whose job it was to follow security policies, put in place to avoid such incidents. So was this incident accidental or malicious? More, later about the tools we can use to tell the difference between the two. First, lets recap what happened.The IncidentAccording to Gizmodo, the 28GB of data that was leaked not only contained sensitive information on recent government projects, but at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Clearance – meaning anyone who got their h…

Using the Security Event Graph to Drive Alert Prioritization

One of the biggest differentiators at Sift Security is our security event graph: We map security events into a graph database. We then analyze the graph structure to prioritize alerts. Specifically, we look for clusters of interrelated alerts, score the clusters, and surface the clusters to the analyst. The analyst can then investigate each cluster in order, quickly assessing the threat and resolving the alerts in bulk.  
Our algorithms do the important work of sifting through isolated alerts and separating the false alarms and low priority alerts from high priority security incidents. We identify the high priority incidents by analyzing how alerts are related to each other. Key to this approach is our security event graph. This graph is stored in a graph database, a relationship-centric database that enables rapid execution of complex queries that would be very expensive to make in a traditional RDBMS.  The graph structure enables us to rapidly traverse relationships and find interr…