Making the cloud a success
A Framework for Cloud Governance

This week we are offering a free eBook on developing a governance framework for cloud computing. (Link at the end.)

Cloud computing is central to digital transformation. It enables organizations to procure their IT on demand and as a service, scaling up and down as required. But cloud is complex and challenging, and services are often procured ad hoc with no oversight or synergy. This eBook presents an oversight framework for the IT cloud based on five basic governance principles and on Agile and Lean practices. It does not recommend a bimodal approach, but it does show how to use bimodal means to leverage existing processes and map cloud governance onto classical IT project governance that uses phase gates. The framework is based on best industry practices and is mature, with more than 60 checklists to ensure a practical and effective governance process. It will be challenging to adopt in organizations wedded to linear thinking and/or a classical waterfall environment for projects; in many cases such organizations will try to redefine new and better practices so they fit into existing process models and cultural behaviour.

8 Ways COVID-19 is Impacting Cloud Security

The Coronavirus is wreaking havoc on everything in our lives. It’s hard to find something that hasn’t been impacted in a major way as we attempt to limit the spread of the virus. Cloud security professionals should pay close attention to how our online needs are rapidly changing — these new adjustments are more than just necessary to make things work in the interim. The workarounds to keep our lives as normal as possible could permanently define the way we work, study, and do business from here on out.  

At Nightfall we put together a list of eight ways COVID-19 is making an impact on common things we use and interact with every day. A main takeaway should be that none of these are new problems, just that COVID-19 is shining a light on them. And in most cases, making these problems even worse.       

#1: Schools are struggling to adapt to remote instruction and facing vulnerabilities brought on by COVID


Distance learning is putting a strain on security as schools scramble to protect student data

The issue: School districts in the United States typically face big challenges with cybersecurity and protecting student data, often due to a lack of funding and/or allocated resources for an IT team to keep up with the district’s security needs. Accidental sources of data leaks like misconfigured systems or unsecured third- and fourth-party vendors leave school districts at high risk of security breaches.

Wired Magazine reported on how the pandemic is amplifying these risks with the massive rush to transition to distance learning in the spring. Suddenly, millions of teachers and students relied on video chat software, lesson portals, digital message boards, and other online tools. The goal is to retain education continuity for students, but security is often an afterthought in the haste to get virtual learning resources online.  

Impact on cloud security: Many of the most popular online education resources, like Zoom, can easily become an attack vector without proper authentication and controls set up. Remote tools like VPNs that connect students to teachers and resources are also high-risk. At the end of June, the Federal Bureau of Investigation issued a security alert about the threat of ransomware to schools amidst the Covid-19 crisis. “K-12 institutions have limited resources to dedicate to network defense, leaving them vulnerable to cyber attacks,” the FBI warned, according to a ZDNet report.

In the month of June alone, Wired reported more than 4.7 million malware incidents were detected in the education industry broadly worldwide, according to Microsoft’s Global Threat Activity tracker — more than 60% of all the corporate and institutional malware incidents reported during that time.   

As schools across the world gear up to get back to learning in the fall, it’s clear that cybersecurity should be a top priority to ensure data safety for students and business continuity for the educational institutions.

#2: Social engineering hacks are increasing by feeding on the fear of the virus and misinformation


Social engineering hacks are on the rise thanks to vulnerabilities caused by COVID-19

The issue: Social engineering hacks have always been a thorn in the side of IT departments. During times of crisis, users will rush to resources to stay informed and connected. COVID-19 has created the perfect environment for scams: the increased demand for accurate information on health and safety and government mandates has led to the explosion of misinformation about the outbreak, often coming from websites that spread malware or from other unsecured resources.  

Everyone is more dependent on the Internet now — and many of the most used platforms and apps operate in the cloud. Users face challenges almost every day, with increased DDoS attacks on public-sector websites, phishing attempts, and other threats cloaked as legitimate COVID-19 information. It’s getting harder to separate the noise from the truth. Global crises like COVID-19 easily dismantle cybersecurity standards because they put a tremendous strain on resources and increase stress and anxiety among the end users. When defenses are down, social engineering attacks go up.  

Impact on cloud security: InfoWorld reported that cyberattacks have spiked during the first half of 2020. The FBI noted that as of May 28, it had received nearly the same number of complaints for this calendar year as for all of 2019. Social distancing is highly encouraged to help stop the spread of the virus. As we remain apart, we seek out more ways to stay connected. Increasingly, this means we’re communicating in the cloud — and the cloud isn’t the safest place by default. Protecting personally identifiable information (PII) is essential. IT teams must find ways to balance access to cloud systems and apps with strong security measures.      

#3: SMBs are at increased risk of compromising their cloud systems with COVID-19


Small businesses are at increased risk of cybersecurity incidents with strained budgets, especially with COVID

The issue: Small and medium-sized businesses (SMBs) typically struggle with huge technical debt, especially when it comes to cybersecurity. Running a small business means every penny counts. In many budgets, tech and cybersecurity don’t have a line item. Security Magazine reported that in December 2019, 64% of small businesses said they were planning to devote more resources to cybersecurity in 2020. But in the wake of COVID-19 and the economic downturn, these planned improvements are likely to be deprioritized.   

Impact on cloud security: The report in Security Magazine polled 383 SMB owners and managers and found that 15% experienced a major security event in 2019:  

  • 7% were hacked
  • 5% dealt with a virus
  • 3% suffered a data breach 

SMBs moving their operations online means they bring their cybersecurity threats with them. All their attack vectors can quickly become vectors for other users if they connect to cloud apps. A strained budget that can’t support proper cloud security measures puts everyone in danger. It’s a difficult balance for SMBs who are seeking to keep their businesses afloat.      

#4: Tracking apps rushed to market pose high risk of getting hacked 


Contact tracing is still a new feature in the fight against COVID-19 — meaning security isn’t always put first

The issue: One solution to reintegrating employees back into offices and other workplaces is contact tracing apps. It’s one way to track who an infected person may have had contact with, and thus reduce the risk of spreading infection into the workplace. The problem with these apps is that they’re relatively new and have been rushed to market, leaving them open to hacks and other data leaks.   

The lack of security oversight was exposed in May, when the state of North Dakota conceded that its smartphone app, Care19, had been sending users’ location data to the digital marketing service Foursquare. Qatar’s national COVID-19 tracking app had a flaw with the most dire potential consequences: it would have allowed hackers to obtain sensitive information on more than one million users, including their names, national IDs, health status, and location data.  

Impact on cloud security: The big hurry to push the apps to market led to these and many other problems. After an app in the Netherlands exposed about 200 people’s names, email addresses and encrypted passwords, one of its co-developers said the breach was due to a rush to publicly release the app’s code.   

“The speed and scale transitioned at such a rate that they didn’t really consider security in the beginning,” said Kelvin Coleman, executive director of the National Cyber Security Alliance. “It was a topic for them, but not top of mind.”

#5: COVID-19 is straining healthcare budgets and IT resources


Healthcare IT departments are under more stress than ever

The issue: Coronavirus is surging across the U.S., with more cases confirmed and more hospitalizations reported every day. Healthcare resources everywhere are being pushed to the limit, from available hospital beds to a lack of personal protective equipment for medical professionals. As with the other industries and sectors on this list impacted by COVID-19, healthcare IT is also facing strained budgets and resources, leaving these IT departments at higher risk of a breach or cyberattack.  

Healthcare Finance News cited a Department of Health and Human Services report from June on the increase in cybersecurity breaches in hospitals and healthcare providers’ networks which may be due to COVID-19. Between the months of February and May of this year, there have been 132 reported breaches, according to the HHS. This is an almost 50% increase in reported breaches during the same time last year.  

Impact on cloud security: A lack of security oversight and rushed cloud adoption is the main contributor to the increased risk. Remote healthcare relies on apps and portals, which may not be up to required security standards. Data leaks and other vulnerabilities can spill massive amounts of protected health information (PHI) outside the organization. Temporary medical facilities are essential in the fight against COVID-19, but these were created with patient care and treatment in mind. Cybersecurity was not part of the plan in the coronavirus response. Any unsecured access point in the healthcare chain can have devastating security impact.  

“The healthcare industry has, in the past few years, been one of the most targeted industries for cybercriminals. So it’s only natural that at a time of crisis, we are seeing more and more attacks on the healthcare industry,” said Natali Tshuva, CEO and cofounder of Sternum, an IoT cybersecurity company that provides medical device manufacturers with built-in security solutions.

#6: Remote work puts more cybersecurity responsibility on end users


Many of us are working from home these days — what are the costs of data security?

The issue: Working from home has become the new norm for many, especially in the tech industry. This shift to remote work was borne out of necessity to slow the spread of COVID-19, but the reported increase in productivity among workers and potential reduced operating costs for organizations may extend these privileges well beyond the pandemic.  

Unfortunately, current work from home policies don’t always include tight security controls for end users. Security Magazine reports 56% of employees are using their personal computers as their companies go remote in response to COVID-19, and nearly 25% of employees working from home don’t know what security protocols are in place on their device.

Impact on cloud security: More organizations are turning to chat and collaboration apps like Slack and Microsoft Teams. According to the Security Magazine report, 20% of workers said their IT team had not provided any tips as they shifted to working from home, and workers acknowledged they were the least cautious in using these types of services.   

The onus to keep data and systems secure has shifted to the end user, but without proper security tools in place, the integrity of entire cloud systems is at risk. Remote workers need support from their IT departments to make security a priority every day.

#7: COVID increases security risks for the fintech industry 


Banking and finance cybersecurity firms are on higher alert due to the pandemic

The issue: Like the healthcare industry, fintech is suffering increased security risks from COVID-19. Reduced budgets and staffing due to the economic downturn have stretched the capacity of IT teams in this industry, and new research claims a 238% surge in cyberattacks against banks since the pandemic began.

According to the third edition of the Modern Bank Heists report from VMware Carbon Black, which includes input from 25 CIOs at major financial institutions, 80% of firms have experienced more cyberattacks over the past 12 months, an increase of 13% year-over-year.

Impact on cloud security: The Modern Bank Heists report shows that 27% of all cyberattacks target either banks or the healthcare sector. These industries share a lot of the same characteristics: similar sensitive data types to detect (PII is used in both), strict government and industry regulations (like HIPAA or GLBA), and massive stakes in a cybersecurity breach.

Leaked bank or health records can lead to massive exposure liability for an organization. As more systems are being backed up in the cloud, fintech companies must strengthen their data controls to prevent business-critical PII from improper access and exposure.       

#8: Incredibly high demand for online shopping strains e-commerce and shipping security


Online shopping is easing some of the pain of isolation, but demand for fast shipping and in-stock products is giving scammers more room to operate

The issue: Shipping for e-commerce orders is impacted by the increasingly high demand for online orders. It’s safer for our health to stay home and shop on our computers and mobile devices — but how does this shift impact cybersecurity?

For shipping providers and e-commerce businesses, the goal is to sell more items and ship more packages, all at a faster rate. Security takes a backseat to the goals that drive revenue for these companies. The pandemic has upended global delivery systems as countries close their borders and companies reduce their workforces. Estimates from Facteus say consumer spending on Amazon is up 35% compared with last year.  

Impact on cloud security: COVID has touched e-commerce cybersecurity as well. The increase in delivery demand has allowed phishing email scams to thrive. As customers turn to more websites to fill their need for groceries, medication, and other essentials, they put more of their data out into the world. A well-meaning employee could be using their cloud-connected work computer or device to place an online order, unaware of the possible data exfiltration danger lurking on untrusted sites. All it takes is one order on an unsecured site for sensitive data to be exposed.

Curtailing COVID cybersecurity challenges

Maintaining business and security continuity during a global pandemic is a tough task. Many of us are already taxed and tired from the everyday stress of dealing with uncertain times. Cybersecurity should be a priority for all teams, in all industries. By relying on automated DLP solutions like Nightfall, your organization can relieve some of the pressure of keeping data safe. More focus on security is just good business sense.

This post originally appeared on Nightfall and is reproduced here with permission.

About Nightfall

Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack and GitHub as well as IaaS platforms like AWS. You can schedule a demo with us below to see the Nightfall platform in action.

Cloud Administrative Challenges

#CloudServices bring new administrative challenges because of the flexibility and complexity in pricing models. Without good administrative practices #CloudCosts can escalate quickly in excess of budgeted operational expenses. Key industry practices are:

  • Continuous cost optimization
  • Trend usage patterns overall
  • Decompose usage down to a region, availability zone, project or service team
  • Make informed decisions about acquisition of reserved instances
  • Make informed decisions about the allocation or reallocation of cloud resources
Cost Containment Policy

A #CostContainment policy describes automation goals for cost control in the #Cloud.

  • Shutdown development workloads after hours
  • Rightsize instances
  • Require tags to assign costs
  • Use specific expiration dates
  • Eliminate inactive storage
  • Comply with software licences
  • Use instance sizes/types allowed by the organization
  • Use discounts (claim them)
  • Use lowest-cost cloud where feasible
  • Use lowest-cost regions
  • Understand data retrieval and export charges
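
The two lists above (cost decomposition by project or service team, and the cost-containment policy items) can be enforced with an automated audit. The following is an added example, not CloudGovCo's code: it checks a constructed inventory for missing cost-allocation tags, instance types outside the organization's approved list, resources past their expiration date, and development workloads still running after hours. The tag names, the approved type list and the business-hours window are assumptions for illustration.

```python
"""Cost-containment policy check over a constructed cloud inventory.

Added example (not CloudGovCo's code). Tag names, the approved instance
type list and the business-hours window are assumed policy values.
"""
from datetime import date, datetime, time

# Assumed organizational policy values (placeholders, not CloudGovCo's).
REQUIRED_TAGS = {"CostCenter", "Owner", "Project"}
ALLOWED_TYPES = {"t3.small", "t3.medium", "m5.large"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # dev workloads may run 07:00-19:00


def check_resource(res, now):
    """Return the list of policy violations for one resource dict."""
    violations = []
    tags = res.get("tags", {})

    # Require tags to assign costs.
    missing = REQUIRED_TAGS - set(tags)
    if missing:
        violations.append(f"missing tags: {sorted(missing)}")

    # Use instance sizes/types allowed by the organization.
    if res["type"] not in ALLOWED_TYPES:
        violations.append(f"disallowed instance type: {res['type']}")

    # Use specific expiration dates: flag resources without one or past it.
    expires = tags.get("ExpiresOn")
    if expires is None:
        violations.append("no ExpiresOn tag")
    elif date.fromisoformat(expires) < now.date():
        violations.append(f"expired on {expires}")

    # Shut down development workloads after hours.
    if tags.get("Environment") == "dev" and res["state"] == "running":
        start, end = BUSINESS_HOURS
        if not (start <= now.time() <= end):
            violations.append("dev workload running after hours")

    return violations


def audit(inventory, now):
    """Map resource id -> violations, omitting compliant resources."""
    report = {}
    for res in inventory:
        problems = check_resource(res, now)
        if problems:
            report[res["id"]] = problems
    return report


# Constructed sample inventory (made-up resource ids and tags).
SAMPLE_INVENTORY = [
    {"id": "i-dev01", "type": "m5.large", "state": "running",
     "tags": {"CostCenter": "CC100", "Owner": "alice", "Project": "portal",
              "Environment": "dev", "ExpiresOn": "2099-01-01"}},
    {"id": "i-prod01", "type": "m5.large", "state": "running",
     "tags": {"CostCenter": "CC100", "Owner": "bob", "Project": "portal",
              "Environment": "prod", "ExpiresOn": "2099-01-01"}},
    {"id": "i-orphan", "type": "x1e.32xlarge", "state": "running",
     "tags": {"Owner": "carol", "ExpiresOn": "2020-01-31"}},
]

# Two constructed evaluation times: inside and outside business hours.
IN_HOURS = datetime(2020, 10, 20, 10, 0)
AFTER_HOURS = datetime(2020, 10, 20, 22, 30)

if __name__ == "__main__":
    for rid, problems in audit(SAMPLE_INVENTORY, AFTER_HOURS).items():
        print(rid, problems)
```
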
Warm Site Use Case – Disaster Recovery

There is a use case for a warm site if your organization can withstand a short business interruption from several days to a week. This is the time it will take to make the site fully operational, establish connectivity and transport and ingest data backups.

The warm site should have sufficient distance from the main site to have separate earthquake zones, power grids, water supplies, telephone central offices, etc. A rule of thumb is 50 miles minimum separation.

Using the Cloud

The cloud could serve as a warm site if you can meet several requirements:

  • A means of transferring large volumes of backup data to the cloud
  • A plan for client desktops to gain access, log on and authenticate

This is the best case for disaster recovery in the cloud, and we will explore this hybrid-cloud pattern more in other modules.

[Re-scheduled from an earlier missed deadline.]

Mad Scientists & Herd Immunity

2020-10-16 Forgive my anger, but Covid is bad enough without a bunch of self-important epidemiologists and public health scientists issuing the Great Barrington Declaration calling for herd immunity.

They argue vulnerable people should be isolated for six months like medieval anchorites while everyone else is left to get sick and some to die. Eventually we will have herd immunity and Covid will burn itself out like the flu. This is the argument used by populists like Donald Trump and Rishi Sunak who say we must “learn to live” with the virus “and live without fear”.

Oh. Wait. There is no global immunity to the flu.

[Technical Note: the flu is an influenza virus and Covid-19 is a Coronavirus like SARS and MERS.]

Before I go on against this madness, Neil O’Brien, writing in the UK right-wing newspaper The Telegraph, has crunched the numbers and shown how utterly imbecilic this is.

The Declaration gives no hint of how we might push food through the letterbox for these Covid anchorites, or what happens if herd immunity is not achieved in six months or people get re-infected.

The American Institute for Economic Research (AIER), where the declaration was signed, is a libertarian think-tank committed to “pure freedom” and wanting to see the “role of government … sharply confined”.

Don’t get infected yourself by fake science like this. Push back when you encounter people who believe this stuff.

Is Agile-Waterfall A Good Thing

Hybrid project management methods merging waterfall and agile on larger projects are becoming common, as people struggle with resistance to wholesale change.

This is not very effective.

There are two main issues:

  1. The waterfall process will always be the longer pole, so projects will not take less time. Activities in a phase such as Development might be agile, but they are still working to a waterfall milestone and phase gate.

This does not improve time to launch. Time to launch is the most important KPI because it incorporates all cost factors. (We used to use time to market for the same reason.)

Research has shown that the cost of time is greater than the cost of effort, so project methods with concurrent activities are best because they minimize time.

  2. The second problem is that Agile methods don’t scale. Large projects cannot be chunked successfully across a large number of agile teams. Putting aside administrative issues, the core problem is the train wreck of managing the many code branches and merging back into the main trunk.

Note that CI/CD pipelines do not use branching. (They can, but they shouldn’t.)

Research is also finding that an over-reliance on Agile can impose a 20% non-productive burden. Critical Chain method (not critical path) can be better. Six Sigma Lean/Kanban is perhaps best.

[Figure: Lean Kanban with late start. Caption: Late start date reduces cost and time to launch.]

A counter-intuitive method is shown in the attached graphic from a presentation I did last year. This was developed by Toyota. Instead of using early start date as you would in critical path method, it uses the late start date, which is more like Critical Chain method. This pushes all activities up against the project deadline, with no slack time or buffers between activities. Everything is on the critical path.

This goes against everything project managers (PMs) are taught. PMs try to keep things off the critical path.

However, Toyota puts a buffer at the end of the project, thus guaranteeing finish on schedule. In the best cases this will give an early delivery for the project. Russian defence projects are successfully delivering on Finish Before Planned.

The big advantage is that the Lean Kanban method shown in the graphic defines requirements as late as possible, so they reflect the latest needs, and the project uses the most recent technology, so it is efficient. It also reduces change orders.

It is also massively parallel (concurrent) so it reduces time to launch, thus providing faster feedback and releasing people for other projects. Because it’s parallel it uses multi-discipline project teams, which are usually more innovative and goal driven.
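
The contrast between an early-start and a late-start schedule can be made concrete with the classical forward and backward passes over a small task network. The following is an added example, not CloudGovCo's code or the graphic from the presentation: on a constructed five-task network it shows that the early-start plan leaves idle time between some activities, while back-scheduling every task from (deadline minus buffer) leaves zero gap between every activity and its successor, with all contingency sitting in one buffer at the end. Task names and durations are made up.

```python
"""Early-start vs late-start scheduling on a constructed task network.

Added example, not CloudGovCo's code. Tasks and durations are made up.
"""

# Constructed network: task -> (duration in days, predecessors)
TASKS = {
    "requirements": (3, []),
    "design":       (4, ["requirements"]),
    "build":        (6, ["design"]),
    "test_env":     (2, ["requirements"]),   # runs concurrently with design/build
    "test":         (3, ["build", "test_env"]),
}


def topo_order(tasks):
    """Dependencies-first ordering (Kahn's algorithm)."""
    remaining = dict(tasks)
    order = []
    while remaining:
        ready = [t for t, (_, preds) in remaining.items()
                 if all(p in order for p in preds)]
        if not ready:
            raise ValueError("cycle in task network")
        order.extend(sorted(ready))
        for t in ready:
            del remaining[t]
    return order


def successors(tasks):
    return {t: [s for s, (_, preds) in tasks.items() if t in preds] for t in tasks}


def forward_pass(tasks):
    """Early start/finish: a task starts when its last predecessor finishes."""
    es, ef = {}, {}
    for t in topo_order(tasks):
        dur, preds = tasks[t]
        es[t] = max((ef[p] for p in preds), default=0)
        ef[t] = es[t] + dur
    return es, ef


def backward_pass(tasks, target_finish):
    """Late start/finish: a task finishes when its earliest successor must start."""
    succs = successors(tasks)
    ls, lf = {}, {}
    for t in reversed(topo_order(tasks)):
        dur, _ = tasks[t]
        lf[t] = min((ls[s] for s in succs[t]), default=target_finish)
        ls[t] = lf[t] - dur          # negative here means the target is infeasible
    return ls, lf


def gaps_between_activities(tasks, start):
    """Idle time between each task's finish and its earliest successor's start."""
    succs = successors(tasks)
    return {t: min(start[s] for s in succs[t]) - (start[t] + tasks[t][0])
            for t in tasks if succs[t]}


def late_start_schedule(tasks, deadline, end_buffer):
    """Back-schedule every task from (deadline - buffer); return starts and end buffer."""
    ls, lf = backward_pass(tasks, deadline - end_buffer)
    return ls, deadline - max(lf.values())


if __name__ == "__main__":
    es, _ = forward_pass(TASKS)
    ls, buffer = late_start_schedule(TASKS, deadline=20, end_buffer=4)
    print("early-start gaps:", gaps_between_activities(TASKS, es))
    print("late-start gaps: ", gaps_between_activities(TASKS, ls))
    print("buffer at project end:", buffer)
```
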

A lot of this has been known in continuous improvement process for decades, but it hasn’t trickled into project management. Concurrent development, for example, emerged in Japan in the 1990s. Waterfall, developed in the 1950s for the USA military, has really acculturated people to linear step-1 step-2 thinking.

At its worst, people think they can’t plan step 2 until they complete step 1. It also infects Agile developers who can’t estimate work until they have completed it.

Cloud-Native as the Future of Data Loss Prevention

Data loss prevention (DLP) is one of the most important tools that enterprises have to protect themselves from modern security threats like data exfiltration, data leakage, and other types of sensitive data and secrets exposure. Many organizations seem to understand this, with the DLP market expected to grow worldwide in the coming years. However, not all approaches to DLP are created equal. DLP solutions can vary in the scope of remediation options they provide as well as the security layers that they apply to. Traditionally, data loss prevention has been an on-premise or endpoint solution meant to enforce policies on devices connected over specific networks. As cloud adoption accelerates, though, the utility of these traditional approaches to DLP will substantially decrease.

Established data loss prevention solution providers have attempted to address these gaps with developments like endpoint DLP and cloud access security brokers (CASBs) which provide security teams with visibility of devices and programs running outside of their walls or sanctioned environments. While both solutions minimize security blind spots, at least relative to network layer and on-prem solutions, they can result in inconsistent enforcement. Endpoint DLPs, for example, do not provide visibility at the application layer, meaning that policy enforcement is limited to managing what programs and data are installed on a device. CASBs can be somewhat more sophisticated in determining what cloud applications are permissible on a device or network, but may still face similar shortfalls surrounding behavior and data within cloud applications.

Cloud adoption was expected to grow nearly 17% between 2019 and 2020; however, as more enterprises embrace cloud-first strategies for workforce management and business continuity during the COVID-19 pandemic, we’re likely to see even more aggressive cloud adoption. With more data in the cloud, the need for policy remediation and data visibility at the application layer will only increase and organizations will begin to seek cloud-native approaches to cloud security.

What is cloud-native data loss prevention?

The explosion of cloud technologies in the past decade has brought new architectural models for applications and computing systems. The concept of a cloud-native architecture, while not new, is a development that’s taken off in the last five years. But what exactly does cloud-native mean, and how can it apply to security products like data loss prevention (DLP)?

Cloud-native describes a growing class of platforms that are built in the cloud, for the cloud. True cloud-native data loss prevention is defined by the following features:

  • Agentless. Cloud-native DLP solutions aren’t deployed as software programs that require installation; rather, they integrate with the applications they secure through APIs. This makes deployment easy and updates to such platforms effortless, without getting end-users or IT involved.
  • API driven. Central to cloud-native data loss prevention is the API driven nature of such solutions. Connecting with cloud platforms via API means that visibility and security policies immediately apply at the application layer. API-driven solutions can derive platform-specific context & metadata, as well as provide granular, platform-specific actions, versus broad-brush blocking on the network.
  • Agnostic. True cloud-native solutions are platform, endpoint, and network agnostic in that they’re capable of integrating with cloud platforms quickly and can provide single pane of glass visibility across the cloud.
  • Automated. True cloud-native solutions don’t just provide visibility into the cloud, but help automate policies whenever possible. The sheer volume of data that moves through cloud systems combined with the always-on nature of cloud applications means that incidents can happen at any time and will require immediate remediation. Automation ensures that security teams can respond to these as quickly as possible.
  • Accurate. Finally, in order to help security teams process the massive amounts of data in the cloud, cloud-native DLP must be accurate. The accuracy of such platforms is often enabled by the same systems that make them automated — an effective use of machine learning that can quickly and accurately identify when business-critical data has been exposed.

What are the advantages of cloud-native DLP?

When you consider the capabilities listed above, cloud-native DLP is designed to help organizations get a handle on protecting the massive volumes of data moving in and out of data silos daily. With organizations understanding that the security of their data in the cloud is their responsibility, security teams are increasingly investing in tools designed to help them address visibility and policy blindspots. While it might be the case that cloud-native data loss prevention platforms aren’t the only security tools companies choose to invest in, it’s clear that they’ll be one of the most essential parts of their security toolkit.

This post originally appeared on Nightfall and is reproduced here with permission.

About Nightfall

Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack and GitHub as well as IaaS platforms like AWS. You can schedule a demo with us below to see the Nightfall platform in action.

Kill That PowerPoint

Instead of a multi-slide presentation on your next #cloud project, use a briefing note with six simple paragraphs:

  1. The Challenge. This defines “where we are now” and is always either a problem or an opportunity. Don’t be afraid to state problems; it’s not ideal to hide everything under the MBA-speak “opportunity”, so differentiate between problems and true opportunities.
  2. The Undesired Outcome. This defines “where we don’t want to be”: what will happen if the problem or opportunity is not addressed. You can also think of this as the opportunity cost if we spend the money on something else.
  3. The Desired Outcome. This defines “where we do want to be,” which should obviously be better than the undesired outcome or the status quo.
  4. The Proposed Solution. This defines what must be done to avoid the undesired outcome and achieve the desired one.
  5. The Risk Remover. This explains in simple terms why the proposed solution is likely to succeed and unlikely to fail. (This is not a risk impact analysis.)
  6. The Call to Action. This tells the reader the specific decision you want made that will put the solution into motion to achieve the desired outcome.
5 Common Accidental Sources of Data Leaks

In cybersecurity and infosec, it’s common to assume that criminals are behind all data breaches and major security events. Bad actors are easy to blame for information leaks or account takeovers, because they’re the ones taking advantage of vulnerabilities in systems to worm their way in and cause massive damage. But how do they gain access in the first place? Most of the time, well-meaning everyday people are the real source of data insecurity.  

A study of data from 2016 and 2017 indicated that 92% of security data incidents and 84% of confirmed data breaches were unintentional or inadvertent. Accidental data loss continues to plague IT teams, especially as more organizations are rapidly moving to the cloud. While it’s important to prioritize action against outside threats, make sure to include a strategy to minimize the damage from accidental breaches as well.   

This list of five common sources of accidental data leaks will help you identify the problems that could be lurking in your systems, apps, and platforms. Use these examples to prepare tighter security controls and keep internal problems from becoming major issues across your entire organization.      

#1: Exposing secrets in code repositories like GitHub

In January 2020, a security researcher found Canadian telecom company Rogers Communications had exposed passwords, private keys, and source code in two public accounts on GitHub. As the investigation into the Rogers breach went on, the researcher found five more public folders on GitHub containing Rogers customer data, including personally identifiable information (PII) like phone numbers.  

This kind of thing happens all the time, like in the case of German automaker Daimler leaking Mercedes-Benz’s source code for smart car components through an unsecured GitLab server in May and Scotiabank exposing source code and private login keys to backend systems in GitHub in September 2019.  

Businesses looking for a secrets detection solution for GitHub should consider Nightfall Radar for GitHub. It’s a fast and easy way to prevent data loss in the platform and avoid problems like exposing sensitive data in code repos, with automated scanning and customizable alerts and reporting to help you take control of your company’s data.      

#2: Leaking data from misconfigured buckets in AWS S3

Like GitHub, AWS S3 can be a source of accidental exposure: one improperly configured bucket is enough to expose huge amounts of data. S3 differs from GitHub in one important way. When you create a GitHub repository you choose its visibility up front, and “public” has been the default choice. S3 buckets, by contrast, are private by default, and since November 2018 the Block Public Access settings at account and bucket level can refuse public ACLs and policies outright. A bucket therefore only becomes public when someone changes an ACL or attaches a bucket policy that grants access to everyone, which is why user error is behind most major S3 data leaks.  

Outpost24 cloud security director Sergio Loureiro told Computer Weekly in a January 2020 interview about the rising danger of data leakage through public AWS S3 buckets. He attributed the prevalence of opportunistic attacks on publicly accessible buckets to the industry still being in the early days of cloud infrastructure security.   

“You’d be amazed to see the data you can find there just by scanning low-hanging data in cloud infrastructures,” Loureiro said. “And it only takes a couple of API calls to do it. With a lot of data being migrated to the cloud for use cases like data mining, and lack of knowledge of security best practices on [Microsoft] Azure and AWS, it is very simple to get something wrong.”

Earlier in 2020, UK-based print production company Doxzoo suffered a major cloud security breach when a misconfigured AWS S3 bucket exposed over 270,000 records and 34 gigabytes of data. The data included print jobs for several high-profile clients such as U.S. and UK military branches and Fortune 500 companies, leaving PII like passport scans and payment card data open for anyone to view or steal.  

The bucket was found by researchers during a routine scanning project, and the exposure was not reported to Doxzoo until four days later. In the meantime, massive amounts of business-critical data were readable by anyone who knew or guessed the bucket name, and public buckets are enumerated constantly by automated scanners.   
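Deciding whether a bucket is public means reading three things together: the bucket policy, the ACL, and the Block Public Access settings. The checker below is an added example written for this post, not part of Nightfall or of AWS tooling. It works offline on the JSON documents that `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` return (or that boto3 returns for the same calls); the two sample buckets, their account ID and their documents are constructed.

```python
import json

# Group URIs S3 uses in ACLs for "everyone" and "any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def wildcard_statements(policy: dict) -> list:
    """Allow statements whose Principal is everyone."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow" and is_wildcard_principal(s.get("Principal"))]


def public_acl_grants(acl: dict) -> list:
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g.get("Grantee", {}).get("URI") in PUBLIC_GROUP_URIS]


def assess_bucket(name, policy=None, acl=None, public_access_block=None) -> list:
    """Return human-readable findings; an empty list means nothing public was found."""
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    findings = []
    for flag in PAB_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"{name}: PublicAccessBlock.{flag} is off")
    for g in public_acl_grants(acl or {}):
        who = g["Grantee"]["URI"].rsplit("/", 1)[-1]
        perm = g.get("Permission")
        if pab.get("IgnorePublicAcls"):
            findings.append(f"{name}: ACL grants {perm} to {who} (neutralised by IgnorePublicAcls, still remove it)")
        else:
            findings.append(f"{name}: PUBLIC via ACL: {perm} to {who}")
    for s in wildcard_statements(policy or {}):
        actions = s.get("Action")
        actions = ", ".join(actions) if isinstance(actions, list) else str(actions)
        if s.get("Condition"):
            # A Condition does not make a statement private: referer or IP
            # conditions are trivially satisfied. Review rather than pass.
            findings.append(f"{name}: REVIEW policy: {actions} for everyone, limited only by a Condition")
        elif pab.get("RestrictPublicBuckets"):
            findings.append(f"{name}: policy allows {actions} for everyone (blocked by RestrictPublicBuckets, still fix it)")
        else:
            findings.append(f"{name}: PUBLIC via policy: {actions} for everyone")
    return findings


# Constructed inputs in the shapes the s3api calls return; names and the
# account ID are made up.
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::print-jobs-archive/*"}]
}""")
LEAKY_ACL = {"Owner": {"ID": "owner-id"},
             "Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "READ"}]}
LEAKY_PAB = {"PublicAccessBlockConfiguration": {f: False for f in PAB_FLAGS}}

PRIVATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/print-worker"},
                 "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::print-jobs-archive/*"}]
}""")
PRIVATE_ACL = {"Owner": {"ID": "owner-id"},
               "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}}

if __name__ == "__main__":
    for line in assess_bucket("print-jobs-archive", LEAKY_POLICY, LEAKY_ACL, LEAKY_PAB):
        print(line)
```

A public policy under a fully enabled Block Public Access is still reported, because the setting is a safety net rather than a fix: someone can switch it off later, and the policy or ACL underneath is the actual mistake. A wildcard statement with a Condition is flagged for review rather than passed, since conditions on the referer or an IP range do not make a bucket private.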

User error among developers and infosec professionals can lead to some of the most egregious security events. The cloud isn’t the only source to blame, however. Sometimes negligence can be an IT team’s worst enemy.    

#3: Compromising millions of records through expired security certificates 

The 2017 Equifax breach is one of the worst data leaks in history: over 143 million records were exposed, containing PII like names, addresses, dates of birth, Social Security numbers, and driver’s license numbers. The attackers got in by exploiting a vulnerability in Apache Struts, a widely used open source web application framework, on a public-facing Equifax web application. A patch had been available since March 2017 but had not been applied, and the attackers kept access to Equifax’s systems for over two months.   

The expired certificate did not create the entry point; it created the blind spot. A certificate on one of Equifax’s traffic-inspection devices had expired, so encrypted traffic to and from the compromised application was no longer being decrypted and inspected. With nobody watching, the attackers could keep coming back to the data-rich Equifax servers, running more than 9,000 queries against its databases and downloading data on 265 separate occasions.

This breach shares something with the GitHub and S3 leaks above: the problem was visible long before it was exploited, and the response was slow and did little to calm customers’ fears about their exposed data. The inspection certificate had been expired for about 19 months, and the attackers had been active for more than two months, before Equifax finally renewed it. Only once inspection resumed did the company notice the suspicious web traffic.   

Equifax’s former chief information officer David Webb admitted in a U.S. congressional investigation report, “Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.”  
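Certificate expiry is trivial to check and easy to miss, and the certificate that matters is often not on the public web server. The script below is an added example for this post, not code from Equifax or from the congressional report; it uses only Python’s standard library, and the inventory labels and dates in it are constructed for illustration, not Equifax’s actual values.

```python
import socket
import ssl
import time

ALERT_DAYS = 30


def not_after_epoch(not_after: str) -> float:
    """Parse the notAfter string ssl.getpeercert() returns, e.g. 'Jul 29 00:00:00 2017 GMT'."""
    return ssl.cert_time_to_seconds(not_after)


def classify(not_after: str, now: float = None, alert_days: int = ALERT_DAYS):
    """Return (state, days_remaining) where state is EXPIRED, EXPIRING or OK."""
    now = time.time() if now is None else now
    days = (not_after_epoch(not_after) - now) / 86400
    if days < 0:
        return "EXPIRED", days
    if days <= alert_days:
        return "EXPIRING", days
    return "OK", days


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Read the leaf certificate's notAfter from a live endpoint.

    Uses the default verifying context, so an already expired or untrusted
    certificate raises ssl.SSLCertVerificationError here, which is itself the
    alert. Network call; not exercised by the offline sample below.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_inventory(inventory: dict, now: float = None) -> dict:
    """Map each inventory label to (state, days_remaining rounded to 0.1)."""
    report = {}
    for label, not_after in inventory.items():
        state, days = classify(not_after, now)
        report[label] = (state, round(days, 1))
    return report


def expired_or_expiring(report: dict) -> list:
    """Labels that need action, sorted for a stable alert."""
    return sorted(label for label, (state, _) in report.items() if state != "OK")


# Constructed inventory and reference date: illustrative values only. The
# point is that the internal inspection appliance is in the list at all; a
# valid certificate on the public web server says nothing about it.
SAMPLE_INVENTORY = {
    "www (public web server)": "Sep 01 00:00:00 2017 GMT",
    "vpn gateway": "Jun 01 00:00:00 2017 GMT",
    "ssl-inspection appliance (internal)": "Jan 31 00:00:00 2016 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("May 13 00:00:00 2017 GMT")

if __name__ == "__main__":
    report = check_inventory(SAMPLE_INVENTORY, SAMPLE_NOW)
    for label in expired_or_expiring(report):
        print(label, *report[label])
```

Keep the inventory complete (internal appliances, monitoring devices and VPN gateways, not just externally reachable hosts), feed it from the live check where the host is reachable, and alert well before expiry rather than on the day.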

A strong security posture starts with securing your own systems wherever you find a vulnerable point. The next step is to critically examine the entities you do business with: third and fourth party exposure can be just as devastating in a data breach.    

#4: Leaving the door open with unsecured third and fourth party vendors 

An organization that is doing everything right by controlling data exfiltration in the cloud with DLP, securing AWS S3 buckets, and maintaining current certificates on their website can still be at risk of data exposure through unsecured third and fourth party vendors.  

Damage control is hard enough when it’s just one source to deal with. But when you have to investigate and remediate a data breach that results from vendors and other business partners, there’s a lot more work to do.

Companies can accidentally leak as much as 92% of their data via URLs, cookies, or improperly configured storage. That exposure is a major security problem on its own. When third and fourth party vendors and services are embedded in those pages, whatever leaks on a compromised page is also exposed to every one of those embedded services.   

Third and fourth party vendors provide essential services for the parent company, like expedited checkout portals from payment processors. Third party vendors in turn rely on fourth parties (their own vendors) just as the parent company relies on outside help to maximize operations; on average, 40% of the services on a website are powered by fourth parties.   

This is what happened in one of Target’s worst breaches. In December 2013, attackers stole over 70 million Target customer records. They got in using credentials stolen from a Target HVAC contractor. It sounds like a long and winding road from a contractor with limited remote access to the retailer’s payment systems, but all it takes to pull off a heist like this is one small exposure.   
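The first step in managing third and fourth party exposure is knowing which origins a page actually loads code from or sends data to. The inventory below is an added example written for this post, not Nightfall’s code; it parses static markup with Python’s standard library, classifies every embedded host against an allowlist, and derives a Content-Security-Policy that admits only the approved ones. The checkout page, hosts and allowlist are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that load code or content from, or send data to,
# another origin, and the CSP directive that governs each.
RESOURCE_TAGS = {
    "script": ("src", "script-src"),
    "iframe": ("src", "frame-src"),
    "img": ("src", "img-src"),
    "form": ("action", "form-action"),
    "link": ("href", "style-src"),   # counted only when rel="stylesheet"
}


class ResourceCollector(HTMLParser):
    """Collect (directive, url) pairs from static markup."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        spec = RESOURCE_TAGS.get(tag)
        if spec is None:
            return
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() != "stylesheet":
            return
        url = a.get(spec[0])
        if url:
            self.found.append((spec[1], url))


def host_of(url: str, page_host: str) -> str:
    """Origin host of a URL; relative URLs belong to the page itself."""
    parts = urlsplit(url)
    if parts.netloc:
        return parts.netloc.lower()
    if parts.scheme in ("data", "blob", "javascript"):
        return parts.scheme + ":"
    return page_host


def inventory(html: str, page_host: str, approved: set):
    """Classify every embedded origin and group hosts by CSP directive."""
    collector = ResourceCollector()
    collector.feed(html)
    report = {"first_party": set(), "approved": set(), "unapproved": set()}
    by_directive = {}
    for directive, url in collector.found:
        host = host_of(url, page_host)
        by_directive.setdefault(directive, set()).add(host)
        if host == page_host:
            report["first_party"].add(host)
        elif host in approved:
            report["approved"].add(host)
        else:
            report["unapproved"].add(host)
    return report, by_directive


def csp_for(page_host: str, by_directive: dict, approved: set) -> str:
    """Build a Content-Security-Policy that admits only approved third parties."""
    parts = ["default-src 'self'"]
    for directive in sorted(by_directive):
        hosts = sorted(h for h in by_directive[directive] if h != page_host and h in approved)
        parts.append(" ".join([directive, "'self'"] + hosts))
    return "; ".join(parts)


# Constructed checkout page; every host is invented.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://js.payments.example/v3/checkout.js"></script>
<script src="https://tags.analytics.example/gtm.js?id=GTM-TEST"></script>
</head><body>
<form action="/checkout/submit" method="post"><input name="card"></form>
<iframe src="https://chat.support-widget.example/embed"></iframe>
<img src="//pixel.adnet.example/t.gif">
</body></html>"""
PAGE_HOST = "shop.example"
APPROVED = {"js.payments.example", "chat.support-widget.example"}

if __name__ == "__main__":
    report, by_directive = inventory(SAMPLE_PAGE, PAGE_HOST, APPROVED)
    print("unapproved:", sorted(report["unapproved"]))
    print(csp_for(PAGE_HOST, by_directive, APPROVED))
```

Static markup only shows the third parties. The fourth parties are whatever those vendors load at runtime, so deploy the generated policy as `Content-Security-Policy-Report-Only` first and read the violation reports to see what the approved vendors pull in before enforcing it.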

With code repos, storage buckets, certificates, and vendors covered, you may think your security job is done. Email security for your employees still needs attention, and it is a comparatively easy fix for a problem that can do severe damage.    

#5: Giving up on security standards with lax email policies

Email scams are the oldest trick in the cybercrime book. While some people still fall for advance-fee scams from supposed Nigerian princes, many more well-meaning people fail at email security every day simply through inadequate practices.  

Poor password hygiene for email accounts (using “password” for your login credentials), not using multi-factor authentication when signing into accounts, or a lack of employee training and clear policies are contributing factors to the rapid rise in business email compromise (BEC).  

According to the FBI, BEC losses reported between mid-2016 and mid-2019 total over $26 billion, and more scammers are now using COVID-19 lures to get into inboxes and systems. Regulation such as the California Consumer Privacy Act (CCPA) raises the cost of a breach through heavy penalties for noncompliance, but it does nothing to stop the attack itself, so BEC remains a major threat to any organization. Email users should take the extra security steps to ensure their accounts are safe.  
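Most BEC messages show several cheap-to-check traits at once: a Reply-To pointing somewhere other than the From address, a known executive’s display name on an outside address, a lookalike domain one character off from the real one, an internal From address that failed DMARC, and payment or urgency language. The checker below is an added example for this post, not Nightfall’s code or any mail provider’s filter; it uses Python’s standard email library, and the three messages, names and domains in it are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"acme-corp.example"}   # constructed internal domain
PAYMENT_WORDS = ("wire", "invoice", "payment", "bank account", "urgent")


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a lookalike domain is typically within 1 edit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def dmarc_result(msg) -> str:
    """DMARC verdict recorded by the receiving MTA, or 'none' if absent."""
    m = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def bec_indicators(raw: str, internal_domains=INTERNAL_DOMAINS, directory=frozenset()) -> list:
    """Return the BEC indicators present in one RFC 5322 message.

    directory: lower-cased display names of employees worth impersonating.
    """
    msg = message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    found = []
    if reply_addr and domain_of(reply_addr) != from_dom:
        found.append("reply_to_domain_mismatch")
    if from_name.strip().lower() in directory and from_dom not in internal_domains:
        found.append("display_name_impersonation")
    if from_dom in internal_domains and dmarc_result(msg) != "pass":
        found.append("internal_domain_dmarc_fail")
    if any(from_dom != d and edit_distance(from_dom, d) <= 1 for d in internal_domains):
        found.append("lookalike_domain")
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if any(w in text for w in PAYMENT_WORDS):
        found.append("payment_language")
    return found


# Constructed messages; every address, domain and name is invented.
LOOKALIKE_MAIL = """\
From: "Dana Reyes" <dana.reyes@acme-c0rp.example>
Reply-To: dana.reyes.ceo@freemail.example
To: ap@acme-corp.example
Subject: Quick favour
Authentication-Results: mx.acme-corp.example; spf=pass smtp.mailfrom=acme-c0rp.example; dkim=pass; dmarc=pass header.from=acme-c0rp.example
Content-Type: text/plain; charset="utf-8"

I'm stuck in meetings. Please pay the attached invoice by wire before 5pm and reply here only.
"""
LEGIT_MAIL = """\
From: "Dana Reyes" <dana.reyes@acme-corp.example>
To: ap@acme-corp.example
Subject: Team lunch
Authentication-Results: mx.acme-corp.example; spf=pass; dkim=pass; dmarc=pass header.from=acme-corp.example
Content-Type: text/plain; charset="utf-8"

Lunch is on Friday at noon. See you there.
"""
SPOOFED_MAIL = """\
From: "Dana Reyes" <dana.reyes@acme-corp.example>
To: ap@acme-corp.example
Subject: Vendor details
Authentication-Results: mx.acme-corp.example; spf=fail smtp.mailfrom=acme-corp.example; dmarc=fail header.from=acme-corp.example
Content-Type: text/plain; charset="utf-8"

Please update the bank account on file for our vendor and send payment today.
"""
DIRECTORY = frozenset({"dana reyes"})

if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE_MAIL), ("legit", LEGIT_MAIL), ("spoofed", SPOOFED_MAIL)):
        print(label, bec_indicators(raw, directory=DIRECTORY))
```

Note that the lookalike message passes SPF, DKIM and DMARC: attackers register their own domain and authenticate it properly, so authentication results alone never catch this class, which is why the display-name and lookalike checks and the out-of-band confirmation of any payment change matter as much as the technical controls.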

It’s hard to fight back against thieves, cybercriminals, and scammers — especially when your own people can do most of the damage right there inside the organization. Work with your teams to determine where security vulnerabilities exist within your networks, platforms, and systems, and train everyone on best practices for securing their own logins and access points. It could also help to back up all your hard work with a DLP solution like Nightfall that catches data you may have missed even before it can leave your network. 

This post originally appeared on Nightfall and is reproduced here with permission.

About Nightfall

Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack and GitHub as well as IaaS platforms like AWS. You can schedule a demo with us below to see the Nightfall platform in action.