Last week, we learned that millions of Ecuadorians’ personal details had been exposed by a misconfigured ElasticSearch database. This is not unusual. Earlier this month, researchers discovered a French retail consultancy that had inadvertently exposed millions of its customers’ records as a result of a misconfigured ElasticSearch database. In fact, this type of exposure is no longer an aberration, but the norm. What’s going on, and what can we do about it?
The way that organizations produce software has evolved significantly in the last 5 years. The benefits enabled by these new approaches bring with them new risks (something we’ve been tracking). We’ve seen an increase in risk due to changes in Development Operations (DevOps) for some time now and, unfortunately, the full picture points to a far broader challenge.
DevOps in 2019
First of all – here’s the good news. There’s now far greater collaboration between software developers and IT professionals, which is enabling new types of business. More effective practices mean increased business benefits. The focuses of DevOps programs I’ve seen in 2019 include:
- Continuous delivery and integration. Frequent releases, release automation, tested on deployment.
- Infrastructure-as-code. Infrastructures that can deploy and provision from scripts and code.
- Site reliability engineering (SRE). Creating alternatives to change control for managing availability and resilience risks.
- Advanced monitoring and instrumentation. Measuring leading indicators to effectively forecast and mitigate systems issues.
- Cloud first. Multi-tenant, software as a service tooling.
All these invariably mean a faster time to market and applications that are more relevant and closer to customer requirements. Indeed, it makes for far happier customers; there’s increased uptime, better support, and less lead time between fixes.
But yes, you guessed it, this also means increased risk.
Lack of DevSecOps Leads to Breaches of Customer Information
I began by outlining a couple of recent examples of ElasticSearch database misconfigurations. This is pretty common – there have been hundreds of millions of records exposed from 12 reported misconfigurations since November 2018. Add to this another 14 misconfigured MongoDB databases since August 2018, and you begin to get an idea of the extent to which these types of exposures occur. I’ve outlined some notable instances of misconfigured databases below (this is by no means an exhaustive list, but it does give an idea of the magnitude of the problem).
The majority of these database misconfigurations were found by security researchers, some of whom gave the companies the opportunity to rectify the issues – albeit without a clear understanding of whether the data had previously been compromised by those with less ethical intentions. However, we’ve also seen threat actors making use of this. Take, for example, the spate of MongoDB extortions in 2017, which swapped out organizations’ data for ransom demands.
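The post does not say which settings were wrong in the cases it cites, but the two recurring patterns behind “misconfigured database” headlines are a listener bound to a non-loopback interface and authentication left off. The checker below is an added example (not Digital Shadows tooling and not part of the original post) that lints an `elasticsearch.yml` and a `mongod.conf` for exactly that combination. The config keys (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`, `net.bindIp`, `net.bindIpAll`, `security.authorization`) are the real ones; the YAML flattener is deliberately minimal and assumes plain scalar values, and the sample configs are constructed. The checker is conservative by design: it treats security as disabled unless it is explicitly enabled, so a config that relies on a version-specific default is flagged for review.

```python
"""Lint Elasticsearch and MongoDB configs for the 'open to the network, no auth' pattern.

Added example for this post; assumptions are noted inline.
"""
from typing import Dict, List

# Values that keep a listener on the local machine only.
LOOPBACK = {"127.0.0.1", "localhost", "::1", "_local_"}


def flatten_yaml(text: str) -> Dict[str, str]:
    """Flatten simple indented key/value YAML into dotted keys.

    Assumption: the config uses plain scalars only (no lists, anchors or
    multi-line values), which is true of typical elasticsearch.yml and mongod.conf.
    """
    result: Dict[str, str] = {}
    stack: List[tuple] = []  # (indent, key) for open parent sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")  # split on the first colon only
        while stack and stack[-1][0] >= indent:       # close sections at same/deeper indent
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip("'\"")
        if value:
            result[path] = value
        else:
            stack.append((indent, key.strip()))      # a section header, not a value
    return result


def audit_elasticsearch(cfg_text: str) -> List[str]:
    """Return findings for an elasticsearch.yml; empty list means nothing flagged."""
    cfg = flatten_yaml(cfg_text)
    findings = []
    host = cfg.get("network.host", "127.0.0.1")  # assumption: unset means loopback-only
    exposed = host not in LOOPBACK
    security_on = cfg.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = cfg.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    if exposed and not security_on:
        findings.append(f"network.host={host} with xpack.security.enabled not true: "
                        "REST API reachable without authentication")
    if exposed and not tls_on:
        findings.append(f"network.host={host} without HTTP TLS: credentials and data travel in clear")
    return findings


def audit_mongod(cfg_text: str) -> List[str]:
    """Return findings for a mongod.conf; empty list means nothing flagged."""
    cfg = flatten_yaml(cfg_text)
    findings = []
    bind_ips = [ip.strip() for ip in cfg.get("net.bindIp", "127.0.0.1").split(",")]
    bind_all = cfg.get("net.bindIpAll", "false").lower() == "true"
    exposed = bind_all or any(ip not in LOOPBACK for ip in bind_ips)
    auth_on = cfg.get("security.authorization", "disabled").lower() == "enabled"
    if exposed and not auth_on:
        findings.append(f"net.bindIp={','.join(bind_ips)} (bindIpAll={bind_all}) without "
                        "security.authorization: enabled")
    return findings


# Constructed sample configs: the 'open' shape beside the corrected one.
ES_OPEN = """
cluster.name: analytics
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

ES_FIXED = """
cluster.name: analytics
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

MONGO_OPEN = """
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

MONGO_FIXED = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # app subnet only, constructed address
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, fn, cfg in [("elasticsearch (open)", audit_elasticsearch, ES_OPEN),
                          ("elasticsearch (fixed)", audit_elasticsearch, ES_FIXED),
                          ("mongod (open)", audit_mongod, MONGO_OPEN),
                          ("mongod (fixed)", audit_mongod, MONGO_FIXED)]:
        print(name, fn(cfg) or ["ok"])
```

Run it against real config files pulled from your configuration management repository; because the checks read the file rather than probing the service, they fit naturally into the same pipeline that deploys the infrastructure-as-code mentioned above.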
Beyond the Database: Exposure across Code-Sharing and Technical Sites
Indications are that this is more than the occasional slip-up by a systems engineer; it is something far more widespread. Organizations simply lack the visibility to know whether their engineers or contractors are exposing sensitive technical and customer information. In 2018, GitHub began offering expanded token scanning services to help with this problem. However, this isn’t just about GitHub; it also extends to forums where developers seek and share technical advice, such as Stack Overflow. What might appear to be an innocuous post seeking advice, or an inadvertent public commit or post, actually provides attackers with a goldmine of information.
10 Types of Exposure to Monitor For
With Digital Shadows Search Light (now ReliaQuest GreyMatter Digital Risk Protection)™, organizations register their identifiers (API keys, code snippets, brand names, domains, etc.). Search Light (now ReliaQuest GreyMatter Digital Risk Protection) then continually searches code-sharing and technical sites for places where these identifiers are exposed and constitute a risk. This enables a security team to work with the engineering team to remediate the exposure and prevent attackers from making use of the information.
To give you an idea of what we often find, here are the top ten types of exposure that we alert organizations to:
- API Keys
- Database keys
- Passwords and hard-coded credentials
- Internal infrastructure service names, server names, IP addresses
- Accidental syncing, cross-repository infections
- ‘Side projects’ that re-use code owned by the customer
- Test data that is actually real data
- Leaked associated documentation, training manuals, paid-for guides and support materials
- Exposed certificate information
- Loss of intellectual property, patented or proprietary code or software
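Several of the exposure types above (API keys, database keys, hard-coded credentials, internal infrastructure names and addresses, certificate material) have a recognisable shape and can be caught before a commit or post goes public. The scanner below is an added example, not Search Light or any other product code: it runs a small set of pattern rules over text, or over only the added lines of a diff, and reports the exposure type and line with the secret masked so the finding itself does not re-leak the value. The rules and the sample file are constructed for this example (the `AKIA…EXAMPLE` value is the documented placeholder key, not a live credential); a production scanner would carry more rules and an entropy check for opaque tokens.

```python
"""Pre-commit style scanner for the exposure types listed in the post.

Added example; rules and sample input are constructed, not taken from any product.
"""
import re
from typing import List, Tuple

# (exposure type, pattern). Order matters: the first matching rule labels the line.
RULES = [
    ("API key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),                      # AWS access key id shape
    ("API key", re.compile(r"(?i)\b(api[_-]?key|token)\s*[=:]\s*['\"][A-Za-z0-9_\-]{16,}['\"]")),
    ("Hard-coded credential", re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{4,}['\"]")),
    ("Database key", re.compile(r"(?i)\b(mongodb|postgres(ql)?|mysql|redis)://[^:\s]+:[^@\s]+@")),  # URI with embedded password
    ("Certificate information", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("Internal infrastructure", re.compile(
        r"\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")),
    ("Internal infrastructure", re.compile(r"\b[a-z0-9-]+\.(?:internal|corp|local|lan)\b", re.I)),
]

QUOTED = re.compile(r"(['\"])[^'\"]{4,}\1")


def redact(line: str) -> str:
    """Mask quoted values so a finding can be shared without repeating the secret."""
    return QUOTED.sub(r"\1****\1", line)


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, exposure type, redacted line) for each line that matches a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in RULES:
            if rx.search(line):
                findings.append((lineno, kind, redact(line)))
                break  # one label per line is enough for triage
    return findings


def scan_diff(diff_text: str) -> List[Tuple[int, str, str]]:
    """Scan only lines a unified diff adds; line numbers are positions within the added lines."""
    added = "\n".join(l[1:] for l in diff_text.splitlines()
                      if l.startswith("+") and not l.startswith("+++"))
    return scan_text(added)


# Constructed sample: a settings file of the kind that ends up in a public repository.
SAMPLE = """\
# config/settings.py  (constructed sample, not real secrets)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_URL = "postgres://app:s3cretpass@10.20.30.40:5432/prod"
SMTP_PASSWORD = "hunter2hunter2"
LOG_LEVEL = "info"
REPORTING_HOST = "reports.corp.internal"
"""

if __name__ == "__main__":
    for lineno, kind, line in scan_text(SAMPLE):
        print(f"line {lineno}: {kind}: {line}")
```

Wired into a pre-commit hook or a CI step, `scan_diff` blocks the inadvertent public commit the post describes at the point where it is cheapest to fix; the same `scan_text` function works on a draft forum post before it is submitted.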
While we cannot eradicate human error, it is possible to detect these mistakes quickly and fix them before they damage your business and brand. If you have these challenges and would be interested to know more about how we help, we’d love to chat about how we might work together.