Could this latest debacle of 10.6m lost personal records have been proactively avoided and better mitigated? Yes, say three experts.
It was recently reported that the personal details of more than 10.6 million guests at MGM Resorts Hotels, including regular tourists, celebrities, tech CEOs, reporters, government officials and employees at some of the world’s largest tech companies, were shared on a hacking forum. The leaked files included personal details such as full names, home addresses, phone numbers, emails, and dates of birth.
This is a good example of how customers need to secure their cloud with a couple of different tools, said Check Point Software Technologies’ Michael Petit, Head of Cloud Security, Asia Pacific & Japan. “Many companies, when they move to the cloud, incorrectly assume they and their information are safe because the cloud will provide that security. While this is true, it only goes so far. We call this the shared responsibility model.”
According to Petit, the cloud provider will secure the facilities, the hardware, and the network. The customer is responsible for securing their data and the access to that data. He recommends that companies secure the data plane (cloud workload protection) so that the traffic and files coming in and out of the cloud are secure and clean of any malware. They must also secure the control plane (Cloud Security Posture Management), which protects the company against misconfigurations, whether accidental or purposeful.
“For example, if a customer were to leave cloud storage exposed to the internet, it would not matter if the data plane is secure, because anyone in the world could access the data that is stored there because it is publicly available. By combining these two practices companies can ensure all best practices are in place and activated to prevent a breach like this from occurring.”
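The exposed-storage misconfiguration described above is the kind of thing a posture check looks for. The sketch below is an added example, not from the article or from any vendor named in it; it assumes AWS S3-style policy statements, the AllUsers ACL group and Public Access Block flags, and the inventory layout, bucket names and sample data are constructed for illustration.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# Constructed sample inventory (hypothetical snapshot layout, statements trimmed).
INVENTORY = [
    {"name": "guest-exports",
     "public_access_block": {},
     "acl_grants": [{"grantee_uri": ALL_USERS, "permission": "READ"}],
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject"}]}},
    {"name": "guest-archive",
     "public_access_block": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True},
     "acl_grants": [{"grantee_uri": ALL_USERS, "permission": "READ"}],
     "policy": {"Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
                              "Action": ["s3:GetObject"]}}},
    {"name": "partner-feed",
     "public_access_block": {},
     "acl_grants": [],
     "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                               "Action": "s3:GetObject",
                               "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}},
]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (a list of ARNs is also accepted)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)

def findings(bucket):
    """Return (severity, reason) tuples for internet-facing exposure."""
    pab, out = bucket.get("public_access_block", {}), []
    if not pab.get("IgnorePublicAcls"):  # public ACLs are honoured unless ignored
        for g in bucket.get("acl_grants", []):
            if g["grantee_uri"] == ALL_USERS:
                out.append(("PUBLIC", f"ACL grants {g['permission']} to AllUsers"))
    if not pab.get("RestrictPublicBuckets"):  # public policies take effect
        for s in _as_list(bucket.get("policy", {}).get("Statement", [])):
            if s.get("Effect") == "Allow" and _anyone(s.get("Principal")):
                # A Condition may narrow access: flag for review, do not clear it.
                sev = "REVIEW" if s.get("Condition") else "PUBLIC"
                out.append((sev, f"policy allows {','.join(_as_list(s['Action']))} to any principal"))
    return out

if __name__ == "__main__":
    for b in INVENTORY:
        print(b["name"], findings(b) or "ok")
```

The second bucket carries the same public grants as the first but reports nothing, because the account-level block flags override them; that is the control-plane setting doing its job regardless of what is stored inside.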
Adding a bug-bounty perspective is HackerOne’s technical program manager Niels Schweisshelm. He says when customers are made aware that their details may have been exposed, they must also take responsibility to update passwords that they might be using on multiple sites and stay vigilant for potential scams.
“While the cloud has many benefits, it’s important that developers have a clear change management process in place when pushing data to a live environment. The most impactful bugs affect cloud platforms, with incorrect configurations leading to information disclosure vulnerabilities that can be used to obtain sensitive information.”
As this latest leak shows, no matter how dedicated an internal team is, they may not always be looking at security in the same way an external attacker would and, therefore, the best way to augment existing resources is to engage ethical hackers. “It used to be that you had to notify cloud providers before you could run a security test, letting them know the pen-tester’s details, the date of testing, and the time frame. However, this no longer applies, and it’s easy to have cloud-hosted environments in scope for security testing.”
Finally, one expert feels that if we have learned anything from decades of data breaches, it is that any organisation can be a target. Taking a proactive approach to security is the best way to reduce the risk of unpleasantness, says Jonathan Knudsen, Senior Security Strategist, Synopsys Software Integrity Group. “A proactive approach means thinking about security at every phase of the design and implementation of systems. One valuable activity in the design phase is threat modeling, in which you examine the system design and imagine various ways an attacker could compromise it. Based on the results of that threat model, update the design with security controls that help mitigate the risk of attack.”
Threat modelling could, for example, show that a compromise of a database server would expose all its contents. Armed with this knowledge, developers could take a defence-in-depth approach to protecting data by implementing tighter access control and encrypting the database, or better yet, encrypting individual records.
“Any system can be compromised, but the goal is to make the cost of breaking in greater than the possible rewards,” Knudsen opined.