Cloud Misconfiguration and the Curse of the Inadvertent Employee

We all know that to err is human. The problem is that some mistakes are an order of magnitude larger than others. If you forget to buy apples at the store, that’s unfortunate. But if you forget to lock down your cloud server with the proper security controls and hackers gain entry, that’s a problem that could cost your business dearly.

IBM Security Services recently reported a staggering figure as it continues to monitor security incidents and offer guidance for what’s ahead: a 424 percent jump in the number of records compromised from 2016 to 2017 due to negligence in IT. The underlying issue: misconfigured cloud servers, networked backup incidents, and other improperly configured systems—all preventable errors that happen when the appropriate skillsets, controls, and processes are not put in place.

In fact, there is a new term IBM and other industry experts have begun to use: the inadvertent employee. These are the well-meaning IT professionals who are often at fault when it comes to misconfigured servers, networks, and databases. There has been a slew of major cybersecurity incidents in the past few years due to these mistakes as cybercriminals take full advantage of oversights. It doesn’t always take an IT expert to detect these weaknesses in cloud servers and gain entry into the sensitive information they store. Simply entering a URL into a browser to see if it returns a directory listing is an easy first step.

Recent Breaches Due to Misconfiguration

Already in 2018 there have been notable security breaches affecting millions of people. Hackers often look for sensitive information that commands a price on the dark market. This can include names, addresses, phone numbers, social security numbers, and credit card information, among other high-value data points.

Consider the following:

FedEx: In February, Kromtech Security researchers found an unsecured Amazon Web Services (AWS®) server with 119,000 FedEx customer records. FedEx quickly secured the information, which included driver’s license and passport numbers in addition to addresses, phone numbers, and other details. Apparently, the incident happened because Bongo International, acquired by FedEx in 2014, hadn’t taken the proper security precautions. The incident is a reminder to companies involved in merger and acquisition activities that they need to review their IT environments and not make assumptions about security policies.

BJC HealthCare: In March, BJC HealthCare announced that scanned images of documents related to 33,000+ patients had been accessible for more than eight months due to a misconfigured cloud server. These documents included social security numbers, treatment records, contact details, driver’s licenses, and insurance cards. Although the organization has stated they don’t believe the information was misused, they have offered free identity theft protection to their patients in their mea culpa.

Panera: In April, around 37 million customers who had placed orders on or had used Panera catering services learned their account information had been left open without a password for months on a cloud server. According to Krebs on Security, the company not only stored account details in easily accessed plain text format, but it was also lethargic about taking corrective action.

Looking Ahead

Public trust in the ability of any large company to protect personal information is eroding. Core Security and Fortra partner with thousands of organizations to secure their IT infrastructure as well as detect misconfigured systems—and alert you to any problems.

Find and Fix Misconfigurations on Your Systems

See how Powertech Security Auditor can help you ensure your systems are securely configured—and stay that way.