20 April 2019
Scott Ikeda’s report(1) on the Verifications.io data breach makes one thing clear: The incurable disease named cyber-security carelessness that leads inevitably to data breaches caused also this incident.
First of all, the company misjudged the criticality of the data. Although the exposed information is publicly accessible the compilation in few data sets simplifies the job of cyber criminals. Phishing emails are just more credible if high quality data(1) is used.
Secondly, the information in the MongoDB was accessible for everyone with internet access. This is not an isolated case. As of today, about 64,000 MongoDB(2) are visible in the internet, thereof about 18,000 with authentication not enabled.
The system developers ignored the vendors security advice provided in section ‘Limit Network Exposure’ of the MongoDB security checklist(3):
“Ensure that MongoDB runs in a trusted network environment and limit the interfaces on which MongoDB instances listen for incoming connections. Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available.”
This is easy to implement, at low cost.
Cyber security is about people, processes and technology. In this case, lack of cyber security awareness and missing security processes caused the incident. Nevertheless, security solution vendors advice(1) to implement new security technology for preventing such incidents:
“Security tools that automatically protect your data such as data loss prevention (DLP) and digital rights management (DRM) help secure your sensitive information. In the event that an important cloud vendor doesn’t have the right data protection, you can wrap their applications with a cloud security broker to provide the necessary cloud security and protection for your data.”
The big question is: Are such solutions effectively mitigating the risk if the system is accessible from the internet, without authentication?
I very much doubt because the number and extent of data breaches is continually growing, despite annually increasing investments into cyber security. Technology does just not cure cyber-security carelessness.
Have a great weekend.
Ikeda S. Largest Leak in History: Email Data Breach Exposes Over Two Billion Personal Records [Internet]. CPO Magazine. 2019 [cited 2019 Apr 14]. Available from: https://www.cpomagazine.com/cyber-security/largest-leak-in-history-email-data-breach-exposes-over-two-billion-personal-records/
The Shadowserver Foundation. The Shadowserver Foundation: MongoDB NoSQL Server Scanning Project [Internet]. 2019 [cited 2019 Apr 19]. Available from: https://mongodbscan.shadowserver.org/
mongoDB. Security Checklist — MongoDB Manual [Internet]. https://github.com/mongodb/docs/blob/v4.0/source/administration/security-checklist.txt. [cited 2019 Apr 19]. Available from: https://docs.mongodb.com/manual/administration/security-checklist