
WHAT CAN WE LEARN FROM THE TOP CLOUD SECURITY BREACHES?

By Jonathan Maresky, Cloud Product Marketing Manager, published September 30,
2021

(This blog post was first published in TheNewStack.)

According to Canalys’ recently published review of cybersecurity, there were
more data breaches over the course of 2020 than in the previous 15 years
combined: 300 reported breaches (up 119% from 2019), during which 31 billion
data records were exposed (up 171% over 2019).

There’s no question that the COVID-19 pandemic played an important role in this
dramatic escalation. The sudden jump in the number of employees working from
home created significant challenges in securing remote access to corporate
resources. Also, highly distributed offsite workforces became an ideal target
for social engineering hacking ploys.

Although spending on cybersecurity grew 10% during 2020, this increase fell far
short of accelerated investments in business continuity, workforce productivity
and collaboration platforms. Meanwhile, spending on cloud infrastructure
services was 33% higher than the previous year, spending on cloud software
services was 20% higher, and there was a 17% growth in notebook PC shipments.

In short, cybersecurity spending in 2020 did not keep up with the pace of
digital transformation, creating even greater gaps in organizations’ ability to
effectively address the security challenges introduced by public cloud
infrastructure and modern containerized applications: complex environments,
fragmented stacks and borderless infrastructure, not to mention the
unprecedented speed, agility and scale. See our white paper, Introduction to
Cloud Security Blueprint, for a detailed discussion of cloud security
challenges, with or without a pandemic.

In this blog post, we look at nine of the biggest cloud breaches of 2020, where
“big” is not necessarily the number of data records actually compromised but
rather the scope of the exposure and potential vulnerability. We describe how
these significant breaches happened and provide some key takeaways to help you
make your organization more secure.


1. MISCONFIGURED INTERNAL DATABASE

Microsoft disclosed in January 2020 an incident that occurred in an internal
support analytics database. A change on Dec. 5, 2019, to the database’s network
security group introduced misconfigured security rules. As a result, 250 million
records of support cases were compromised, including email and IP addresses as
well as support case details.

Microsoft assured customers that the breach did not expose any of its commercial
cloud services, and in most cases, the data had been automatically redacted to
remove personal information. However, any loss of customer data has serious
ramifications, such as giving threat actors a wealth of information for future
phishing expeditions. Check Point’s Incident Response Team (CPIRT) has seen a
number of successful phishing attacks with a mission-critical pretext such as
“Your IT Support Mailbox is Full” or “New voice mail: Unable to access
resources.” In the case of this breach, threat actors with access to support
ticket history could mount very targeted phishing attacks aligned with prior
legitimate communications with vendors.

The incident was a wake-up call for Microsoft, and all of us, that network
security rules for internal resources must be subjected to auditing that is as
rigorous as that used for external resources. It is also worth noting that the
exposure was detected by a third party. More than three weeks passed until the
misconfiguration was remediated. Comprehensive measures to detect security rule
misconfigurations and alert security teams in real time are critical to prevent
breaches.


2. UNPROTECTED DATABASE, UNENCRYPTED DATA

On Jan. 30, 2020, a security researcher discovered a non-password-protected
database that was accessible to anyone on the internet. The database, which was
part of Estée Lauder’s education platform, contained user emails in plain
text as well as IP addresses, ports, pathways and storage information that
malicious actors could exploit to gain deeper access into the network.
Unencrypted production, audit, error, CMS and middleware logs were also exposed,
creating more possible backdoors into the network.

Estée Lauder remediated the exposure on the same day that it was discovered and
assured its customers that no consumer data was compromised. Despite minimal
damage, there are at least three important lessons that can be learned from this
breach:

 * Effective asset discovery and management are critical to security. Any
   unprotected asset can be a great foothold for threat actors and, as in this
   case, can provide invaluable fodder for future social engineering and
   phishing attacks.
 * Beware of the agility and ease with which cloud resources can be provisioned.
   It should never be at the expense of upholding security best practices such
   as password protection.
 * Data should always be encrypted, even in non-production databases.


3. DATABASE OF SECRETS UNPROTECTED FOR 8 YEARS

Whisper is a secret-sharing smartphone app that has been around since 2012. In
its earlier years, it was a popular platform to share confessions and other
highly personal information under a pseudonym. On March 10, 2020, the story
broke in The Washington Post that security researchers had discovered 900
million Whisper posts and their metadata in an unprotected database. The exposed
data, which went back to 2012, included the user’s age, ethnicity, gender,
hometown, nickname and group memberships.

There is no evidence that the database was ever exploited, and Whisper took it
down immediately after being contacted by The Washington Post. It is truly hard
to fathom how an exposed database from a secret-sharing app could have gone
undetected by the company for so many years.

However, it is apparently not an unusual situation. Our CPIRT colleagues have
learned that servers or services that are exposed by accident are typically the
ones most misconfigured and most out of date with patches. Regular external
attack surface mapping and scanning can help identify such servers and services
and prevent accidental exposure. Perhaps this is also the place to note that in
today’s complex hybrid and multicloud environments, the need for effective
security monitoring is greater than ever before.


4. BIOMETRIC DATA ON AN UNSECURED SERVER

Security researchers informed a Brazilian biometric solutions company in March
2020 that 81.5 million records had been exposed on an unsecured server. The
records included admin (!) login information, employee phone numbers and email
addresses, company emails and binary code related to 76,000 fingerprints, which
could have been used to reverse engineer the fingerprints themselves. Facial
recognition data was also found in the exposed database.

The breach occurred primarily because the company failed to securely configure
the migration of data to a cloud-based database for storage purposes. Our CPIRT
investigators have witnessed several hasty cloud migrations that resulted in
accidental exposure of data or other vulnerabilities. When migrating from a
protected on-premises infrastructure to cloud infrastructure, extraordinary
measures should be taken to secure the application, starting with the same
controls you would apply on-premises such as password protection and data
encryption.


5. FIVE BILLION RECORDS EXPOSED DURING ROUTINE MAINTENANCE

This mega-breach occurred in March 2020 when a service provider, Keepnet,
temporarily exposed 5 billion records during routine maintenance. The
contractor had shut down a firewall for about 10 minutes to speed up the
migration of an Elasticsearch database, opening up a window for the
internet-indexing service BinaryEdge to index all the data. During those 10
minutes, a security researcher was able to access the database via an
unprotected port, although he only succeeded in extracting a very small subset
of the records.

The database contained emails and passwords from publicly known data breaches,
data that had been used to notify Keepnet’s customers if they had been
compromised. No company or customer data was exposed, and the records themselves
were all from publicly available threat intelligence resources.

Given the sophistication and agility of threat actors, the Keepnet breach
underscores the importance of constant vigilance, even during routine
maintenance and operations. In the company’s public statement about the
incident, one of the lessons learned was: “We have added [a] threat intelligence
service to our 24/7 monitoring systems and conduct continuous vulnerability
scanning.”

In CPIRT’s experience attackers often gain access to and then spread laterally
through a network because security controls were disabled in favor of
performance. In fact, threat actors look for systems that have exceptional
performance with little or no security controls. A proper security architecture
should consider performance requirements in the early planning and design
stages. This upfront investment saves security management time and resources
over the long term.
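Passages 1, 2 and 5 above all come down to an inbound rule that let the internet reach a data store, and passage 1 asks for measures that detect such rule misconfigurations. The following is an added example written for this post, not Check Point's code: it audits a simplified, vendor-neutral inbound rule set for data-store ports reachable from non-internal sources, honoring Azure-style priority ordering so that a deny that shadows an allow is not reported. The rule format, the port list and the sample rules are all constructed for the example.

```python
"""Audit inbound security-group rules for public exposure of data-store ports.

Added example (not from the Check Point post). The Rule format is a
constructed, vendor-neutral simplification; map your provider's NSG or
security-group export onto it before use.
"""
import ipaddress
from dataclasses import dataclass

# Data-store ports that should never be reachable from the public internet.
SENSITIVE_PORTS = {9200: "elasticsearch", 5432: "postgresql", 3306: "mysql",
                   27017: "mongodb", 6379: "redis", 1433: "mssql"}
ANY = ipaddress.ip_network("0.0.0.0/0")
# RFC 1918 plus loopback; ipaddress.is_private is deliberately not used because
# it also treats 0.0.0.0/0 and the documentation ranges as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    priority: int    # lower number is evaluated first, as in Azure NSGs
    source: str      # IPv4 CIDR, or "*" for any address
    port_range: str  # "9200", "9200-9300", or "*" for all ports


def source_net(rule: Rule) -> ipaddress.IPv4Network:
    return ANY if rule.source == "*" else ipaddress.ip_network(rule.source, strict=False)


def is_internal(net: ipaddress.IPv4Network) -> bool:
    return any(net.subnet_of(p) for p in INTERNAL_NETS)


def sensitive_ports_in(port_range: str) -> set:
    """Sensitive ports that fall inside a rule's port range."""
    if port_range == "*":
        return set(SENSITIVE_PORTS)
    lo, _, hi = port_range.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def shadowed(allow: Rule, port: int, rules) -> bool:
    """True if a higher-priority deny already blocks this port for every
    address the allow rule admits, so the allow never takes effect."""
    return any(r.action == "deny" and r.priority < allow.priority
               and port in sensitive_ports_in(r.port_range)
               and source_net(r).supernet_of(source_net(allow))
               for r in rules)


def audit_inbound(rules) -> list:
    """Return (rule name, port, service, severity) for every effective allow
    rule that admits non-internal sources to a sensitive port."""
    findings = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.action != "allow" or is_internal(source_net(rule)):
            continue
        # A /8 or wider source is treated as "anyone on the internet"
        # (constructed threshold); narrower public ranges are still reported.
        severity = "critical" if source_net(rule).prefixlen <= 8 else "high"
        for port in sorted(sensitive_ports_in(rule.port_range)):
            if not shadowed(rule, port, rules):
                findings.append((rule.name, port, SENSITIVE_PORTS[port], severity))
    return findings


# Constructed sample rule set: an internal-only Postgres rule, a deny that
# shadows a partner Redis allow, an Elasticsearch range opened to the world
# and a MySQL port opened to a public "office" range (documentation addresses).
SAMPLE_RULES = [
    Rule("allow-vnet-postgres", "allow", 100, "10.0.0.0/16", "5432"),
    Rule("deny-redis-all", "deny", 150, "*", "6379"),
    Rule("allow-redis-partner", "allow", 200, "203.0.113.0/24", "6379"),
    Rule("allow-es-public", "allow", 300, "*", "9200-9300"),
    Rule("allow-office-mysql", "allow", 310, "198.51.100.0/24", "3306"),
]

if __name__ == "__main__":
    for name, port, svc, sev in audit_inbound(SAMPLE_RULES):
        print(f"[{sev.upper()}] rule {name!r} exposes {svc} ({port}) to non-internal sources")
```

Run against a daily export of the rule set and alert on any new finding; the shadowing check matters because a rule that looks open but is blocked by a higher-priority deny is noise, while one that becomes effective after a deny is removed is exactly the change that caused the Microsoft exposure.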


6. MISCONFIGURED CLOUD SERVER LEAKS GUEST INFORMATION

In July 2020, MGM Grand Hotels acknowledged the breach of 142 million records
that contained personal information about guests and were being offered for sale
on the dark web. The hacked data included home addresses, contact information,
dates of birth, driver’s license numbers and passport numbers. Luckily, it did
not include financial information, IDs or reservation details.

It is possible that this was part of the same July 2019 breach that became high
profile in February 2020 when 10.6 million records were offered as a free
download on a hacking forum. Unfortunately, the data that was exposed here is
yet another case of giving threat actors everything they need for future
spear-phishing attacks.

The breach was apparently the result of a misconfigured cloud server that was
then accessed without authorization. Considering that most misconfigurations are
the result of human error, the incident highlights the invaluable importance of
automated security workflows to strengthening an organization’s security
posture.


7. UNDETECTED EXFILTRATION OF PERSONAL & FINANCIAL DATA

In September 2020, Warner Media Group (WMG) announced that it was the victim of
a three-month Magecart data-harvesting attack on multiple e-commerce websites
hosted and supported by an external service provider. From April 25 to Aug. 5,
2020, a hacker exfiltrated personal (name, email address, telephone number,
billing and shipping addresses) and credit card information (card number, CVC,
expiration date) entered into the websites while making purchases.

In a class action that was brought against WMG in the wake of the incident,
the plaintiffs wrote “The fact that this breach allegedly went on undetected for
more than three months demonstrates the alleged lack of care taken by Warner
Media Group to secure its customers’ information.” The lesson that WMG learned
the hard way is that next-generation threat-hunting and intelligence
capabilities might have detected the issue more quickly or even pre-empted it.
And advanced data-driven threat forensics is key to accelerating time to
remediation.


8. CRYPTO MINING CAMPAIGN TARGETS KUBERNETES

In June 2020, attackers mounted a successful crypto mining campaign on
compute-intense Kubernetes machine learning nodes on Microsoft Azure. The target
was Kubeflow, an open source project for managing ML tasks in Kubernetes. The
attackers exploited Kubeflow dashboards that were configured more for
convenience than security. These misconfigurations exposed the service to the
internet and allowed unauthorized users to perform Kubeflow operations,
including deploying new containers.

The Azure Security Center confirmed that the attack affected tens of Kubernetes
clusters, but did not specify the scope of the resource hijacking or whether the
attackers were able to exploit the dashboards for other malicious activities.
Given the cloud’s auto-scaling capabilities, it is no wonder that cloud service
providers are a common target of crypto mining campaigns. The victims often only
become aware of the exploit at the end of the month when they receive an
extraordinarily high cloud usage bill.

In any case, it is never advisable to rely solely on the security controls of
your cloud service provider. Every organization must understand its
responsibilities within the shared responsibility model of cloud security and
uphold all best practices related to cloud network security and cloud
configuration compliance.


9. ACCOUNT REGISTRATION INFORMATION EXPOSED TO BUSINESS PARTNERS

In December 2020, Spotify announced that an undisclosed number of account
registration records were accidentally exposed to Spotify business partners. The
sensitive user information to which they may have been able to gain access
included email address, preferred display name, password, gender and date of
birth. The breach resulted from a system vulnerability that was introduced back
in April but not discovered until November.

Automated scans and regular penetration testing could have helped identify these
types of system weaknesses and perhaps prevent the breach. Keeping cloud assets
secure is not just Spotify’s challenge. Of the 300 American CISOs who
participated in the IDC Cloud Security survey in June 2020, the top concerns for
cloud production environments were security misconfigurations (67%), lack of
visibility into access settings and activities (64%), and identity and access
management (IAM) errors (61%). Their top cloud security priorities are
compliance monitoring (78%), authorization and permission management (75%), and
security configuration management (73%). Given these challenges and priorities,
enterprises are looking to third-party security vendors to complement their
cloud provider security tools and services, as well as provide automated and
unified cloud security solutions.


CONCLUSION

Keeping networks and data assets safe is a never-ending battle between security
teams and threat actors. As we have seen in this review of selected 2020 cloud
breaches, poor asset management, security misconfigurations and unencrypted data
are all leading contributors to breaches that can compromise sensitive data and
other resources.

The fact that not all of the exposures described above resulted in damaging
exploits should not be a comfort. The exposure itself is often regarded as a
poor reflection on the organization’s cloud network security and cloud security
management practices. If an organization is the target of continuous attacks, an
exploited vulnerability is eventually going to have significant consequences
like data leakage, application performance degradation or disruption, or
resource hijacking.


WHAT CAN YOU DO?

Reading the Check Point cloud security blog is one easy way to ensure you stay
up-to-date with industry trends, new technology, best practices and
recommendations from a trusted cloud security advisor.

Get familiar with CloudGuard, Check Point’s multi-layered cloud-native security
platform, which provides you with unified security to automate security
everywhere.

A key foundational layer is cloud network security, where organizations should
deploy virtual security gateways to provide advanced threat prevention, traffic
inspection and micro-segmentation.

If you are migrating to the cloud and evaluating cloud network security
solutions, download the Buyer’s Guide to Cloud Network Security to understand:

 * The top 10 considerations when evaluating and choosing a cloud network
   security solution
 * An overview of Check Point CloudGuard and how it answers the top 10
   considerations
 * The relative benefits of the solutions provided by leading cloud providers
   and third-party security vendors

To read the Forrester Total Economic Impact of CloudGuard Network Security,
where Forrester interviewed a $10B+ US-based healthcare company that uses
CloudGuard to secure its hybrid-cloud deployment and generated a 169% ROI,
click here.

And if you are in the process of planning your migration to the cloud, please
contact us to schedule a demo, and a cloud security expert will help you
understand your needs.

