Attention ergophobes: simulate understanding here.
- Microsoft discloses the inadvertent exposure of a customer service database.
- NSA has guidance on mitigating cloud vulnerabilities.
- Big advertising platforms may increasingly give up geolocation.
- Again: a ransomware attack is now a data breach unless proven otherwise.
Microsoft Elasticsearch exposure.
Back at the end of December, Comparitech found five Microsoft Elasticsearch servers exposed online. They discovered them on December 28th, promptly notified Microsoft, and Microsoft secured them within two days. Redmond disclosed details of the incident yesterday. The data were held in a customer service database, and roughly 250 million records were exposed. Microsoft says that it follows standard redaction procedures for the information stored in such databases, and that most of the exposed records seem to have been redacted in accordance with company policy. But the incident remains embarrassing. As Microsoft put it, "While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable."
The company will immediately:
- Audit the "established network security rules for internal resources."
- Expand the "scope of the mechanisms that detect security rule misconfigurations."
- Add "additional alerting to service teams when security rule misconfigurations are detected," and,
- Deploy "additional redaction automation."
Regulators are sure to notice. As CipherCloud founder and CEO Pravin Kothari put it, "We'll see more and more regulators 'bring the hammer down' and levy some of the largest fines ever seen to raise the sense of urgency on businesses to protect their client sensitive information. It could be FTC, European GDPR, California Consumer Privacy Act, and many other privacy regulators worldwide."
Chris DeRamus, CTO and co-founder of DivvyCloud, noted that there's third-party risk to be managed here as well. "Organizations must be cognizant of their cloud service providers' storage access policies and use these policies to define access," he said. "Microsoft must ensure that their security team understands that incorrectly configured policies can result in costly damages. In this instance, because the records exposed include customer email and IP addresses, affected customers should be on high alert for phishing scams."
In any case, Microsoft's final counsel in its disclosure is worth taking to heart: "As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available."
NSA offers guidance on mitigating cloud vulnerabilities.
The US National Security Agency has issued guidance on mitigating the cloud vulnerabilities that have put so much private information at risk. The agency divides cloud vulnerabilities into four classes:
- misconfiguration,
- poor access control,
- shared tenancy vulnerabilities, and
- supply chain vulnerabilities.
The agency offers a framework for mitigating an organization's exposure to the risk these induce.
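Microsoft's remediation plan above (audit the network security rules for internal resources, detect and alert on rule misconfigurations) and the NSA's first vulnerability class, misconfiguration, both describe a check without showing one. As an added example, not tooling from Microsoft, Comparitech or the NSA, the Python below walks a constructed first-match inbound rule set and reports any Elasticsearch port an Internet source can reach; the Rule format, the lowest-number-wins priority semantics and the sample rules are all assumptions, so adapt the loader to your provider's rule export.

```python
import ipaddress
from dataclasses import dataclass

ELASTICSEARCH_PORTS = (9200, 9300)  # REST API and node transport ports
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass(frozen=True)
class Rule:  # constructed inbound rule model, not any provider's schema
    name: str
    action: str     # "allow" or "deny"
    source: str     # source range in CIDR notation
    port_from: int  # inclusive destination port range
    port_to: int
    priority: int   # lower number is evaluated first (assumed semantics)

def reaches_from_internet(cidr: str) -> bool:
    """True unless the range lies entirely inside RFC 1918 or loopback space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_RANGES)

def exposed_ports(rules, ports=ELASTICSEARCH_PORTS):
    """Return {port: rule name} for each port an Internet source can reach."""
    findings = {}
    for port in ports:
        for rule in sorted(rules, key=lambda r: r.priority):
            if not (rule.port_from <= port <= rule.port_to):
                continue
            if not reaches_from_internet(rule.source):
                continue  # matches only internal sources; Internet traffic falls through
            if rule.action == "deny":
                if ipaddress.ip_network(rule.source, strict=False).prefixlen == 0:
                    break  # blanket deny: no Internet source gets past this rule
                continue  # partial deny: other Internet sources still fall through
            findings[port] = rule.name  # first matching allow decides
            break
    return findings

# Constructed sample: an internal allow, a stray any-source allow, a catch-all deny.
SAMPLE_RULES = [
    Rule("allow-es-from-vnet", "allow", "10.0.0.0/8", 9200, 9300, 100),
    Rule("allow-es-any", "allow", "0.0.0.0/0", 9200, 9200, 200),  # the misconfiguration
    Rule("deny-all-inbound", "deny", "0.0.0.0/0", 0, 65535, 65000),
]
HARDENED_RULES = [r for r in SAMPLE_RULES if r.name != "allow-es-any"]

if __name__ == "__main__":
    for port, name in exposed_ports(SAMPLE_RULES).items():
        print(f"ALERT: port {port} reachable from the Internet via rule '{name}'")
```

Run against the sample, it flags only port 9200 through the stray rule; with that rule removed the catch-all deny applies and nothing is reported.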
Giving up on geolocation.
Fast Company reports that, as Apple and Google tighten their privacy controls, advertisers find that they have to forgo the easy geolocation that iPhones and Android devices once provided. The two companies sometimes collaborate as frenemies: as CNET's coverage suggests, Google tipped Apple to a problem with Safari's Intelligent Tracking Prevention feature.
Ransomware again equals data breach.
More organizations afflicted with ransomware are paying the extortionists, Dark Reading reports, citing surveys by Proofpoint and others. To be sure, this is likely to fuel a bandit economy, but on the other hand the risk now extends beyond data availability and business operations to all of the regulatory exposure associated with the exposure of personal information.
Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, commented that victims increasingly seem to have no option beyond paying the ransom. "Previously, most of the ransomware campaigns were merely hindering victims' daily operations, as organizations with daily backups and other important cybersecurity processes managed to recover pretty quickly and without many losses," Kolochenko told us in an email. "Moreover, some organizations did not even report such incidents to avoid potential fines and lawsuits. Now such incidents have become an invitation to file a class action by the victims and prosecution of careless organizations by competent law enforcement agencies."
Regulatory risk is risk indeed, and as privacy becomes increasingly a matter of regulation, exposure to that risk will increase.