What happened:

The Cypriot security researcher Ata Hakçıl (which sounds Turkish for “way to go, hacker!”) found an abandoned S3 bucket with 32 GB of consumer data. The bucket had been operated by Reindeer Marketing and contained full PII for customers of Tiffany & Co. and Patrón Tequila.

 

Why is this important?

If you don’t manage services in the cloud and you’re more of an Etsy and Coors customer, you can relax. But if you are managing services in the cloud, you know how hard it can be to lock down systems that you are not expert in managing.

In the HIT Index section, human error – especially error in system configuration – is growing as a cause of security incidents and data breaches.

 

What does this mean to me?

Cloud services market their ability to help you build online services quickly and inexpensively. But your team must have command of the security risks that come with that efficiency. Whether you employ cloud environments as data centers that provide Power, Pipe, and Place, or you employ PaaS models, if you build before you understand the risks, cloud security can quickly overwhelm you.

 

Related threats

Application hacking
System hacking
Use of vulnerability spider/index/search tools such as Shodan.io

 

Related vulnerabilities

Un-hardened cloud services, such as S3 buckets. Cloud services whose configurations change outside your control, such as load balancers, vulnerability management systems, patch management systems, permission structures, and authentication systems.

 

Helpful controls

Configuration white papers (AWS)
SCAP-based system images (AWS)
Security Center (Azure)
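
One way to check an inventory for the un-hardened S3 buckets named under related vulnerabilities, as an added example that is not part of the original article. The bucket names and the record layout (one dict per bucket holding its parsed policy, ACL grants and public access block settings) are constructed for illustration, and treating any policy Condition as non-public is a simplification.

```python
# Added example: offline audit of S3 bucket settings; all bucket data below is constructed.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _wildcard(principal):
    """True if a policy Principal matches anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_findings(bucket):
    """Return reasons the bucket is reachable by principals outside the account."""
    pab = bucket.get("PublicAccessBlock", {})  # absent block = nothing blocked
    findings = []
    if not pab.get("IgnorePublicAcls", False):
        for grant in bucket.get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS:
                findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[1]}")
    if not pab.get("RestrictPublicBuckets", False):
        stmts = bucket.get("Policy", {}).get("Statement", [])
        for s in [stmts] if isinstance(stmts, dict) else stmts:
            # Simplification: any Condition is treated as narrowing access.
            if s.get("Effect") == "Allow" and _wildcard(s.get("Principal")) and not s.get("Condition"):
                findings.append(f"policy allows {s.get('Action')} to any principal")
    return findings

SAMPLE_BUCKETS = {  # constructed inventory; field names follow the S3 API responses
    "legacy-campaign-data": {
        "Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}],
        "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::legacy-campaign-data/*"}]},
    },
    "current-app-assets": {
        "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}],
        "Policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::current-app-assets/*"}]},
    },
}

def audit(buckets):
    return {name: f for name, cfg in buckets.items() if (f := public_findings(cfg))}

if __name__ == "__main__":
    print(audit(SAMPLE_BUCKETS))
```

The second sample bucket carries the same public ACL and policy as the first but is not reported, because its public access block settings override both.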

 

Commonality of attack

High

 

Article on story

Misconfigured Cloud Breaches Link