Recently, headlines were hyping the largest ever exposure of voter information, involving some 9.5 billion data points related to 198 million U.S. voters.
Attention-getting stuff. And since the story involved the Republican National Committee (RNC), the hype was intensified. Somewhat imprecisely, many articles characterized the incident as a data “leak”, “breach”, or “compromise” — again, adding to the intensity, but not the accuracy of what actually happened.
I’m not trying to minimize the seriousness of the issue — the potential damage was enormous as were the implications regarding security and privacy. But now that some of the dust has settled, it’s time to back away from the headlines and explore what actually happened.
So let’s see what we can learn from the RNC data exposure — and more importantly — what we can and must do to better protect our data and systems going forward.
Note: Some excellent post-incident analyses and commentaries have been published, including:
- Deep Root: what can we learn from the GOP’s data leak?
- Configuration Error Leads to Another Amazon Web Services Data Breach
- Cloud Security Lessons from the RNC Leak
Who, What, & When
This story has three main players: the RNC, UpGuard Inc., a security firm, and Deep Root Analytics (DRA), a media analytics company that the RNC had hired to gather information about U.S. voters during the 2016 presidential campaign.
On June 12, Chris Vickery, a security analyst with UpGuard, discovered an open cloud repository that was left exposed by DRA and remedied the problem on June 14. To quote the UpGuard report:
“The data repository, an Amazon Web Services S3 bucket, lacked any protection against access. As such, anyone with an internet connection could have accessed the Republican data operation used to power Donald Trump’s presidential victory, simply by navigating to a six-character Amazon subdomain: “dra-dw”.”
A key point is that the report does not contain any reference to the data having been downloaded with malicious intent.
The Fundamental Problem
What’s unsettling about this story is the fact that the misconfiguration that caused the data exposure is extremely common and could have been addressed with a few basic AWS security steps.
In a recent survey that Threat Stack conducted, we found a surprising number of well-documented security misconfigurations:
- Among the most egregious were AWS Security Groups configured to leave SSH wide open to the internet in 73% of the companies analyzed. This simple configuration error allows an attacker to attempt remote server access from anywhere, rendering traditional network controls like VPN and firewalls moot. In fact, Threat Stack observed SSH traffic from the internet using the root account, which could have severe security repercussions.
- Additionally, the well-recognized best practice of requiring multi-factor authentication (MFA) for AWS users was not being followed by 62% of companies analyzed, making brute force attacks that much simpler.
- Even AWS-native security services, such as CloudTrail, were not being deployed universally (27%) across all regions.
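The first two findings above (SSH open to the internet in a security group, and a storage bucket readable by anyone) can be checked mechanically. The following is an added example, not Threat Stack’s tooling or anything from the incident report: it audits dictionaries shaped like the JSON returned by EC2 `DescribeSecurityGroups` and S3 `GetBucketAcl`, so the same functions can be fed live API output; the sample data, group IDs and bucket names are constructed for illustration.

```python
# Offline audit of the two misconfigurations discussed above. Inputs mirror the
# JSON shapes of EC2 DescribeSecurityGroups and S3 GetBucketAcl responses.
from typing import Dict, List

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def open_ssh_groups(security_groups: List[Dict]) -> List[str]:
    """IDs of security groups with an inbound rule exposing TCP/22 to the internet."""
    flagged = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            # "-1" means every protocol and port; otherwise the TCP range must include 22
            covers_ssh = proto == "-1" or (proto == "tcp" and lo is not None and lo <= 22 <= hi)
            cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
            cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
            if covers_ssh and cidrs & ANYWHERE:
                flagged.append(sg["GroupId"])
                break  # one open rule is enough to flag the group
    return flagged

def public_buckets(bucket_acls: Dict[str, Dict]) -> List[str]:
    """Names of buckets whose ACL grants any permission to an AWS-wide group."""
    return sorted(name for name, acl in bucket_acls.items()
                  if any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
                         for g in acl.get("Grants", [])))

# Constructed sample data (not taken from the incident)
SAMPLE_SGS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-wide-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]
SAMPLE_ACLS = {
    "private-dw": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                               "Permission": "FULL_CONTROL"}]},
    "exposed-dw": {"Grants": [{"Grantee": {"Type": "Group", "URI":
                               "http://acs.amazonaws.com/groups/global/AllUsers"},
                               "Permission": "READ"}]},
}
if __name__ == "__main__":
    print("SSH open to the internet:", open_ssh_groups(SAMPLE_SGS))
    print("Publicly readable buckets:", public_buckets(SAMPLE_ACLS))
```

Note that a bucket can also be exposed through a bucket policy rather than its ACL, so a real audit checks both.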
As Sam Bisbee, Threat Stack’s CTO, has stated: “The most surprising part of these findings is that, for all the money that sophisticated enterprises spend on advanced security, a majority aren’t even taking full advantage of the basic security tools available to them as AWS users.”
“Despite years of education from AWS and their technology partners in the industry, not to mention the prevalence of automated security checks, a majority of users are still not configuring their cloud environments securely.”
The Learning and Actions To Take
As Sam pointed out, AWS takes security very seriously, but as the shared responsibility model makes clear, it’s essential that we do our part as well. If we don’t uphold our side of the equation, security goes out the door (and leaves the door wide open behind it).
So what can we learn — and do — based on the RNC data exposure?
Let’s not focus on the size of the exposure or the fact that it happened to the RNC. Rather, let’s accept that there is no them and us, and that what happened to the RNC can happen to any organization — as evidenced by the fact that the Clinton campaign was also breached last year. Cybercriminals are supremely equitable: They’ll go after anyone with a vulnerability. And don’t forget, the bad guys like to work smart, not hard, so they’re always on the lookout for vulnerabilities that are easy to exploit.
Should we not store our information in the cloud? Not going to happen. Given how far we have progressed and the many benefits we’ve attained (speed, scalability, cost reductions, etc.), no one’s going to turn back the clock. Should we attempt to batten down the hatches to the point where all risk is eliminated? Impossible. Any serious attempt to do this would be unrealistically expensive and time consuming, and would, ultimately, choke the life out of any organization that attempted it.
So what’s the answer?
Risk Acceptance and Risk Management
The most realistic and profitable way to run a business in today’s cyber climate is to embrace a culture of Risk Acceptance, determine how much risk you are willing to accept, and manage the process using an approach such as Threat Stack’s end-to-end 4 R Risk Management Methodology to ensure that your organization is protected 24/7/365.
The four phases are as follows and ensure that you are continually applying good security hygiene:
- Risk Identification
- Risk Assessment
- Risk Mediation
- Ongoing Risk Monitoring
(For a full discussion of the 4 Rs Methodology, take a look at our blog entitled Risk Assessment and Business Payout.)
Final Words . . .
Of course the RNC data exposure wasn’t a one-off. We have heard of countless vulnerabilities and exploits in the past, and inevitably, there will be many more in the future. So it’s important to remind ourselves that security doesn’t just happen.
We live in the age of the cloud, in an age of big data, and as in every other area of life, there are good actors and bad. We must, therefore, consciously find ways of taking responsibility for the security of our data and systems. We can start by ignoring the distracting headlines, and instead, look into our own environments, ensuring that they are configured securely according to industry best practices, and are also being continuously monitored for possible threats. It all becomes more manageable and seamless when it’s done in the context of an approach like the 4 Rs Risk Management Methodology.