You only have to read the news on this very website to find countless stories of instances where companies have inadvertently left a database exposed on the web – it’s every security professional’s worst nightmare.
Researchers at Comparitech, who are often the ones who find these misconfigured databases and alert the unsuspecting company, set up a honeypot experiment to see just how little time it would take before such a database was found.
Comparitech’s head cybersecurity researcher, Bob Diachenko, created a simulated database on an Elasticsearch instance, complete with fake user data, left it publicly exposed and recorded the results over 11 days.
Just over 8 hours after exposure, the database received its first unauthorised access attempt (which Diachenko refers to as an “attack”). Over the days it was left exposed it was attacked 175 times in total, an average of 18 times a day.
The research should serve as a stark reminder to companies of the importance of securing databases like Elasticsearch and shows just how opportunistic hackers are. Commenting, Warren Poschman, senior solutions architect at comforte AG, said:
“IT departments leaving unprotected databases on the internet, data in misconfigured S3 buckets, or not patching critical systems that are internet facing is an unfortunate and increasingly regular occurrence as more organisations cloudify their legacy operations or move toward new cloud-native infrastructures.
“With hundreds of controls and a multitude of regulations emerging to protect privacy, proper and robust implementation can be a daunting task – let alone the basic security requirements that are required for basic survival,” he continued.
David Kennefick, product architect at Edgescan, said that his team finds these instances a lot more often than people might think, as Edgescan monitors for exposed databases as part of its continuous profiling service; however, the cloud has improved matters. He said: “There has been a substantial improvement during the great cloud migration. Using a service such as AWS or Azure, which automatically locks down your machines and services, is a great way to reduce the likelihood of leaving something exposed. These providers, in fact, have this control enabled by default, meaning that users have to go out of their way to leave anything exposed on the internet.
“The issues with exposed databases are introduced when teams are managing technologies that don’t have this control enabled by default – there is an assumption of security, and this leads organisations down the path of accidental exposure,” Kennefick explained.
Of course, if the good guys are searching, so are the bad guys. Boris Cipot, senior security engineer at Synopsys, explained that hackers have created their own search engines to hunt out exposed databases or devices.
“Finding exposed databases or devices on the internet today is quite easy, as further proven by Comparitech’s honeypot research. There are specially designed search engines that look for exposed devices on the internet, and even malware like Kaiji (as one example) automatically looks for exposed operating systems with root access,” Cipot said.
“For this reason, a timestamp of less than 9 hours before the first “attack” started is nothing surprising. It does, however, show that there is not much time for companies to find a mistake and repair it before there is potential for a bad actor to identify and manipulate it. Every mistake in provisioning your resources can lead to big problems. We often see that insecure steps are taken when deploying instances in the cloud environment. Insecure security settings lead to exploitable systems and devices.”
Comforte’s Poschman noted that the findings are key indicators that going beyond the perimeter, access controls and other traditional controls is absolutely necessary.
“Data security is that one catch-all that must not be left out. By implementing data-centric security, organisations can eliminate risk by ensuring that data is protected regardless of where it resides or who is using it – not a nice to have but a necessity given today’s attack vectors and expanding cloud usage,” he said.
Synopsys’ Cipot recommended that companies think about provisioning resources much like a pilot’s checklist before take-off, which will lead to two important things, “first, the creation of security policies and procedures and secondly, a checklist that does not allow room for mistakes.”
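As an added example (not Comparitech’s, the article’s or any vendor’s code), here is a small pre-deployment check that puts Kennefick’s point about technologies without a safe default and Cipot’s pre-flight checklist into a script. It reads the flat `key: value` settings of an elasticsearch.yml and flags the combination that leaves a node open to the internet: a network-reachable bind address together with authentication switched off. Assumptions, labelled in the code: 7.x-era defaults (loopback bind, security off unless explicitly enabled; pass `security_default=True` for a release where security is on by default), the two constructed sample configs, and the hypothetical private address 10.0.1.5.

```python
"""Pre-deployment check for an elasticsearch.yml (added example, not the
article's or Comparitech's code). Flags the pattern behind most exposed
Elasticsearch instances: the node listens on a non-loopback interface while
authentication is off. The sample configs below are constructed for the
example. Assumed defaults, taken from the 7.x line: network.host falls back
to loopback and xpack.security.enabled falls back to false; pass
security_default=True for a release where security is on by default."""
from dataclasses import dataclass

# Values of network.host that keep the node reachable only from the machine itself.
LOOPBACK = {"_local_", "localhost", "127.0.0.1", "::1"}

SEVERITY_RANK = {"ok": 0, "warn": 1, "critical": 2}


@dataclass
class Finding:
    severity: str   # "warn" or "critical"
    setting: str    # which setting(s) triggered it
    message: str


def parse_simple_yaml(text):
    """Parse the flat `key: value` lines Elasticsearch settings files use.
    Comments and blank lines are skipped; nested YAML is out of scope here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)   # split on the first colon only, so "::1" survives
        settings[key.strip()] = value.strip()
    return settings


def as_list(value):
    """Turn either `host` or `[host1, host2]` into a list of host strings."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [v.strip().strip('"').strip("'") for v in value.split(",") if v.strip()]


def as_bool(value, default):
    if value is None:
        return default
    return value.strip().strip('"').strip("'").lower() in {"true", "yes", "on", "1"}


def check_elasticsearch_config(text, security_default=False):
    """Return a list of Findings for one elasticsearch.yml; an empty list means nothing was flagged."""
    settings = parse_simple_yaml(text)
    findings = []

    hosts = as_list(settings.get("network.host", "_local_"))
    # "_site_", "_global_", "0.0.0.0" or any concrete non-loopback address puts the
    # HTTP port (9200 by default) on a network that other machines can reach.
    reachable = [h for h in hosts if h not in LOOPBACK]
    security_on = as_bool(settings.get("xpack.security.enabled"), security_default)

    if reachable:
        findings.append(Finding("warn", "network.host",
                                "node listens on non-loopback interface(s): " + ", ".join(reachable)))
    if not security_on:
        findings.append(Finding("warn", "xpack.security.enabled",
                                "authentication is off; any client that reaches the HTTP port can read and write every index"))
    if reachable and not security_on:
        findings.append(Finding("critical", "network.host + xpack.security.enabled",
                                "network-reachable and unauthenticated: the exposure pattern the honeypot reproduced"))
    return findings


def worst_severity(findings):
    """Collapse a list of Findings to "ok", "warn" or "critical" for a go/no-go decision."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="ok")


# Constructed sample: the misconfiguration that leaves a node open to the internet.
EXPOSED_CONFIG = """
cluster.name: demo
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: bound to loopback plus one private NIC, with authentication on.
HARDENED_CONFIG = """
cluster.name: demo
network.host: ["_local_", "10.0.1.5"]   # hypothetical private address
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = check_elasticsearch_config(cfg)
        print(f"{name}: {worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.setting}: {f.message}")
```

The hardened sample still earns a "warn" because it deliberately listens on a private interface; the point of the check is that a reachable bind address is only a problem on its own when authentication is off, which is exactly the assumption of security Kennefick describes. The parser is intentionally minimal; a real pipeline would load the file with a YAML library and run the same two checks on the resulting mapping.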
The full details, including what attack methods were used and what attackers attempted to do with the data, can be found in this blog: