Criminals, activists and nation states are snooping around your organization looking for security vulnerabilities, and if it’s not them then you have to worry about disgruntled insiders with an axe to grind. But the truth is that one of the biggest threats is well-meaning employees who don’t follow — or know — the security rules.
Another example came to light this week with the discovery by security researcher and reporter Bob Diachenko of a misconfigured MongoDB server on Amazon apparently used by staff of data management company Veeam Software. Using the Shodan search engine Diachenko came across the database on Sept. 5. It was “publicly searchable and wide open” until Sept. 9th, when, after several notification attempts to Veeam by him and a reporter from TechCrunch, it was secured.
UPDATE: Veeam co-CEO Peter McKay apologized online for the incident. “Unfortunately, this week, we had an incident where one of our marketing databases was mistakenly left visible to unauthorized third parties … During some maintenance of our network, this single marketing database containing marketing records (that may include names, e-mail addresses and IP addresses) was left visible and exposed due to human error. While the database was not easily accessible, it was visible to unauthorized third parties. Once we validated the issue, we took immediate action to properly secure the database. While it has been reported that there were 440 million e-mail records, many of these were duplicates or multiples of the same e-mails, and upon review, there were approximately 4.5 million unique e-mail addresses. I can assure you there was no sensitive information as Veeam does not collect sensitive personal information from its customers, prospective customers or partners. It is extremely unfortunate that the news reported without accurate facts; while time is of the essence for a reporter, what was important for us was to thoroughly research the incident and provide accurate information to our customers, partners and prospective customers.”
The 200-GB database included customer information apparently used by a marketing team. Diachenko said it held over 445 million records dating from 2013 to 2017, including customers’ first and last names, email addresses, email recipient type (end-customer or partner), country, attribute values (which in some cases included IP address, referrer URL, user agent and so on), and general customer organization size.
“Even taking into account the non-sensitivity of data, the public availability of such large, structured and targeted dataset online could become a real treasure chest for spammers and phishers,” wrote Diachenko.
News stories about misconfigured and publicly available MongoDB databases aren’t hard to find. In January 2017 security researchers discovered that about 27,000 MongoDB databases had been erased and held for ransom.
Securing the configuration of software and hardware is one of the basic security controls listed by the Center for Internet Security. And the only way to do that is through “a rigorous configuration management and change control process.”
True, it’s easier when all assets are under the control of the IT department to have a small group of people oversee all corporate hardware and software. It’s harder in an era when any staff member can open a server or storage on a cloud service and dump in customer data. However, regular security awareness and rules on when and how to use external storage have to be created and enforced.
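The exposure pattern in this story, a MongoDB instance reachable from the internet with no authorization enabled, is exactly the kind of thing a configuration management process should catch before a server goes live. As an added illustration (not code from the article, from Veeam, or from MongoDB itself), the script below audits a mongod.conf-style configuration for that pattern. It reads the real MongoDB option names (`net.bindIp`, `net.bindIpAll`, `security.authorization`) from a configuration already parsed into a Python dict; the two sample configurations are constructed for this example, as are the finding strings.

```python
"""Audit a parsed mongod.conf for the "open to the world, no auth" pattern.

Example code added to the article, not MongoDB's or Veeam's own tooling.
The config is passed in as a dict with the same nesting as the YAML file
(e.g. yaml.safe_load(open("/etc/mongod.conf"))); parsing is left to the
caller so this runs with the standard library alone.
"""

# Addresses that only local processes can reach.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Values that bind mongod to every interface on the host.
WILDCARD = {"0.0.0.0", "::", "*"}


def bind_addresses(conf):
    """Return the list of addresses mongod would listen on.

    MongoDB 3.6+ defaults bindIp to localhost when the option is absent;
    bindIpAll: true overrides bindIp and listens everywhere.
    """
    net = conf.get("net") or {}
    if net.get("bindIpAll"):
        return ["0.0.0.0"]
    raw = net.get("bindIp", "127.0.0.1")
    addrs = raw if isinstance(raw, list) else str(raw).split(",")
    return [a.strip() for a in addrs if a.strip()]


def authorization_enabled(conf):
    """True only if security.authorization is explicitly 'enabled'.

    When the key is missing, mongod runs without access control, so an
    anonymous client gets full read/write access to every database.
    """
    sec = conf.get("security") or {}
    return str(sec.get("authorization", "disabled")).lower() == "enabled"


def audit(conf):
    """Return a list of findings; CRITICAL entries mean the data is exposed."""
    findings = []
    addrs = bind_addresses(conf)
    public = [a for a in addrs if a not in LOOPBACK]

    if any(a in WILDCARD for a in addrs):
        findings.append(
            "CRITICAL: bound to all interfaces (bindIp wildcard or bindIpAll)")
    elif public:
        findings.append(
            "INFO: bound to non-loopback address(es): " + ", ".join(public)
            + " (confirm network ACLs limit who can reach them)")

    if not authorization_enabled(conf):
        # No auth on a loopback-only listener is still a weakness, but it is
        # not reachable from Shodan; on a public listener it is the story above.
        level = "CRITICAL" if public else "WARNING"
        findings.append(
            f"{level}: security.authorization is not 'enabled' "
            "(anonymous clients get full access)")
    return findings


def is_exposed(conf):
    """Single yes/no answer suitable for a change-control gate."""
    return any(f.startswith("CRITICAL") for f in audit(conf))


# Constructed sample configurations for this example.
EXPOSED_CONF = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    # no 'security' section: authorization defaults to disabled
}

HARDENED_CONF = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5"},
    "security": {"authorization": "enabled"},
}

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}] exposed={is_exposed(conf)}")
        for finding in audit(conf):
            print("  -", finding)
```

Run as a pre-deployment check, `is_exposed()` gives the change-control process a hard stop, while the full `audit()` output belongs in the change ticket so the reviewer sees why a configuration was rejected. The same two questions (which interfaces, and is authorization on) are the first things to verify when an asset like the one in this story turns up in a Shodan result.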
Editor’s note: This story was updated from the original to include comments from Veeam’s co-CEO.