Security researchers who this month issued alerts on ransomware attacks on insecure MongoDB and Elasticsearch clusters are now warning organizations running Hadoop their clusters may be the next targets of attackers.
Why? Because they’re easy to get at.
“It looks like 2017 is the year the all low-hanging fruit (open systems) will be saved just in time or perish by ransom attacks,” Victor Gevers of the GDI Foundation, a Dutch non-profit working for an open and secure Internet, said in an email.
An open source distributed file system designed to store very large files across multiple servers that comes with an analysis engine, Hadoop has been adopted by cost-conscious organizations to handle Big Data problems. Two of the biggest distributions come from Cloudera and Hortonworks. Amazon runs its own version, Elastic MapReduce (EMR), on its Elastic Cloud Compute (EC2) infrastructure.
But not all enterprise implementations are secure. In fact, a warning note released by Gevers and his colleagues reminds administrators that Hadoop’s default Web interface settings have security and safemode turned off.
“The default installation for HDFS Admin binds to the IP address 0.0.0.0 and allows any unauthenticated user to perform super user functions to a Hadoop cluster,” says the warning. “These functions can be performed via a web browser, and do not prevent an attacker from destructive actions. This may include destroying data nodes, data volumes, or snapshots with TBs of data in seconds.”
As a recent article on Datanami.com pointed out, some organizations just dump log data into Hadoop data lakes for analysis without thinking whether it could include sensitive information. That’s why some experts quoted believe improving the security of a long-term data storage, including data classification, encryption and obfuscation, will increase in 2017.
Gevers estimates there are just over 5,300 Internet-facing Hadoop implementations. It isn’t known how many aren’t secure.
The GDI Foundation offers this advice for securing Hadoop, largely pulled from Apache:
- Ensure Security is on.
- Turn Hadoop Safemode on.
- Turn of service level authentication.
- Apply network filtering for or let firewall rules block port 50070 to untrusted IPs.
- Add a free IAM control and network segmentation with an OpenVPN solution.
- Implement a reverse proxy, such as Knox, to aid in preventing unauthorized access and manage connectivity to Hadoop.