Technology
Products
Industries
News
Events
Resources
Company
English
Technology
Products
Industries
News
Blog
Events
Resources
Company

Trusting the cloud: Unencrypted data upload by government body

Max Heinemeyer, Director of Threat Hunting | Monday July 16, 2018

Managing misconceptions

As the market increasingly moves to the next wave of computing models, over 90% of organizations are expected to adopt hybrid infrastructures by 2020. This move to the cloud brings undeniable benefits for most organizations - from start-ups looking for minimal up-front costs to large organizations striving to boost efficiency, scale on demand, and benefit from constant availability of services and increased agility.

Alongside this growth, the challenge of securing critical data in the cloud has taken on a new dimension. As internal servers are so commonly affected by malware infections or insider threats, there exists a common misconception that the data stored within the cloud is somehow more secure than the data resting on company fileservers. However, this is not necessarily the case – the information stored on cloud infrastructure may be just as (un)safe as any other corporate data store.

Much of this risk comes from the misconception of the network position of cloud servers themselves. Although rented out for use by the company and used every day as part of fundamental business purposes, connections to cloud servers (if not facilitated by a VPN or other strong encrypted channels) cross the perimeter of the network and traverse the public internet. This means that data uploaded to and from the cloud is a prime target for man-in-the-middle attacks, carried out by opportunistic actors hoping to sniff usernames, passwords, and other sensitive details that they could then leverage for direct corporate data theft.

The reality is that while organizations can outsource their IT services, they cannot outsource their security function altogether. In fact, protecting the cloud comes with its own challenges, with most of the existing native security controls and third-party security solutions suffering from significant limitations.

Customer use case

A city government in the United States had outsourced the storage of SQL databases to a cloud storage provider. However, it had not interrogated the protocols that the server by default employed to upload and download information. Addresses, phone numbers, vehicle registration plate numbers: the city government was uploading it all to the external database via unencrypted connections. This highly sensitive data was intended for limited access by select employees within the city government, but the security oversight had made the data available to any attacker clued-up enough to park themselves on the perimeter of the network and collect the data-rich MySQL packets that came their way.

Sample of the plain text containing sensitive data.

Darktrace Cloud detected an unusual SQL connection to a rare external IP from a desktop device within the company. This communication was verified as being SQL-related via packet capture, which then revealed the sensitive public data.

The customer was unaware of this vulnerability, which remained under the radar of its entire security stack. An attacker could easily exploit it to gather material for spear phishing attacks or potentially even identity fraud.

Conclusion

In order to reduce risk and identify atypical or suspicious behavior, full visibility of all cloud services is critical, as hosting data on external servers can create dangerous blind spots and introduce subtle threats that circumvent traditional signature-based tools.

Already over 500 Darktrace customers use Darktrace Cloud to defend cloud environments and SaaS applications, including AWS, Microsoft Azure, Salesforce, and Google Cloud Platform. Darktrace provides businesses with fundamental visibility and real-time threat detection across their entire distributed infrastructures. Through the power of unsupervised machine learning, businesses are now able to confidently tackle the potential risks of data leakage and man-in-the-middle attacks that can affect cloud users.

Max Heinemeyer

Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max oversees global threat hunting efforts, working with strategic customers to investigate and respond to cyber-threats. He works closely with the R&D team at Darktrace’s Cambridge UK headquarters, leading research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. When living in Germany, he was an active member of the Chaos Computer Club. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.