Improvements to cloud services rendered irrelevant by misconfigured and outdated tech

Organizations worldwide are inadvertently exposing 2.3 billion documents due to misconfigured systems, cloud storage services, and a reliance on legacy technologies, a study has warned.

This is an increase of 50% over the last 12 months, warns threat intel firm Digital Shadows, which conducted the same exercise last year and found just 1.5 billion exposed files globally.

Around one billion of the documents were from the EU countries, 262 million more than last year, according to the study (register to download PDF), which ran from April 2018 to May 2019.

This could be an indicator that the tougher data protection regulations introduced through GDPR have failed to improve some aspects of poor practices.

The exposed files studied by the team included passport data, bank records, and medical information, the exposure of which increases the risk of identity theft, ransomware attacks, and more.

The misconfiguration of commonly used file storage technologies is the main cause for the high number of exposed documents.

Nearly 50% of the files (1.1 billion) were exposed via the Server Message Block protocol – a file sharing technology first introduced in the 1980s.

Other misconfigured technologies observed in the study include FTP services (20% of total), rsync (16%), Amazon S3 buckets (8%), and Network Attached Storage devices (3%).

Security researcher Bob Diachenko agreed with Digital Shadows’ assessment that global data protection practices are going to hell in a handcart.

“Things are getting worse, it is a plague of our times,” Diachenko told The Daily Swig. “We need to vaccinate-educate common users, not CISOs and IT guys, to stop this from spreading.”

Medical ills

As well as increased data protection issues, these exposed systems pose an increased malware infection risk.

More than 17 million leaked files have been encrypted by ransomware since April 2018, two million by the recently discovered ‘NamPoHyu’ strain.

Businesses may well be blissfully unaware of these infections in many cases, according to Digital Shadows.

For example, the researchers found an open FTP server containing everything a would-be criminal would need to carry out identity theft scams, including job applications, personal photos, passport scans, and bank statements.

The team also found 4.7 million exposed medical-related files, the majority of which were DICOM (DCM) medical imaging files, including x-rays and other health-related scans.

While overall file exposure has increased, Digital Shadows’ Photon Research Team reported a sharp decline in data exposed by Amazon S3 buckets, possibly as a result of tighter default security controls introduced by AWS in November 2018.

The launch of Amazon S3 Block Public Access has meant that exposed files on S3 storage have decreased from 16 million to just 1,895 open buckets in little over six months.

Harrison Van Riper, photon research analyst at Digital Shadows, commented: “Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant.

“Countries within the European Union are collectively exposing over one billion files – nearly 50% of the total we looked at globally – some 262 million more than when we looked at last year.

“Some of the data exposure is inexcusable – Microsoft has not supported SMBv1 since 2014, yet many companies still use it. We urge all organizations to regularly audit the configuration of their public facing services.”

The Digital Shadows study, entitled ‘Too Much Information: The Sequel’, which offers an overview of the problem as well as suggested remedies, was released on Thursday.

A blog post from Digital Shadows summarises the research and its main findings.

Why the increase in data exposure? Van Riper commented: “It is surprising to see such a large increase in such a short amount of time, indicating that the issue of inadvertent data exposure is not one to be taken lightly

“The reasoning behind the increase is difficult to say, as data privacy has been a hot issue on everyone’s mind and there’s a lot of really god work going on to try and contain the seas of information being exposed. However, the fact is that businesses are continuing to expand their footprint online, beyond their own networks and, more importantly, their own storage devices.

“The same kinds of access controls and safeguards that businesses put on their own data within their networks should be implemented on those systems existing outside as well,” he added.