The 2019 Cloud Security Report highlights what is and what is not working for security operations teams in securing their cloud data, systems, and services in this shared responsibility model. The results are a continuation of past challenges:
- The top cloud security concern of cybersecurity professionals is data loss and leakage (64%).
- Unauthorized access through misuse of employee credentials and improper access controls (42%) takes the number one spot in this year’s survey as the single biggest perceived vulnerability to cloud security, tied with insecure interfaces and APIs (42%). This is followed by a misconfiguration of the cloud platform (40%).
- The top two operational security headaches SOC teams are struggling with are compliance (34%) and lack of visibility into infrastructure security (33%).
Overall, the findings in this report emphasize that security teams must reassess their security posture and strategies and address the shortcomings of legacy security tools to protect their evolving IT environments.
CLOUD SECURITY INCIDENTS:
One in four organizations (28%) confirmed they experienced a cloud security incident in the past 12 months. This rise in observed cloud security incidents (compared to last year’s survey) further serves to support the increased security concerns related to the adoption of cloud computing. Data exposure (27%) tops the list of incidents, followed by malware infections (20%) and compromised accounts (19%).
CLOUD SECURITY CONCERNS:
Although cloud providers offer increasingly robust security measures, customers are ultimately responsible for securing their workloads in the cloud. The top cloud security challenges highlighted in our survey are about data loss (64%) and data privacy (62%). This is followed by compliance concerns (39%) tied with concerns about accidental exposure of credentials (39%).
BIGGEST CLOUD SECURITY THREATS:
Unauthorized access (42%) and insecure interfaces (42%) take the number one spot in this year’s survey as the single biggest vulnerability to cloud security. This is followed by the misconfiguration of the cloud platform (40%) and hijacking of accounts (39%).
BARRIERS TO CLOUD ADOPTION:
Despite all its benefits, cloud computing is still not without challenges. Data security (29%) and general security risks (28%) combined with lack of budget (26%), compliance challenges (26%) and lack of qualified staff (26%) top the list of barriers to faster cloud adoption.
*Source: Cybersecurity Insiders
- The number of data breaches resulting in exposed records is up by 54% year over year in the first half of 2019, and the number of records exposed in those breaches is up by 52%.
- More than 3,800 data breaches were reported in the first six months of this year, and just eight of those exposed more than 3.2 billion records, nearly 80% of all records exposed so far in 2019.
- The largest involved the first-quarter release of nearly a billion names, email addresses and other personally identifiable information from Verifications.io, a firm that verifies or approves email addresses for third-party customers. The leaked records were the result of leaving a database unsecured and accessible to just about anyone who wanted a peek. The good news is that no passwords or Social Security numbers were included in the breached data.
- The second-largest breach so far in 2019 was the second-quarter exposure of personal data in 885 million records related to real estate transactions at First American Financial.
- The third-largest involved 540 million Facebook users’ data exposed due to a misconfigured database managed by Mexico-based Cultura Colectiva.
*Source: 247wallst, August 15, 2019
- The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, was discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defense contractors and banks.
- Suprema is the security company responsible for the web-based Biostar 2 biometrics lock system that allows centralized control for access to secure facilities like warehouses or office buildings. Biostar 2 uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings.
- In a search last week, the researchers found Biostar 2’s database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.
- The researchers had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.
- The researchers said the sheer scale of the breach was alarming because the service is in 1.5m locations across the world and because, unlike passwords being leaked, when fingerprints are leaked, you can’t change your fingerprint.
- Suprema’s head of marketing, Andy Ahn, told the Guardian the company had taken an “in-depth evaluation” of the information provided by vpnmentor and would inform customers if there was a threat.
*Source: theguardian, August 14, 2019
- Facebook is facing questions from Ireland’s data protection watchdog — the agency that oversees the company’s privacy standards across the European Union — about why it allowed outside contractors to listen and transcribe people’s audio chats through Facebook’s platforms.
- Facebook said that such activities are permitted because people had opted into having their conversations recorded. It is unclear if this consent was sufficient cover to allow the company to transcribe the audio material under Europe’s data protection rules, known as the General Data Protection Regulation, or GDPR.
- Under Europe’s data protection rules, companies can face up fines of up to 4 percent of their annual revenue if they are found to have broken privacy standards. The company was also recently fined €5 billionby U.S. authorities over privacy violations.
*Source: politico.eu, August 14, 2019
- The data breach resulted in the information of 825,000 Delta Airlines customers being exposed.
- Subsequently, the airline is filing a lawsuit against the Philippines-based vendor, claiming that its poor security and its weak password led to the breach.
- According to the lawsuit filed in the U.S District Court for the Southern District of New York, the vendor took nearly 6 months to disclose the breach, and when it was disclosed it had been done via LinkedIn instead of contacting Delta directly as required by their contract.
- From the breach, the hacker could have scraped the names, addresses, and credit card details of up to 825,000 US customers, which causes many issues. However it is unknown if the customer data has been misused.
- In the lawsuit, Delta Air Lines state that it wants to regain the “millions of dollars” it had spent investigating the breach, notifying its customers and paying for free credit monitoring products for impacted passengers.
*Source: gdpr.report, August 20, 2019
- The Swedish Data Inspection Authority said it has imposed its first penalty for breach of GDPR, to a school in Skelleftea that had been trialing facial recognition to register pupil attendance. The authority scrutinized the three-week pilot 22 pupils and found that the school board’s handling of personal information did not comply with GDPR. The fine amounts to SEK 200,000.
- The maximum penalty that the authority could impose is SEK 10 million. The Data Inspection Authority lawyer Ranja Bunni said the school had claimed the pupils had consented to participate in the trial but this was not acceptable as the pupils were in a dependent position to the board.
- The authority said the pilot involved camera surveillance of pupils in their everyday environment and that this was an intrusion of their privacy. It said ascertaining attendance can be done in other ways, which are less invasive the facial recognition.
*Source: telecompaper, August 21, 2019
- Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password.
- Cybersecurity expert Mossab Hussain of Dubai-based SpiderSilk discovered the exposed server. He informed TechCrunch of his discovery almost immediately. The server contained about 161 million records, most of which consisted of automatic logs for maintenance. However, it also contained 58,000 MoviePass customer cards.
- In the exposed database, actual credit card details including credit card numbers, expiration dates, and billing addresses also became exposed. Above all, hackers could easily use the information exposed to enact fraudulent purchases. Some of the cards received protection through masking (only exposing the last four digits). Others did not receive such protection.
- Additionally, Mr. Hussain and TechCrunch discovered the server would store email addresses and failed login attempts in real-time. This information remained exposed and unencrypted.
- When identity security experts discuss customer identity and access management (CIAM), they usually do so in comparison to traditional IAM. For example, CIAM needs to balance security and convenience far more than traditional IAM; customers demand a smooth user experience and faster authentication procedures than employees. Granted, experts report customers tend to abandon their digital carts with unpleasant customer identity experiences.
- However, CIAM must incorporate identity security as well as convenience. Enterprises have a responsibility to securely store your customers’ personally identifiable information (PII) as a consumer-facing business. In fact, because CIAMmust provide the option for less secure logins and maintained sessions, it should emphasize stronger password hashing and storage capabilities. Additionally, it should secure the customer environment whether on-premises or cloud-based.
- Kevin Gosschalk the CEO ofArkose Labs stated that “Companies must realize that digital commerce is built on data and convenience. Far too often data breaches occur due to companies leaving their databases unprotected, as witnessed last week with the first biometric database breach. Unfortunately, MoviePass suffered a breach because of the same severe lapse of security”.
*Source: techcrunch, August 21, 2019