Preventing Security Breaches Within Company Search Applications

Far too many organizations found their names in headlines during the first month of 2019. Many came after a security researcher discovered a trove of Elasticsearch database misconfigurations that left data exposed without passwords.

In one of the more recent revelations, the State Bank of India failed to secure a server, leaving millions of customer account balances exposed. The server was not password protected. The news had barely gone live before another incident came to light, in which a security researcher Oliver Hough discovered a server security lapse also exposing a massive database of customer information belonging to the IT security and cloud data management company, Rubrik.

Again, the exposed server wasn’t protected with a password, leaving the data accessible to anyone who knew where to find the server. Whether it was financial account information, online bets or internship applications, the major data exposures revealed have illustrated the importance of protecting servers.

“While sophisticated attacks may grab headlines, these types of misconfigurations can definitely be as impactful to the bottom line, if not more,” said Tim Erlin, VP, product management and strategy at Tripwire. “This wasn’t a sophisticated attack by a well-funded nation-state adversary. It was a misconfiguration, a mistake.”

The People Problem

In a world where most information technology infrastructure, particularly in financial institutions, is at risk of a cyberattack, it is confounding to see this continued barrage of data breaches caused by misconfiguration and administrative error.

While enterprises may be investing in the right security solutions, these exposures happened because security was not prioritized or the result of not having the ability to see into complex cloud environments, said Balaji Parimi, CEO, CloudKnox Security.

“Enterprises need to better understand which employees have the privileges that can lead to these types of errors, and they need to proactively manage those privileges to shrink their risk exposure.”

A Security-first Mindset

Elasticsearch is an open source model that anyone can download, and part of its popularity is a function of its affordability combined with the fact that it is easy to get up and running. Because security doesn’t come out of the box or off the shelf with open source, companies need to do a lot of work adding layers to create the security they need, which mandates some technical oversight to make sure all necessary controls are being taken into account. In the end, the cost isn’t going to be free when you start factoring in these added layers of security.

“Security hasn’t been focused on from a core competency perspective. Instead, users can get packaged security as an add-on, which often falls off the checklist of things to think about,” said Will Johnson, CTO, Attivio.

Doing security with search is difficult to do efficiently because every application needs to be secured, which is why Johnson said the first step in taking a security mindset is making sure you have an understanding of the the security model and have all of the requirements written down.

“You need to make conscious choices about what security you need to have and know what is required by regulators and the business. Understand and document those requirements, and then choose the technology that supports them,” Johnson said.

Open source can be made secure, but you need to know what you are getting into when it comes to compliance, operational and legal controls. All of those controls require that you have a testing process to validate security from an end-to-end standpoint.

Reduce Risk Exposure

Misconfigurations in search applications seem to be an ongoing trend stemming from a lack of focus on security, and there is no one-and-done solution when it comes to security. According to Anthony James, chief strategy officer at CipherCloud: “The best practice for the protection of both on-premises and cloud based data is the use of encryption. If the data was encrypted there would be no breach.”

Not using encryption is definitely a security lapse, but there are several security oversights that lead to vulnerabilities. These vulnerabilities are rarely malicious, nor are they a single misstep. In addition to not using password protection or encryption, search vulnerabilities can also be the result of a lack of visibility into what people are doing in extremely complex environments, said Balaji Parimi, CEO of CloudKnox Security.

“Until enterprises can better understand which identities have the privileges that lead to these vulnerabilities and can proactively manage those privileges to reduce risk exposure, we will continue to see these breaches impact businesses,” Parimi noted.

Regardless of the misconfiguration or authentication error, the end result is the same, leaving far too many databases exposed. To mitigate these risks that are becoming all too common, Erlin said, “Organizations need to be able to detect and remediate misconfigurations, period. This is highly sensitive data that was exposed to anyone willing to look for it. Moving data and applications to the cloud doesn’t magically absolve an organization of its security responsibilities.”

Featured eBook
7 Reasons Why CISOs Should Care About DevSecOps

7 Reasons Why CISOs Should Care About DevSecOps

DevOps is no longer an experimental phenomenon or bleeding edge way of delivering software. It’s now accepted as a gold standard for delivering software. It’s time for CISOs to stop fearing DevOps and start recognizing that by embedding security into the process they’re setting themselves up for huge potential upsides. Download this eBook to learn ... Read More
Security Boulevard
Kacy Zurkus

Kacy Zurkus

Kacy Zurkus is a cybersecurity and InfoSec freelance writer who has contributed to several publications including Medium, CSO Online, The Parallax, InfoSec Magazine and K12 Tech Decisions. She covers a variety of security and risk topics. She has also self-published a memoir, "Finding My Way Home: A Memoir about Life, Love, and Family" under the pseudonym "C.K. O'Neil." Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she's also spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.

kacy-zurkus has 45 posts and counting.See all posts by kacy-zurkus