Preventing Security Breaches Within Company Search Applications

Far too many organizations found their names in headlines during the first month of 2019. Many came after a security researcher discovered a trove of Elasticsearch database misconfigurations that left data exposed without passwords.

In one of the more recent revelations, the State Bank of India failed to secure a server, leaving millions of customer account balances exposed. The server was not password protected. The news had barely gone live before another incident came to light, in which a security researcher Oliver Hough discovered a server security lapse also exposing a massive database of customer information belonging to the IT security and cloud data management company, Rubrik.

AWS Builder Community Hub

Again, the exposed server wasn’t protected with a password, leaving the data accessible to anyone who knew where to find the server. Whether it was financial account information, online bets or internship applications, the major data exposures revealed have illustrated the importance of protecting servers.

“While sophisticated attacks may grab headlines, these types of misconfigurations can definitely be as impactful to the bottom line, if not more,” said Tim Erlin, VP, product management and strategy at Tripwire. “This wasn’t a sophisticated attack by a well-funded nation-state adversary. It was a misconfiguration, a mistake.”

The People Problem

In a world where most information technology infrastructure, particularly in financial institutions, is at risk of a cyberattack, it is confounding to see this continued barrage of data breaches caused by misconfiguration and administrative error.

While enterprises may be investing in the right security solutions, these exposures happened because security was not prioritized or the result of not having the ability to see into complex cloud environments, said Balaji Parimi, CEO, CloudKnox Security.

“Enterprises need to better understand which employees have the privileges that can lead to these types of errors, and they need to proactively manage those privileges to shrink their risk exposure.”

A Security-first Mindset

Elasticsearch is an open source model that anyone can download, and part of its popularity is a function of its affordability combined with the fact that it is easy to get up and running. Because security doesn’t come out of the box or off the shelf with open source, companies need to do a lot of work adding layers to create the security they need, which mandates some technical oversight to make sure all necessary controls are being taken into account. In the end, the cost isn’t going to be free when you start factoring in these added layers of security.

“Security hasn’t been focused on from a core competency perspective. Instead, users can get packaged security as an add-on, which often falls off the checklist of things to think about,” said Will Johnson, CTO, Attivio.

Doing security with search is difficult to do efficiently because every application needs to be secured, which is why Johnson said the first step in taking a security mindset is making sure you have an understanding of the the security model and have all of the requirements written down.

“You need to make conscious choices about what security you need to have and know what is required by regulators and the business. Understand and document those requirements, and then choose the technology that supports them,” Johnson said.

Open source can be made secure, but you need to know what you are getting into when it comes to compliance, operational and legal controls. All of those controls require that you have a testing process to validate security from an end-to-end standpoint.

Reduce Risk Exposure

Misconfigurations in search applications seem to be an ongoing trend stemming from a lack of focus on security, and there is no one-and-done solution when it comes to security. According to Anthony James, chief strategy officer at CipherCloud: “The best practice for the protection of both on-premises and cloud based data is the use of encryption. If the data was encrypted there would be no breach.”

Not using encryption is definitely a security lapse, but there are several security oversights that lead to vulnerabilities. These vulnerabilities are rarely malicious, nor are they a single misstep. In addition to not using password protection or encryption, search vulnerabilities can also be the result of a lack of visibility into what people are doing in extremely complex environments, said Balaji Parimi, CEO of CloudKnox Security.

“Until enterprises can better understand which identities have the privileges that lead to these vulnerabilities and can proactively manage those privileges to reduce risk exposure, we will continue to see these breaches impact businesses,” Parimi noted.

Regardless of the misconfiguration or authentication error, the end result is the same, leaving far too many databases exposed. To mitigate these risks that are becoming all too common, Erlin said, “Organizations need to be able to detect and remediate misconfigurations, period. This is highly sensitive data that was exposed to anyone willing to look for it. Moving data and applications to the cloud doesn’t magically absolve an organization of its security responsibilities.”

Kacy Zurkus

Avatar photo

Kacy Zurkus

Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she's also spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.

kacy-zurkus has 62 posts and counting.See all posts by kacy-zurkus