60,000 DoD Files Found in AWS S3
The website darkreading.com reported on an incident this week: the defense contractor Booz Allen Hamilton had been storing 60,000 DoD documents, roughly 28GB of data, in AWS’s S3 object storage service, and the data included several unencrypted passwords belonging to government contractors. Those credentials could have been used to reach further repositories.
The good news is that the data was found by a security researcher rather than a malicious actor. The event highlights how important it is to have your security and infrastructure teams working together. There are two general ways this exposure could have happened:
Booz could have left the S3 bucket completely unprotected (this seems unlikely)
The S3 bucket could have been set with the “authenticated users” permission set (more likely)
The problem with this S3 permission is that “authenticated users” does not mean authenticated users from your organization; it means every authenticated AWS user. In the bucket ACL this is the predefined group AuthenticatedUsers (URI http://acs.amazonaws.com/groups/global/AuthenticatedUsers), and every AWS account in the world is a member. So if I’m signed in to my own AWS account and know (or guess; bucket names are global) the bucket name, I can list and read another organization’s bucket even though I’m not part of that organization.
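To make that difference concrete, here is an added example (not code from the original post, nor from Booz Allen or AWS): a small audit function that flags S3 ACL grants made to the AWS-wide predefined groups, run over constructed ACL documents shaped like the output of boto3's get_bucket_acl, next to a bucket policy that scopes read access to one named account instead. The bucket name and account ID are placeholders; no AWS calls are made.

```python
"""Spot S3 ACL grants that reach beyond the owning account.

Added example, not the original post's code. The ACL dicts below are constructed
to mirror what boto3's s3.get_bucket_acl() returns; nothing here talks to AWS.
"""
from __future__ import annotations

import json

# Predefined S3 ACL groups. Neither is scoped to your organization:
# AllUsers is anyone on the internet, AuthenticatedUsers is any AWS account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
WORLD_GROUPS = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "any AWS account",
}


def world_grants(acl: dict) -> list[tuple[str, str]]:
    """Return (who, permission) for each grant to a predefined world-wide group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in WORLD_GROUPS:
            findings.append((WORLD_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def scoped_read_policy(bucket: str, account_id: str) -> dict:
    """Bucket policy granting list/read to one specific AWS account only.

    This is the replacement for an "authenticated users" ACL grant: the
    principal is a named account, not the AuthenticatedUsers group.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadForOnePartnerAccount",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
            }
        ],
    }


# --- constructed sample data (placeholder IDs, not real accounts or buckets) ---
OWNER_ID = "e" * 64  # canonical user IDs are 64 hex characters
OWNER_GRANT = {
    "Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID},
    "Permission": "FULL_CONTROL",
}

# The ACL an "authenticated users" grant produces: READ (bucket listing) for every AWS account.
ACL_AUTHENTICATED_READ = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        OWNER_GRANT,
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

# Corrected ACL: owner only. Cross-account access, if needed, goes in a bucket policy.
ACL_PRIVATE = {"Owner": {"ID": OWNER_ID}, "Grants": [OWNER_GRANT]}


if __name__ == "__main__":
    for name, acl in (("authenticated-read", ACL_AUTHENTICATED_READ), ("private", ACL_PRIVATE)):
        hits = world_grants(acl)
        print(f"{name}: {'EXPOSED' if hits else 'ok'} {hits}")
    print(json.dumps(scoped_read_policy("example-bucket", "111122223333"), indent=2))
```

Run against the two constructed ACLs, the first is reported as exposed to "any AWS account" with READ and the second is clean. A note for anyone checking buckets today: S3 Block Public Access treats a grant to AuthenticatedUsers as public and refuses it, and buckets created since April 2023 have ACLs disabled by default, so the bucket-policy form above is the only way to express cross-account access on them.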
This underscores a fundamental issue with InfoSec today: infrastructure and security teams are not communicating at the beginning of projects. If Booz had reached out to their AWS team and explained the requirements up front, this would have been a non-issue. In exchange for that transparency, security teams can’t be the roadblock. Security teams need to change their “you can’t do that” mentality to a “let us figure out how you can do that safely” mentality. It’s this kind of open communication from the business units that gives visibility into current projects, and a change in attitude by most security teams that fosters good will.
If you’re seeking to build a high-performing security organization, you can’t simply rely on products. Every organization has access to the same security tools; what organizations can do differently is change their behaviors.
What are some things that your organization does well to protect its digital footprint?