Organizations rely on various storage tools and technologies to provide online access to certain data. SMB, FTP, rsync, Amazon S3, and NAS drives are all used to make necessary files available to the people who need them. But the improper use of these technologies is exposing sensitive information and leaving those files vulnerable to attackers, according to a report released Thursday by Digital Shadows.
In the report entitled “Too Much Information: The Sequel,” Digital Shadows’ Photon Research Team discovered that 2.3 billion online files were exposed over the past year, largely due to the misconfiguration or misuse of different storage technologies and protocols. That number represents a 50% jump over the 750 million exposed files the firm detected for its 2018 study a year ago. Almost 50% of the files (1.071 billion) were exposed through the Server Message Block (SMB) protocol. Some 20% were exposed through FTP, 16% through rsync, 8% through Amazon S3 buckets, and 3% through network-attached storage (NAS) drives.
The misconfiguration issues have already resulted in real-world ramifications. More than 17 million of the exposed files have been encrypted by ransomware, 2 million of which were impacted by the NamPoHyu variant, according to Digital Shadows. A small IT consulting company in the UK was discovered exposing 212,000 files with password lists in plain text, with many of those files belonging to clients.
Further research by Digital Shadows found an open FTP server that contained job applications, personal photos, passport scans, and bank statements, all of which could be harnessed to conduct identity theft. The Photon Research Team also uncovered 4.7 million exposed medical-related files, such as DICOM (DCM) medical imaging files, X-Rays, and other health-related imaging scans.
Such exposure not only puts customers and other users at risk, but places organizations in breach of GDPR regulation, which can lead to significant fines.
To protect against the exposure of sensitive data through various storage technologies, Digital Shadows offers five recommendations:
1. Use Amazon S3 Block Public Access
Introduced in November 2018, Amazon S3 Block Public Access limits the public exposure of files in an Amazon S3 bucket configured to be private. And it seems to be working, according to Digital Shadows’ findings. From detecting 16 million files exposed from S3 buckets in October 2018, the company now sees fewer than 2,000 such files exposed. Customers of Amazon S3 are also advised to enable logging through AWS to monitor for unwanted access or possible exposure points.
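Recommendation 1 in practice, as an added example that is not part of the Digital Shadows report or this article: a small Python audit that reads a bucket's ACL and its PublicAccessBlock settings, reports which of the four Block Public Access settings are missing, and says whether a public ACL grant is still effective. The sample ACL is constructed; the live fetch assumes boto3 is installed and AWS credentials are configured.

```python
# Audit an S3 bucket the way Block Public Access sees it: the four PublicAccessBlock
# settings plus the ACL grants that IgnorePublicAcls overrides. Inputs are constructed.
from typing import Dict, Iterable, List, Optional

# URIs AWS uses for the two "anyone" grantees in S3 ACLs.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# All four must be True for Block Public Access to fully apply.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
def public_acl_grants(grants: Iterable[dict]) -> List[str]:
    """Permissions the ACL hands to AllUsers or AuthenticatedUsers."""
    found = []
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            found.append(g["Permission"])
    return found
def missing_pab_settings(pab: Optional[dict]) -> List[str]:
    """Settings absent or False; a bucket with no PAB at all is missing all four."""
    pab = pab or {}
    return [k for k in PAB_KEYS if not pab.get(k, False)]
def assess_bucket(grants: Iterable[dict], pab: Optional[dict]) -> Dict[str, object]:
    """A public ACL grant is only effective while IgnorePublicAcls is off."""
    perms = public_acl_grants(grants)
    missing = missing_pab_settings(pab)
    return {"public_acl_permissions": perms,
            "missing_block_settings": missing,
            "exposed_via_acl": bool(perms) and "IgnorePublicAcls" in missing}
# Constructed sample: world-readable ACL, no Block Public Access configured.
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
def fetch_and_assess(bucket: str) -> Dict[str, object]:
    """Live check; assumes boto3 is installed and AWS credentials are configured."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    grants = s3.get_bucket_acl(Bucket=bucket)["Grants"]
    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as e:  # never configured: same as all four settings off
        if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None
    return assess_bucket(grants, pab)
```

Run `assess_bucket(SAMPLE_GRANTS, None)` to see the exposed case; pass a dict with all four keys set to True to see the hardened result.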
2. Disable SMBv1
Deprecated by Microsoft since 2014, SMBv1 is full of vulnerabilities. If SMB is needed for sharing files, organizations are advised to update to SMBv2 or v3. Further, IP whitelisting should be used so that only authorized systems can reach SMB-configured file shares, and companies should confirm that those systems are the only ones actually accessing them. The same advice holds true for securing Samba servers.
3. Disable port 837 for rsync
If rsync is only used internally, organizations should disable port 837 to prevent any external connections. Further, all communications to and from rsync storage should be encrypted to limit potential exposure points.
4. Use Secure FTP (SFTP)
Now more than 30 years old, FTP is a decidedly insecure way to transfer files. SFTP adds the Secure Shell (SSH) protocol to encrypt both the authentication information and the files themselves. Further, FTP servers are sometimes placed in a separate section of the network to allow for public access. But if public Internet access isn’t necessary for the stored files, then organizations should place these servers behind internal firewalls.
5. Put NAS drives behind the firewall
Network-attached storage (NAS) drives should be set up internally behind a firewall. Organizations should also implement access control lists to prevent unwanted access. Digital Shadows also recommends using a strong username and password to protect access to NAS drives.
“Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant,” Harrison Van Riper, a Photon Research analyst, said in a press release. “Countries within the European Union are collectively exposing over one billion files – nearly 50% of the total we looked at globally – some 262 million more than when we looked at last year. Some of the data exposure is inexcusable – Microsoft has not supported SMBv1 since 2014, yet many companies still use it. We urge all organizations to regularly audit the configuration of their public-facing services.”