CloudSOC CASB Gateway

The Competition’s Hidden Ace: Exposed Invoices via Cloud Apps 

08-16-2017 04:44 PM

The exposure of sensitive or compliance related documents in the cloud has become one of the primary data security threats that organizations face today. Leakage of these documents, intentional or otherwise, can be potentially disastrous for an organization and result in compliance fines, mitigation costs, and loss of customer trust. The problem is not specific to a single cloud app provider but can occur when using any file sharing app. Whether an exposure happens to just a handful of documents or millions, the damage can be severe. For instance, the loss of a single document containing a confidential business strategy can provide a significant edge to the competition, resulting in lost business opportunities and potential revenue.

Recently, the Symantec Cloud Threat Labs team discovered a number of invoice documents that were exposed via AWS S3 buckets. Due to responsible disclosure and ethical guidelines, we are not divulging the names of the involved businesses. These documents were publicly available and could be easily accessed and downloaded using a web browser. In an earlier blog, we discussed how globally accessible AWS buckets could lead to data exposure involving sensitive documents if not audited completely.

This incident highlights the importance of securing data in AWS buckets by restricting privileges.  Considering the competitive nature of service providers, disclosure of invoices could be very damaging to an organization if discovered by external parties. For example, one of the invoice documents reveals information about a firm’s consulting services, associated costs, and its Tax Identification Number (TIN) as shown below:

 

 

Figure 1: Invoice disclosing business consulting charges

 

 

Figure 2: Invoice disclosing service and product  costs

 

 

Figure 3: Invoice disclosing professional fees charged for a specific engagement

 

 

Figure 4: Invoice disclosing supply chain and delivery costs
 

If documents like the ones above were exposed, the results could be devastating from a business perspective. The potential repercussions of this exposure are clear, and below we list only a few that can damage the business and benefit the competition (or attackers):

  • Glean more information about the different types of services being offered.

  • Understand the different types of fees being charged by the company for specific services.

  • Collect sensitive information such as Tax Identification Number (TIN).

  • Understand the revenue generation model being followed by the company.

  • Underbid the company on RFPs to win projects.

Considering the above case studies, there are several points to ponder:

  • Are the documents being exposed by the business firms’ clients by mistake?

  • Are the documents being exposed by a malicious insider who wants to make the sensitive information public?

  • What would be the impact on the business if the documents were exposed and accessed by competitors?

  • Do the involved parties have a Cloud Access Security Broker (CASB) solution to monitor the activities in the cloud, analyze exposed content, and alert or remediate a business-sensitive exposure?


 As discussed earlier, exposure of sensitive documents in the cloud can have a substantial impact on the businesses irrespective of the sources and causes of the exposure. Considering the case discussed here, it shows how crucial it has become for an organizations to deploy to uncover and classify sensitive corporate data and then enable the organization to set policies around its use and sharing.

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

07-23-2019 03:46 AM

The problem is not specific to a single cloud app provider but can occur when using any file sharing app. Whether an exposure happens to just a handful of documents or millions, the damage can be severe. the exposure of sensitive documents regardless of where it's stored is has to be one of the primary data security threats that companys face. Robust processes and procedures are a must. Security is missing from the cloud for many companies out there. When it comes to the importance of Cloud security, there are no two ways about it.With so many recent breaches and technological attacks, maintaining security has become all the more important.

09-15-2017 10:57 AM

This will always be an issue unless encreption is implimented, I have heard of targeted attacks from friends of this very nature. Alarming but steps can be taken to help reduce the risk.

09-09-2017 11:05 PM

Storing sensitive data in the cloud is a no no.... security 101 sensitive or important data needs to be secured and shared only when needed. There's many applications that can assistance with protection, ask your friendly neighborhood Symantec sales representative.

09-06-2017 08:35 AM

I agree with many of the previous comments, as the cloud becomes more pervasive in our infrastructure, this sort of security breech will be more common. As pointed out in the article, invoices are usually something a non-IT employee may store in the cloud without further thought. However, the liability of having non-secured financial documents makes security such as Symantec's critical.

09-01-2017 09:47 PM

I think most of the comments here focus on file sharing sites and that wasn't the problem.  It was misconfigured AWS Storage, not a Dropbox or a OneDrive issue.  So I think the difference here is what type of storage you are using.  If it was a Dropbox or a OneDrive or Google Drive issue then things would be much bigger of a deal and a bigger problem.  It is just a misconfigured AWS site which is a big problem.

Anyways be care ful setting up your AWS storage

08-31-2017 03:40 PM

Employ encryption where possible. This goes for in transit and at rest. If you encrypt before it ever goes on a shared wired or cloud service you'll be good. That's assuming you use strong encryption.

08-31-2017 01:07 PM

This is very worrysome! Does the cloud provider take responsibility if there is a document data breach or do they blame the company for not securing the documents? Securing the documents as in obscuring confidential info or just all together encrypting the document. This could very well turn into a long list of blame game while the affected companies stands by. 

08-31-2017 07:03 AM

I think a lot of cloud based technology seems to be aimed at individuals rather than businesses so these tools either need to get simpler/more transparent in the security options you are setting OR companies need to ban the use of products that haven't been approved/test at least for storing sensitive data. Most of this stuff should be common sense really

08-30-2017 03:03 AM

Understanding what the cloud really is and the types of information that can be stored in the cloud is an important first step to securing your organization’s cloud presence. 

Cloud storage can be a safe way to store large amounts of data, as long as you’re aware of what to look for when it comes to security. 

When it comes to the importance of Cloud security, there are no two ways about it.

With so many recent breaches and technological attacks, maintaining security has become all the more important.

This article describes the risk immensely. Hope we all learn from this wonderful example.

Regards,

08-29-2017 10:19 PM

The article made me start thinking of the mobile device in my pocket, almost everyone has the smart device, we save photos, emails, payment, invoices on the device, but not everyone know a lot of their data are automatically restored in the mobile carrier's cloud or a third party cloud space, not all cloud spaces are securely protected. Nice to see that Symanec has thought and method to guard the information.     

08-29-2017 03:07 PM

Way to go Symantec, nice find! As always you're showing us why we need cloud security more than ever. It's hard to believe that people are still putting information out there without restricting privledges.

08-29-2017 01:44 PM

The problem here is that so many users of technology with cloud capabilities do not know how to correctly secure their data and therefore leave it exposed for anyone to peruse. This actually happened to a member of my family where a medical assessment was found "on the internet" for anyone to see. When contacted, the company had no idea at all how this had happened, and therefore no idea at all as to how to remove the document from the internet.  We need stronger protection worldwide that would force companies to remove such data or face an enormous fine equal to say half annual turnover. This would focus the attention of negligent companies and hopefully protect personal information that is going to be stored in the cloud increasingly in the future.

08-29-2017 12:15 PM

Good article and nice catch @Symantec!

I don't know who this company is, but I feel terrible for them...The lack of proper Cloud security and valuable knowledgable engineers are really the cause of issues like this.  There needs to be bigger/better initiatives for all companies to get better engineers and increase security measures...

08-29-2017 11:23 AM

This blog highlights the need for experience AWS/cloud security engineers. The potential damage a company can face due to data leakage is the exact reason why individuals need training and procedures need to be in place. I know my company has a dedicated team for dealing with the cloud infrastructure, this includes someone dedicated to security.

08-29-2017 09:47 AM

So it seems to me that two things need to happen.  1) people that set up these document storage / sharing services for their companies need to know what they are doing!  Sounds obvious but clearly there are training needs here if these mistakes keep happening. And 2) the interfaces and the underlying code need to get simpler, more intuitive and smarter.  It needs to be more difficult to make cockups like this and it needs to be able to warn and prompt stakeholders of the information a list of who, or what types of users, have access.

08-29-2017 07:31 AM

Interesting article about Cloud. It is a great lesson for everyone, security is not an option. It is really important to evaluate every time how data are managed and especially how is safe all sensitive information stored on the cloud.

Nice to read the following sentences :"The exposure of sensitive or compliance related documents in the cloud has become one of the primary data security threats that organizations face today. Leakage of these documents, intentional or otherwise, can be potentially disastrous for an organization and result in compliance fines, mitigation costs, and loss of customer trust. The problem is not specific to a single cloud app provider but can occur when using any file sharing app."

Thank you for sharing this article.

08-29-2017 06:52 AM

Security is missing from the cloud for many companies out there. It's about convenience and accessibility for them. I'm not sure that they fully understand the repercussions should their "protected" data get out but it seems it's a chance they're willing to take for sake of ease of use.

08-29-2017 06:48 AM

If you're going to store anything sensitive in the cloud you must first check it's robust and secure. Good article, certainly highlights the risks!

08-29-2017 06:41 AM

Always going to be an element of risk storing business sensitive documents off site. You certainly seem to loose an element of control adn put truct in your hosting provider. Interesting article, thanks.

08-29-2017 06:23 AM

I agree, the exposure of sensitive documents regardless of where it's stored is has to be one of the primary data security threats that companys face. Robust processes and procedures are a must. Thanks for the read.

08-29-2017 06:19 AM

As these platforms become more and more accessible, I can only see cases like this becoming all the more common. While the kind of cloud security systems that the blog mentions are a great way to control this, I would expect (hope?) that hosting companies like Amazon will eventually produce a more tailored product for this kind of use. It's secure at an infrastructure level but that doesn't prevent the user from using it incorrectly

08-29-2017 04:19 AM

Whoever set up the services on the 'Cloud' must always ensure they are secure before putting any data on them, and always test the settings, permissions, etc regularly.

You can't just do an 'set it up & forget' - this will not work at all. If it's left open, anyone can find it. And abuse it. Even blackmail!

Related Entries and Links

No Related Resource entered.