The evidence is clear — open infrastructure ports lead to security vulnerabilities. When AWS S3 buckets or SSH ports are left open, they can leave your organization at risk for security breaches.
For example, in July 2018, an open S3 bucket at a political autodial company, Robocent, exposed nearly 2,600 files relating to political campaigns. The leak included voter records containing sensitive information such as phone numbers, gender, and birth dates. The files were then indexed by GrayHatWarfare, which has a database of 48,623 open S3 buckets.
Leaks like Robocent’s highlight the need for organizations to maintain visibility into where data is located within their cloud infrastructure, as well as whether the storage system is risk-appropriate given the sensitivity of the information. It’s easy, but never acceptable, for a fast-growing or seasonal organization like this one to lose track of that risk over time.
It’s important to ensure that certain gateways into your infrastructure are password protected or are configured properly to prevent events like this from affecting your organization. That’s why, in this post, we’re highlighting how to find and remediate open infrastructure ports.
Leaving the Front Door Open to Attackers
Issues like wide open SSH and critical misconfigurations are responsible for some of the biggest exposures in the recent past (Verizon, Dow Jones, and the RNC). In a recent eye-opening study, Threat Stack found that 73% of companies have at least one critical security misconfiguration, such as remote SSH open to the entire internet. By “critical,” we mean configuration lapses that enable an attacker to gain access directly to private services or the AWS console, or that could be used to mask criminal activity from monitoring technologies.
What’s more, organizations are also neglecting basic security measures, such as enabling multi-factor authentication (MFA) and regularly updating and patching software vulnerabilities. Fewer than 13% of organizations analyzed were keeping software updates current, and 62% of organizations failed to enable MFA. This data shows that without knowing it, many companies are leaving the front door wide open to attackers — and putting highly sensitive data at risk in the process.
3 Tips for Finding and Fixing Misconfigurations
Security and Operations professionals need to share responsibility for configuring systems with security in mind from the outset, as well as finding and fixing misconfigurations on a consistent basis.
Here are three tips to help you ensure that you’re looking out for open infrastructure ports:
1. Conduct Regular Configuration Audits
Many organizations assume everything is fine, neglecting to conduct regular configuration audits. These audits, however, can make a large difference, alerting your team to open infrastructure ports and other misconfigurations. It’s essential that you establish an accurate baseline of security across your AWS infrastructure. Once you have a baseline, you can scan account configurations and compare them against best practices and policies for AWS and Center for Internet Security (CIS) benchmarks.
2. Leverage Data From AWS CloudTrail
AWS CloudTrail alerting is an important component of finding and fixing misconfigurations. CloudTrail automatically sends alerts about changes to instances, security groups, S3 buckets, access keys, and other changes. But be sure that you actually deploy this service in the first place! Why? Our research shows that AWS-native security services such as CloudTrail are not being deployed universally (27%) across all regions.
3. Mind Your Credentials
It may seem obvious, but you can ameliorate open infrastructure ports by relying on cybersecurity best practices around account security and credentials. That means using two-factor/multi-factor authentication, as well as rotating security credentials or making use of temporary credentials. These are basic security tenets, but many organizations neglect to keep their authentications in check, as evidenced by the recent Timehop breach, which was caused by an absence of two-factor authentication.
When It Comes to Ports, Knowledge is Power
The fastest way to fix a misconfiguration is to deal with it the moment it happens. If you can set up your configuration auditing tool of choice to alert you the moment a misconfiguration is detected, you can take action on it before it’s out on the internet for all to see.
Functionality like Threat Stack’s Configuration Audit uses CloudTrail monitoring to give visibility into any changes made associated with AWS configurations. Someone creates a security group that is wide open to the world? We’ll alert you. New IAM user created without MFA? We’ll alert you. It’s a powerful one–two punch: Configuration Audit will give you the snapshot, and CloudTrail monitoring allows you to keep up with your infrastructure and be alerted to misconfigurations in real time.
Threat Stack gives you contextual visibility to determine whether a misconfiguration has been exploited and what path the attacker used. With this level of information, you can not only fix the issue at hand, but avoid similar misconfigurations in the future.
Final Words . . .
The best course of action for dealing with infrastructure ports is prevention: Make sure they’re secure from day one as part of your organization’s ongoing, proactive security program. The next best step is to take actions that continuously search for and identify security issues throughout your infrastructure so you can take timely action to prevent or address problems.
If you’re interested in obtaining a better understanding of your organization’s security maturity, and what you can do to systematically improve your cloud infrastructure security practices, complete our free Cloud SecOps Maturity Assessment.