Shared Responsibility & Cloud Security: Someone Else’s Problem?

2-27-2023 (Monday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io

Today is Monday February 27th, and much of the country is getting an additional dose of winter - regardless of how much we might all want to see more signs of spring. Hang in there!

This week’s One Big Thing centers on a leak of Department of Defense emails in Microsoft Azure.

Let’s dive in.

“Shared Responsibility” and The Bystander Problem

News broke this week that the US Department of Defense had exposed a server hosting “about three terabytes of internal military emails, many pertaining to U.S. Special Operations Command, or USSOCOM, the U.S. military unit tasked with conducting special military operations.”

Worse - “a misconfiguration left the server without a password, allowing anyone on the internet access to the sensitive mailbox data inside using only a web browser, just by knowing its IP address.”

While this server is said to have not contained classified information, it certainly held sensitive information - including copies of the SF-86 background check form, containing sensitive PII and PHI on US special operators - the same type of form targeted by China in their hack on the Office of Personnel Management some years back.

Obviously, this data would be a bonanza for foreign military and intelligence services, but more than that, it's the kind of stumble we shouldn't be seeing in 2023, particularly out of Azure and Special Operations Command.

It’s unclear who deployed the server in question with this misconfiguration - likely a contractor, or even a sub-contractor or a complex network of subcontractors - but the problem is that this sort of thing shouldn’t happen in a FedRAMP or similarly secured cloud.

It should serve as a reminder that configurations are critical, and that awareness of the activity on the networks and systems you use to handle sensitive data is just as critical.

The final sentence of the article reads as follows:

“TechCrunch asked the Department of Defense if it has the technical ability, such as logs, to detect any evidence of improper access or data exfiltration from the database, but the spokesperson did not say.”

This isn’t uncommon - and makes investigations difficult, if not impossible. Without logs, we’ll likely never know how many times this data was accessed, from where, and how much, if any, was exfiltrated.
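As an added example (not from this post or the article it quotes), here is a small Python audit that flags the two failure modes described above: a server reachable from the internet without a password, and no access logs to investigate with afterwards. The resource fields and the sample records are constructed for illustration and do not represent Azure's real configuration schema.

```python
from dataclasses import dataclass, field

# Constructed resource model (assumption: not Azure's real schema).
@dataclass
class Resource:
    name: str
    public_endpoint: bool          # reachable from the internet by IP address
    auth_required: bool            # password / identity check enforced
    access_logging: bool           # access logs retained for later investigation
    allowed_cidrs: list = field(default_factory=list)

def audit(resource):
    """Return findings for one resource, most severe first. Empty list = clean."""
    findings = []
    exposed = resource.public_endpoint and "0.0.0.0/0" in resource.allowed_cidrs
    if exposed and not resource.auth_required:
        # The combination in the story: open to the internet AND no password.
        findings.append("CRITICAL: internet-reachable with no authentication")
    elif exposed:
        findings.append("HIGH: internet-reachable; restrict allowed_cidrs")
    elif not resource.auth_required:
        findings.append("HIGH: no authentication enforced")
    if not resource.access_logging:
        # Without logs nobody can say how often data was read or exfiltrated.
        findings.append("MEDIUM: access logging disabled; access cannot be reconstructed")
    return findings

def audit_all(resources):
    """Map each resource name to its findings, skipping clean resources."""
    return {r.name: audit(r) for r in resources if audit(r)}

# Constructed sample records: the weak setting beside the corrected one.
WEAK = Resource("mail-archive", public_endpoint=True, auth_required=False,
                access_logging=False, allowed_cidrs=["0.0.0.0/0"])
HARDENED = Resource("mail-archive", public_endpoint=False, auth_required=True,
                    access_logging=True, allowed_cidrs=["10.20.0.0/16"])

if __name__ == "__main__":
    for name, findings in audit_all([WEAK, HARDENED]).items():
        print(name, findings)
```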

At the same time, we’re finally seeing movement on Executive Order 13984, which “would require cloud providers like Google, Amazon and Microsoft to implement stricter measures to verify the identity of their users — what is often referred to as “know your customer” regulations.”

“We should not be a source of malicious cyber activity emanating out of the U.S. and affecting other countries any more than we would want to be the victim of malicious cyber activity emanating from their countries,” the official said.

Certainly the cloud is going to get more attention in the .gov world in the weeks and months ahead, but it should be getting just as much attention from your teams now. The cloud isn’t secure by default, and cloud providers often leave something to be desired in terms of the security controls they are willing to be responsible for. A good reminder that the cloud is only a fancy way of saying “someone else’s computer” - and anything they don’t set up, you’re responsible for.

Fundraising

Very small fundraising week, dominated by the new $2.5B sports-focused fund from Arctos - though there was news that Warburg Pincus is raising a 3B yuan-denominated fund ($439M in USD) to invest in China.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.

Links

https://techcrunch.com/2023/02/21/sensitive-united-states-military-emails-spill-online/?guccounter=1

https://www.federalregister.gov/documents/2021/09/24/2021-20430/taking-additional-steps-to-address-the-national-emergency-with-respect-to-significant-malicious
