Weekly Video: October 31, 2022

10–31–2022 (Monday)

Hello and welcome to another edition of Cyber Risk at Deal Speed, your weekly video rundown of cybersecurity news and strategy for investors, deal teams, and the management teams of portfolio companies. I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io

Today is Monday, October 31st, so Happy Halloween!

I thought about doing a themed issue, but figured that cybersecurity was scary enough that we didn’t need to amp it up any more than it already is.

This week, we’ll look at two examples of cloud misconfigurations and then highlight some of the good work that CISA continues to produce. And we’ll cover it all in 5 minutes or less:

  1. FTC v. Drizly

  2. Microsoft Leaks Prospective Client Data, Amazon Leaks Prime Viewer Data

  3. CISA still doing yeoman’s work

FTC v. Drizly

The biggest story of the past week, at least to me, comes from the FTC’s proposed order against alcohol delivery startup (and $1.1B Uber acquisition) Drizly, and in particular, their CEO Cory Rellas.

The FTC continues to be very active in their enforcement, and seems to be generally taking the perspective that “you don’t have to do EVERYTHING, but you do have to do SOMETHING. And if you know you have a problem, don’t do anything about it, and bad things happen, you’re gonna hear from us.”

Here, the FTC is emphasizing two issues, both involving GitHub exposures, which resulted in the loss of 2.5 million customers’ data.

In particular, however, it’s worth noting that beyond simply requiring changes at Drizly, the FTC is specifically requiring Rellas to implement an information security program at any company he moves to in the future.

This personal inclusion is pretty novel, and did see some dissent from a couple of FTC Commissioners, but should be catching the eyes of executives and board members at consumer-facing companies whose information security practices aren’t up to snuff.

Microsoft Leaks Prospective Client Data, Amazon Leaks Prime Viewer Data

Security researchers at the Turkish firm SOCRadar disclosed a data leak from Microsoft’s own internal operations in Azure. The exposed data was associated with more than 65,000 companies in 11 countries and included statement-of-work documents, invoices, product orders, project details, signed customer documents, product price lists, personally identifiable information (PII), and potentially intellectual property as well.

Microsoft blamed the issue on an unintentional misconfiguration of an endpoint containing the data, and said SOCRadar "greatly exaggerated the scope of this issue," arguing that duplicate data had inflated the numbers.

Microsoft really tried to downplay this event, noting that “no customer accounts or systems” were impacted, wagged their finger at SOCRadar for making the data searchable, and generally tried to sidestep their own shortcomings.

The truth is that this was a simple misconfiguration in a cloud storage bucket that went unnoticed for years. And this can happen even at a company like Microsoft.

Not to be outdone in the cloud wars, Amazon followed Microsoft with its own data loss incident due to misconfigured cloud storage. This was also disclosed by a security researcher, though a different one than the researcher who found Microsoft’s leak.

In this case, a database with more than 215 million entries of viewer data from Amazon’s Prime Video platform was left accessible to the internet. Like Microsoft, Amazon claimed this was simply a deployment error and that AWS is secure and there’s generally nothing to see here. Meanwhile, “viewing data including name of the show or movie, device, and other internal data” like network quality and Prime subscription details were all included.

The big takeaway to me is simply the difficulty of getting these things right, every single time, and the challenge that we can run into when we see scale like this. If public exposures of customer data can happen at both Amazon and Microsoft in the same week, it should serve as a reminder to all of us to make sure that we’ve got consistent deployment best practices in place, and the ability to detect misconfigurations before the security researchers do it for us in a blog post.
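Both incidents above come down to a storage location that was reachable by anyone. One way to catch that class of misconfiguration before an outside researcher does is to evaluate each bucket's access settings in an inventory export. The following is an added example, not code from the newsletter or from either vendor: it models two buckets in the S3 policy-language shape (a bucket-policy document plus the four Block Public Access flags), with a deliberately weak configuration beside a hardened one, and classifies each as public, needing review, or private. Bucket names, the account id and the role name are placeholders, and the evaluation is a simplified approximation of how a cloud provider actually resolves access, so conditional wildcard grants are only flagged for a human rather than judged.

```python
import copy

# Constructed, simplified records of two storage buckets, in the shape an inventory
# export carries: the bucket-policy document and the four Block Public Access flags.
# Bucket name, account id and role name are placeholders.
WEAK_BUCKET = {
    "name": "example-corp-exports",
    "public_access_block": {
        "BlockPublicAcls": False, "IgnorePublicAcls": False,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
    },
    "policy": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAnyoneToRead",
            "Effect": "Allow",
            "Principal": "*",                       # wildcard: anonymous access
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-corp-exports",
                         "arn:aws:s3:::example-corp-exports/*"],
        }],
    },
}

HARDENED_BUCKET = {
    "name": "example-corp-exports",
    "public_access_block": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
    },
    "policy": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowReportingRoleOnly",
            "Effect": "Allow",
            # Placeholder account id and role: a single named principal may read.
            "Principal": {"AWS": "arn:aws:iam::000000000000:role/example-reporting-role"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-corp-exports",
                         "arn:aws:s3:::example-corp-exports/*"],
        }],
    },
}


def principals_of(principal) -> list:
    """Flatten the Principal element ("*", one ARN string, or a map of lists) to a list."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        flat = []
        for value in principal.values():
            flat.extend(value if isinstance(value, list) else [value])
        return flat
    return []


def grants_everyone(stmt: dict) -> bool:
    """True for an Allow statement whose principal is the wildcard (anyone on the internet)."""
    return stmt.get("Effect") == "Allow" and "*" in principals_of(stmt.get("Principal"))


def assess_bucket(bucket: dict) -> dict:
    """Classify a bucket as 'public', 'review' or 'private' and name the statements involved.

    Simplified rule: an unconditional wildcard Allow is public unless BlockPublicPolicy or
    RestrictPublicBuckets neutralises it; a wildcard Allow that is blocked, or that carries
    a Condition, is left for human review instead of being judged here.
    """
    flags = bucket.get("public_access_block", {})
    statements = (bucket.get("policy") or {}).get("Statement", [])
    wildcard = [s for s in statements if grants_everyone(s)]
    unconditional = [s for s in wildcard if not s.get("Condition")]
    blocked = bool(flags.get("BlockPublicPolicy")) or bool(flags.get("RestrictPublicBuckets"))

    if unconditional and not blocked:
        status = "public"
    elif wildcard:
        status = "review"
    else:
        status = "private"
    return {"name": bucket.get("name"), "status": status,
            "statements": [s.get("Sid", "<no Sid>") for s in wildcard]}


def harden(bucket: dict) -> dict:
    """Copy of the bucket with all four Block Public Access flags on; the policy is untouched."""
    fixed = copy.deepcopy(bucket)
    fixed["public_access_block"] = {k: True for k in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}
    return fixed


if __name__ == "__main__":
    for b in (WEAK_BUCKET, harden(WEAK_BUCKET), HARDENED_BUCKET):
        print(assess_bucket(b))
```

Turning on the Block Public Access flags alone moves the weak bucket from "public" to "review": the exposure is closed, but the wildcard statement is still in the policy and should be removed so that a later flag change cannot silently reopen it. The same check is cheap enough to run on every deployment, which is the "detect misconfigurations before the researchers do" part of the takeaway.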

CISA Still Doing Yeoman’s Work

The Cybersecurity & Infrastructure Security Agency - the US government agency better known as CISA - continues to simply put out good, solid content, ranging from a continually updated catalog of known exploited vulnerabilities to collaborative alerts with other government agencies and thoughtfully created best-practices documents.

I think it’s worth highlighting the fact that CISA continues to just plod ahead, building an impressive body of work brick by brick.

If you haven’t been following their work particularly closely, I would call your attention to three things:

  1. Known Exploited Vulnerabilities Catalog. The pace of newly discovered vulnerabilities far exceeds humans’ ability to digest and comprehend them. Instead, I’d suggest organizations - even those with automation in their vulnerability management programs - work to ensure that everything in the list CISA provides is patched. They’ve done the hard work of gathering real intel about what threat actors are exploiting in the wild - and you can benefit from that work by patching those vulnerabilities.

  2. Joint Announcements. This week, CISA teamed up with the FBI and the Multi-State Information Sharing & Analysis Center (MS-ISAC) to do a deep dive for industry on Distributed Denial of Service (DDoS) attacks. They lay out the issue and what you can do to prevent or combat it. Bringing these together in just a few pages is a tall order, and CISA does it consistently well.

  3. Cross-Sector Cybersecurity Performance Goals. Despite the mouthful of a title, this document does a fantastic job of bringing together some core best practices for small and medium organizations, along with references to both the NIST Cybersecurity Framework and the MITRE ATT&CK framework, both of which can be used to further enhance a security program. The document is well written, in plain language, and actionable for organizations of all sizes. All of the security leads at your portfolio companies should review this document and ensure they are acting on the recommendations.
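The first item above, "make sure everything in the KEV list is patched," is a cross-reference problem: take the catalog, take your scanner's findings, and report what overlaps, ordered by CISA's due date. The following is an added example, not code from the newsletter or from CISA. The catalog sample is constructed in the same field layout as CISA's published JSON feed (cveID, vendorProject, product, dateAdded, dueDate, requiredAction and so on), but every CVE id, vendor, product, host name and date in it is a placeholder, and the scanner findings are likewise constructed.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (the real feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Every CVE id, vendor, product and date below is a placeholder, not a real catalog entry.
SAMPLE_KEV_JSON = """
{
  "title": "Known Exploited Vulnerabilities Catalog (constructed sample)",
  "catalogVersion": "0000.00.00",
  "dateReleased": "2022-10-31T00:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleGateway",
     "vulnerabilityName": "ExampleGateway placeholder vulnerability", "dateAdded": "2022-10-06",
     "shortDescription": "Placeholder.", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-10-20", "notes": ""},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleDB",
     "vulnerabilityName": "ExampleDB placeholder vulnerability", "dateAdded": "2022-10-25",
     "shortDescription": "Placeholder.", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-11-15", "notes": ""},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "ExampleMailer",
     "vulnerabilityName": "ExampleMailer placeholder vulnerability", "dateAdded": "2022-09-01",
     "shortDescription": "Placeholder.", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-09-22", "notes": ""}
  ]
}
"""

# Constructed vulnerability-scanner findings, one row per (host, CVE). "patched" marks
# findings already remediated; CVE-0000-9999 is a placeholder that is not in the catalog.
SAMPLE_SCAN_FINDINGS = [
    {"host": "web-01",  "cve": "CVE-0000-0001", "patched": False},
    {"host": "web-02",  "cve": "CVE-0000-0002", "patched": False},
    {"host": "db-01",   "cve": "CVE-0000-0002", "patched": False},
    {"host": "web-01",  "cve": "CVE-0000-0003", "patched": True},
    {"host": "mail-01", "cve": "CVE-0000-9999", "patched": False},
]


def load_kev(text: str) -> dict:
    """Index the catalog by CVE id so each finding is matched with one dictionary lookup."""
    catalog = json.loads(text)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def kev_exposure(kev: dict, findings: list, as_of: str) -> list:
    """Return the unpatched findings that are in KEV, earliest CISA due date first."""
    today = date.fromisoformat(as_of)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None or f.get("patched"):
            continue  # not a known-exploited CVE, or already remediated
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cve": f["cve"],
            "host": f["host"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "due_date": entry["dueDate"],
            "required_action": entry["requiredAction"],
            "days_overdue": max(0, (today - due).days),
        })
    rows.sort(key=lambda r: (r["due_date"], r["cve"], r["host"]))
    return rows


def summarize(rows: list) -> dict:
    """Count open KEV findings past CISA's due date versus still within it."""
    overdue = sum(1 for r in rows if r["days_overdue"] > 0)
    return {"overdue": overdue, "pending": len(rows) - overdue}


if __name__ == "__main__":
    exposure = kev_exposure(load_kev(SAMPLE_KEV_JSON), SAMPLE_SCAN_FINDINGS, "2022-10-31")
    for r in exposure:
        flag = f"OVERDUE by {r['days_overdue']}d" if r["days_overdue"] else "due " + r["due_date"]
        print(f"{r['host']:8} {r['cve']}  {r['product']:28} {flag}")
    print(summarize(exposure))
```

Running this with the live feed instead of the constructed sample only changes where `SAMPLE_KEV_JSON` comes from; the matching logic is the same. The useful output for a portfolio company's security lead is the "overdue" count, since a KEV entry past its due date is, by CISA's own definition, something attackers are already exploiting that the organization has left open beyond the recommended window.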

Finally, they’re also pushing ahead with work on election security, improving K-12 security, and other critically important sectors. If you’re not leveraging their work to improve your own security efforts, you’re missing a tremendous opportunity.

Fundraising

Back to the big numbers this week, with more than $24B in newly committed capital, cooking along at a pace of nearly $3.5B per day. I mean, that’s more than half a Twitter raised in just a single week! Congrats to all the new funds and fund managers now looking to put this capital to work.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next week with another edition of Cyber Risk at Deal Speed.

LINKS:

https://www.darkreading.com/cloud/microsoft-data-exposure-incident-highlights-risk-of-cloud-storage-misconfigurations

https://techcrunch.com/2022/10/27/amazon-prime-video-server-exposed/

https://www.ftc.gov/news-events/news/press-releases/2022/10/ftc-takes-action-against-drizly-its-ceo-james-cory-rellas-security-failures-exposed-data-25-million

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

https://www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf

https://www.cisa.gov/sites/default/files/publications/understanding-and-responding-to-ddos-attacks_508c.pdf
