Attack Vector Deep Dive: Exposed Databases

NordVPN’s password manager division, NordPass, recently published a report detailing that 10 billion records were found exposed in unsecured databases worldwide from June 2019 to June 2020. Unfortunately, these data breaches come with heavy costs - both for the individuals whose information is compromised, and for the companies who are responsible. What are some of the root causes behind this issue, and how significant a risk do unsecured databases pose for enterprises?

MongoDB and Elasticsearch (ES), two leading solutions cited in the NordPass study, both have NoSQL data stores available in free, open-source configurations and cloud environments. The same features that make ES, MongoDB, and other modern storage solutions user-friendly and adaptable to complex, dynamic data environments can also invite security challenges.

It’s not that ES or MongoDB are riddled with critical vulnerabilities inherent to their systems - neither has had a Common Vulnerabilities and Exposures (CVE) entry with a CVSS score above 7.5. Rather, the main challenge lies with configuration management. Because default installations of ES and MongoDB ship without some security features enabled, including authentication and encryption, it’s important for enterprises to configure instances according to the latest security checklists, and to install security-focused extensions such as X-Pack or Open Distro. Enterprise workflows should be built around security, by including configuration checks before pushing to production, and steps to purchase enterprise-grade security subscriptions before free trials expire.

Attackers are interested in this attack vector for two main reasons. Firstly, it’s relatively easy to detect an unsecured database via scanning. A simple Shodan search query can immediately identify thousands of Internet-facing databases. A recent Comparitech study tracked an average of 20 attacks per day on an Internet-exposed MongoDB honeypot (a fake target set up to study threat actor interest and techniques), with 40% of requests attempting to steal or destroy data, many via automated bots that make this a plug-and-play approach for attackers.

Secondly, it’s a direct access point to enterprise data. The attackers behind this summer’s “Meow” attacks caused major headaches for enterprises by deleting all data found in their exposed ES and MongoDB instances, leaving a simple “meow” as a calling card. Some actors seek payment in the form of ransom by stealing the exposed data and threatening to leak it or to report the victim for GDPR violations. Others look for profit by selling the stolen data on the dark web or to other interested parties. Still others may aim to breach the target’s systems, by harnessing stolen credentials for account takeover attacks, or by using the exposed database as an entry point to infiltrate the network.

Understanding organizations’ risk management controls and security hygiene around stored data via tools such as CyberCube’s Account Manager and Broking Manager products can help insurers make informed decisions. Three core mitigations for this risk are:

  1. Hiding enterprise databases behind firewalls, virtual private networks (VPNs), or reverse proxies, and configuring them in a private IP address range.
  2. Implementing password strength, complexity, and update requirements to secure databases.
  3. Training teams to configure new and open-source tools beyond their basic defaults, and to deploy proofs of concept in separate, non-production environments.
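
The pre-production configuration check mentioned above, written out as an added example (my code, not CyberCube’s and not the vendors’ own tooling): it parses a mongod.conf or elasticsearch.yml and flags the settings the mitigations target, a listen address outside loopback or private ranges, authorization not enabled, TLS not required, and X-Pack security not enabled. The option names are the real ones; the rule thresholds, the function names and the two sample configs are assumptions I constructed.

```python
import ipaddress

def parse_flat(text):
    """Parse the indented 'key: value' YAML subset used by mongod.conf and elasticsearch.yml (no lists) into a dotted-path dict."""
    out, stack = {}, []  # stack holds (indent, key) of the enclosing mappings
    lines = [raw.split("#", 1)[0].rstrip() for raw in text.splitlines()]
    for line in filter(str.strip, lines):
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            out[path] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return out

def binds_publicly(hosts):
    """True if any listed address makes the service listen beyond loopback/private ranges."""
    for h in (x.strip() for x in hosts.split(",")):
        if h in ("0.0.0.0", "::", "_site_", "_global_"):  # wildcards and ES pseudo-hosts
            return True
        try:
            ip = ipaddress.ip_address(h)
        except ValueError:
            continue  # hostname: cannot be judged offline, leave to a later check
        if not (ip.is_private or ip.is_loopback):
            return True
    return False

# Per engine: the listen-address key, and settings that must be set explicitly (policy assumption).
RULES = {
    "mongo": ("net.bindIp", {"security.authorization": "enabled", "net.tls.mode": "requireTLS"}),
    "es": ("network.host", {"xpack.security.enabled": "true"}),
}

def check_config(cfg, kind):
    """Return a list of findings for a parsed config; an empty list passes the gate."""
    host_key, required = RULES[kind]
    findings = []
    if binds_publicly(cfg.get(host_key, "127.0.0.1")):  # both engines default to loopback
        findings.append(f"{host_key}: listens outside loopback/private ranges")
    for key, want in required.items():
        if cfg.get(key) != want:
            findings.append(f"{key}: expected '{want}', got {cfg.get(key)!r}")
    return findings

WEAK_MONGOD = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"  # constructed sample: the exposed shape
HARDENED_MONGOD = ("net:\n  bindIp: 127.0.0.1,10.0.2.15  # loopback + private NIC\n"  # constructed
                   "  tls:\n    mode: requireTLS\nsecurity:\n  authorization: enabled\n")
```

Running `check_config(parse_flat(WEAK_MONGOD), "mongo")` yields three findings, while the hardened sample yields none; wiring the call into a CI step before deployment is the configuration gate the text describes.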

Research firm IDC projects that over the next two years, enterprise data will grow at a 42.2% annual rate. As data storage requirements continue to grow for enterprises alongside increasing regulatory and financial liabilities, it will be important for them to develop new strategies and processes to stay on top of this attack surface, protecting their own and their customers’ data.
