The caveats of the unseen: Crouching exposure, Hidden Misconfiguration, presented at AppSecIndonesia2020

by Ashwin Vamshi

Summary: The complexity and number of enterprise cloud applications has produced a constant stream of misconfigurations and data exposure breaches. This work is a deep dive into the different types of misconfiguration that lead to cloud data breaches. We examine sensitive data exposures across more than 20 apps, including meeting apps and project management tools, and analyze them along three dimensions. Our goal is to provide a framework that organizations can use to identify and prevent cloud data exposure.

First, we classify the risks according to how they arise:
- Independent risks happen within a single app, such as accidentally exposing an Amazon S3 bucket publicly.
- Interconnected risks happen when multiple apps interact, such as configuring Slack notifications in Confluence. Interconnected risks are typically a major data transfer blind spot for organizations, which lack visibility into data flowing between apps. We will demo this by creating a nearly invisible command & control channel for an insider to steal sensitive data.

Next is the extent to which data can be exposed:
- Public data is exposed to the entire Internet.
- External data is shared with individuals outside an organization.
- Internal data is shared within one's organization. We provide two examples of internal data breaches.

Finally, we analyze the risk factors that contribute to misconfiguration:
- Design factor: exposure arising from the design of the app, such as Google Hangouts image links.
- Default factor: exposure arising from the app's default sharing settings, such as Google Groups default visibility.
- Human factor: exposure arising from users applying inappropriate permissions, such as using the Google Drive "anyone with link" option for confidential files.

We also shed light on how attackers can abuse misconfigured cloud apps, and we conclude the talk with vendor-agnostic recommendations and security controls that help organizations mitigate exposure risks.
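As an added illustration of the exposure-extent dimension (example code, not part of the talk or its materials), the Python below classifies single-app sharing settings, the page's independent risks, as public, external or internal. The organisation domain, resource names and permission records are constructed; the field names follow the shapes of S3 ACL grants and Google Drive permission objects.

```python
ORG_DOMAIN = "example.com"  # constructed: the organisation's own identity domain
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
RANK = {"internal": 0, "external": 1, "public": 2}

def s3_extent(grants):
    """S3 ACL: AllUsers -> public; AuthenticatedUsers (any AWS account) -> external; else internal."""
    extent = "internal"
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri == ALL_USERS:
            return "public"
        if uri == AUTH_USERS:
            extent = "external"
    return extent

def drive_extent(permissions, org_domain=ORG_DOMAIN):
    """Drive permissions: type 'anyone' (the "anyone with the link" option)
    -> public; a user or domain outside org_domain -> external; else internal."""
    extent = "internal"
    for perm in permissions:
        if perm["type"] == "anyone":
            return "public"
        if perm["type"] == "domain" and perm.get("domain") != org_domain:
            extent = "external"
        if perm["type"] == "user" and not perm.get("emailAddress", "").endswith("@" + org_domain):
            extent = "external"
    return extent

def audit(inventory):
    """Return {resource: extent} plus the worst extent across the inventory."""
    results = {name: s3_extent(acl) if app == "s3" else drive_extent(acl)
               for name, (app, acl) in inventory.items()}
    worst = max(results.values(), key=RANK.__getitem__, default="internal")
    return results, worst

# Constructed inventory: one S3 bucket ACL and two Drive permission lists.
SAMPLE = {
    "s3://finance-exports": ("s3", [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
    ]),
    "drive:Q3-forecast.xlsx": ("drive", [
        {"type": "user", "emailAddress": "alice@example.com", "role": "owner"},
        {"type": "anyone", "allowFileDiscovery": False, "role": "reader"},
    ]),
    "drive:team-notes.docx": ("drive", [
        {"type": "domain", "domain": "example.com", "role": "reader"},
    ]),
}
```

Running `audit(SAMPLE)` flags the forecast spreadsheet as public (the human-factor case from the summary) and the bucket as external, since AuthenticatedUsers covers every AWS account, not just the organisation's.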