Most organisations are failing to put the necessary protections around data in virtual environments, leaving them wide open to attack, says Jason Hart, vice-president cloud solutions, SafeNet.
“In the virtual world, the basic security principles of confidentiality, integrity and accountability – the CIA triad – are widely ignored,” he told attendees of RSA Conference Europe 2012 in London.
As proof, Hart said that a scan that he had conducted earlier in the day had found 3,500 virtual servers connected to the internet.
“This is crazy. These servers are totally unprotected. It is like putting a Windows server on the web. This is making it extremely easy for hackers,” he said. “In a virtual world people seem to forget everything that has been learned in the past 15 years about protecting data.”
According to Hart, such exposed servers can be penetrated in 60 seconds using a simple tool to find and decrypt the admin passwords, by running the password hash against rainbow tables, to gain full control.
“In the virtual world, once you are in the root, you are everywhere. As an industry, we need to move beyond username and passwords to access data. They are easy to find and, once you have them, you can bypass everything.”
To prove how easy it is, Hart ran a demonstration using an undetectable wireless network sniffing device called Pineapple, available, with an arsenal of software tools, from Hak5 for under £70.
Read more from RSA Europe:
- RSA Europe: Security must take human factor into account
- RSA Europe: Security concerns whole supply chain, says Misha Glenny
- RSA Europe: New intelligence-led security model needed
He logs into a virtual environment and a cracking tool, bundled with the device, immediately displays his username and password, despite the fact that the virtual environment is using secure HTTP.
“These devices are battery-powered and could be smuggled into any organisation to sniff the traffic internally as well as externally,” Hart said.
Many organisations, or employees within organisations are also using virtual online services such as DropBox, but usernames and passwords for these services are also easy to find, he said.
Hart demonstrates how simple searches using Boolean operators can yield the contents of these virtual storage services.
“Organisations that use these services need to be aware of these problems,” he said. They also need to be aware that is their responsibility to keep their data safe. Many organisations assume the data is protected by the providers of the services, said Hart, but that is not often the case.
The user agreement of Amazon Web Services (AWS), for example, clearly states that Amazon provides no guarantee of confidentiality or integrity of the data. “This is not widely understood by organisations using these services,” said Hart.
Although complicated, he said, Google search can be used to pull out the encryption keys for passwords to AWS, but it is also vulnerable to a free hacking tool specifically designed to make that easy to do.
“Using this tool, hackers can home in on any organisation of their choice, to find the passwords to all the virtual services people within the organisation are using,” said Hart.
Where organisations use Microsoft Excel spreadsheets to store credentials, again Google search can be used to find them simply by typing in the search terms: password ext:xls.
Despite that fact that many organisations are routinely exposing their information to attack, Hart said it is a problem that is easy to fix simply by adhering to the classic CIA triad security principles.
Confidentiality and integrity are the most important, he said, which is why – in the virtual particularly – it is imperative to encrypt data, or at least critical elements of it, so if a virtual store is hacked, the data is protected.
“People have shied away from encryption, but it is no longer difficult or expensive,” he said.
Simply by getting back to the CIA triad basics, encrypting data and switching to better password controls and techniques such as one-time passwords, organisations can vastly improve the security of data in virtual environments, said Hart.
“Assume that at some point that you will be compromised, so ensure it is a ‘secure breach’ by encrypting the key data,” he said.
Organisations using virtual environments, internally or externally, should also be prepared to answer all the auditors’ questions about what type of data it is, who has access, how it is protected, where it is stored, and how it is disposed.
“While many service providers do not take responsibility for data security, AWS operates a shared responsibility model in the cloud, whereby all security best practices that apply on-premise also apply in the cloud,” said Hart.
Customers that want additional protection due to compliance or business regulations, he said, will often also implement an additional layer of data protection, using products available.