Global Banking & Finance Review

    Why open databases are easy pickings for cyber criminals

    Published by maria gbaf

    Posted on December 28, 2021

    By David Sygula, Senior cybersecurity analyst at CybelAngel

    A colossal amount of personal data is leaked or stolen every day. Research has found that over 36 billion records were exposed in 2020 alone.

    Many of these breaches were the result of highly sophisticated cyber attacks that are difficult for even the most well-protected firms to stop. But the truth is that countless records are left exposed online, requiring a criminal to do little more than locate them to cause a breach.

    The biggest issue is open databases, which are believed to account for 86 percent of all publicly accessible sensitive data sets. These are databases deployed with no security controls, often without even a basic username and password requirement, so they are freely accessible to anyone who can locate them. Such misconfigurations are responsible for 67 percent of enterprise data breaches.

    Open data is like chum in the water for cyber criminals, and likely to be found and raided by attackers quickly and repeatedly. So how damaging are exposed databases, and what can be done to secure them?

    The mounting cost of unsecured data

    Some of the largest breaches in recent times have stemmed from unsecured public databases. In June it was discovered that a database of 815 million records had been left unprotected by web hosting company DreamHost. Last year BlueKai, a data analysis platform owned by Oracle, was found to have left potentially billions of records exposed through an unsecured server.

    Such breaches can be cripplingly expensive for the data holder. The average cost of a breach involving 40-50 million records was estimated at $364 million in 2020, an increase of $19 million on the year before. For incidents involving more than 50 million records, the average cost in 2020 rose to $388 million.

    Alongside the obvious motivation of financial gain, open databases may also be targeted by “Meow” attacks, which are thought to be a form of radical advocacy for data privacy. Data is completely deleted from the unsecured database, without any accompanying threat or ransom demand. The unusual name comes from the fact that the original index is renamed to one ending in ‘meow’. One of the first prominent Meow attacks hit UFO VPN, which had previously made headlines for another breach that exposed customer data stored in plaintext.

    Whether misguided activism or simply a prank, these attacks are less damaging than criminal theft, but still problematic for the organisation. Not only does it have to contend with the repercussions of data loss, but the very nature of the attack, wiping the data rather than copying it, makes it harder to identify the security weakness that was the root cause.

    Why are databases left exposed?

    Attackers can easily find public databases using automated internet-wide scanning tools. If the misconfiguration extends to the absence of any access control, they can read the data immediately and copy, encrypt or delete it as they wish. Even when a username and password are required, they are often weak at best: default or common combinations, or credentials already stolen in previous breaches.

    Our research indicates that MongoDB databases are the ones most often hit by criminals, as they are frequently left publicly discoverable and unprotected. However, this is likely due in part to the popularity of MongoDB rather than a particular failing of the product; the same issues are common across most database types. We also found that the majority of database security failings stem from third-party and open-source software.

    However, while technology is a key factor in database exposure, it is human error that tends to have the greatest impact. Common issues such as publicly discoverable databases with no password protection are usually the result of personnel who lacked the time, resources or knowledge to configure them correctly when they were first created. Similarly, neglecting routine tasks such as applying patches leaves databases vulnerable to new malware and attack techniques.

    Minimising the risk

    It is accepted wisdom that some security breaches are unavoidable. An attack exploiting an unknown unknown is extremely difficult to detect and prevent before damage is inflicted. The majority of breaches involving databases, however, are the opposite.

    The main principle for effective database security is getting the basics right. Fundamental steps such as making sure a cloud database is not reachable from the public internet, and ensuring that effective access controls are in place, need to be completed every time any asset goes online. Likewise, good security hygiene around patching and credential reuse needs to be followed to keep databases secure.
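    As an added illustration (these fragments are not from the original article or any vendor), the two mongod.conf excerpts below contrast the exposed configuration that produces most "open database" findings with a locked-down one. The private address 10.0.0.5 and the certificate path are placeholders.

```yaml
# EXPOSED: the shape behind most open-database findings.
# Listens on every interface and never switches authorization on (it is off
# by default), so anyone who can reach TCP/27017 can read, change or drop
# every collection.
net:
  port: 27017
  bindIp: 0.0.0.0
# (no security section at all)

---
# LOCKED DOWN: reachable only on loopback and one private interface
# (10.0.0.5 is a placeholder), TLS required, and every command must come
# from an authenticated user holding a role that permits it.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled
```

    Two caveats when applying this: `authorization: enabled` only bites once an administrative user has actually been created (the localhost exception exists so the first one can be), and `bindIp` is a host-level setting, not a substitute for a firewall rule or cloud security group that blocks the port from the internet. Verify the result from outside the network with a port scan rather than trusting the file.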

    To achieve this, firms not only need to have the right processes and tools in place, but also ensure that staff have the training and capacity to carry them out. Businesses need to make a judgement call whether it is best for them to develop these skills internally or outsource to a specialist.

    Organisations can also take steps to ensure their current IT estate is properly hidden and protected. Comprehensive IP scanning can help to detect leaks of sensitive and mission critical data, revealing databases that have been left publicly discoverable, as well as data that has already been breached. Ideally this should cover other assets such as OT, IoT, cloud applications and code repositories – anything that can potentially host sensitive data and is exposed to the internet.
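    The scanning tools mentioned above, and the exposure checks a defender runs against its own estate, do little more than the following. As an added example (not code from the original article or from CybelAngel), this Python script sends a single unauthenticated `listDatabases` command over MongoDB's OP_MSG wire protocol and classifies the answer as open, authentication required, or unknown. The host and port passed to `probe()` are the caller's; the two sample replies at the bottom are constructed, not captured from a real server, so the framing, BSON parsing and verdict can be exercised offline. Point `probe()` only at hosts you are authorised to test.

```python
import socket
import struct

OP_MSG = 2013        # opcode of the OP_MSG wire-protocol message (MongoDB 3.6+)
UNAUTHORIZED = 13    # error code a locked-down server returns without credentials

def bson_encode(doc: dict) -> bytes:
    """Encode a dict (bool/int/float/str/dict/list values) as a BSON document."""
    body = b""
    for key, value in doc.items():
        name = key.encode() + b"\x00"
        if isinstance(value, bool):          # bool before int: bool is an int subclass
            body += b"\x08" + name + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            body += b"\x10" + name + struct.pack("<i", value)
        elif isinstance(value, float):
            body += b"\x01" + name + struct.pack("<d", value)
        elif isinstance(value, str):
            raw = value.encode() + b"\x00"
            body += b"\x02" + name + struct.pack("<i", len(raw)) + raw
        elif isinstance(value, dict):
            body += b"\x03" + name + bson_encode(value)
        elif isinstance(value, list):        # arrays are documents keyed "0", "1", ...
            body += b"\x04" + name + bson_encode({str(i): v for i, v in enumerate(value)})
        else:
            raise TypeError(f"unsupported value for {key!r}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"

def bson_decode(data: bytes) -> dict:
    """Decode the element types a command reply uses; reject anything else."""
    total = struct.unpack_from("<i", data, 0)[0]
    pos, out = 4, {}
    while pos < total - 1:                   # stop at the document's trailing 0x00
        etype, pos = data[pos], pos + 1
        end = data.index(b"\x00", pos)
        name, pos = data[pos:end].decode(), end + 1
        if etype == 0x01:                    # double
            out[name], pos = struct.unpack_from("<d", data, pos)[0], pos + 8
        elif etype == 0x02:                  # string: int32 length (incl. NUL), bytes
            slen = struct.unpack_from("<i", data, pos)[0]
            out[name], pos = data[pos + 4:pos + 3 + slen].decode(), pos + 4 + slen
        elif etype in (0x03, 0x04):          # embedded document / array
            dlen = struct.unpack_from("<i", data, pos)[0]
            sub = bson_decode(data[pos:pos + dlen])
            out[name], pos = (list(sub.values()) if etype == 0x04 else sub), pos + dlen
        elif etype == 0x08:                  # bool
            out[name], pos = data[pos] == 1, pos + 1
        elif etype == 0x10:                  # int32
            out[name], pos = struct.unpack_from("<i", data, pos)[0], pos + 4
        elif etype == 0x12:                  # int64
            out[name], pos = struct.unpack_from("<q", data, pos)[0], pos + 8
        else:
            raise ValueError(f"unhandled BSON type 0x{etype:02x} for {name!r}")
    return out

def build_op_msg(command: dict, request_id: int = 1) -> bytes:
    """Frame a document as OP_MSG: 16-byte header, flagBits=0, one kind-0 section."""
    body = struct.pack("<I", 0) + b"\x00" + bson_encode(command)
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_MSG) + body

def parse_op_msg(frame: bytes) -> dict:
    """Return the kind-0 body document of an OP_MSG frame (request or reply)."""
    length, _req_id, _response_to, opcode = struct.unpack_from("<iiii", frame, 0)
    if opcode != OP_MSG or frame[20] != 0:   # byte 20 is the section kind after the flags
        raise ValueError("not a single-section OP_MSG frame")
    return bson_decode(frame[21:length])

def classify_reply(reply: dict) -> str:
    """Verdict for an unauthenticated listDatabases: OPEN, AUTH REQUIRED or UNKNOWN."""
    if reply.get("ok") == 1:
        names = ", ".join(db.get("name", "?") for db in reply.get("databases", []))
        return f"OPEN: listDatabases answered without credentials: {names}"
    if reply.get("code") == UNAUTHORIZED:
        return "AUTH REQUIRED: server rejected the unauthenticated command"
    return f"UNKNOWN: ok={reply.get('ok')} code={reply.get('code')} errmsg={reply.get('errmsg')}"

def recv_exactly(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
    return buf

def probe(host: str, port: int = 27017, timeout: float = 5.0) -> str:
    """Send listDatabases with no credentials and classify the reply (authorised hosts only)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_op_msg({"listDatabases": 1, "$db": "admin"}))
        header = recv_exactly(sock, 16)
        frame = header + recv_exactly(sock, struct.unpack_from("<i", header, 0)[0] - 16)
    return classify_reply(parse_op_msg(frame))

# Constructed replies (not captured from a real server) so the parsing and the
# verdict can be exercised offline; field names follow the listDatabases reply.
OPEN_REPLY = build_op_msg({"databases": [{"name": "admin", "sizeOnDisk": 40960, "empty": False},
                                         {"name": "customers", "sizeOnDisk": 73728, "empty": False}],
                           "totalSize": 114688, "ok": 1.0}, request_id=7)
LOCKED_REPLY = build_op_msg({"ok": 0.0, "errmsg": "command listDatabases requires authentication",
                             "code": 13, "codeName": "Unauthorized"}, request_id=7)

if __name__ == "__main__":
    for label, frame in (("open server", OPEN_REPLY), ("locked server", LOCKED_REPLY)):
        print(f"{label}: {classify_reply(parse_op_msg(frame))}")
```

    Run stand-alone it prints the verdict for the two constructed replies; `probe("10.0.0.5")` does the same against a live host. An OPEN verdict on an internet-facing address is exactly the finding the article describes, and the fix is the one above: bind to private interfaces, enable authorization, and close the port at the network edge. Note that the script does not attempt any credential, so a server that merely uses weak or reused passwords would come back as AUTH REQUIRED; that class of exposure needs a separate check.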

    Firms also need to detect signs of attempted and successful attacks as quickly as possible, improving their chances of disrupting the kill chain early in the attack.

    With so much data already out in the world, and so many relentless threat actors targeting it, the staggering number of records breached every year is unlikely to go down any time soon. By taking the time to get the basics right and building a strategy around quickly detecting and preventing breaches, organisations can minimise their chances of becoming yet another breach statistic.
