Instagram breach shows the dangers of faster development cycles
Millions of Instagram users recently had their contact data scraped and exposed through a third party, a fresh signal that enterprises need to do more to protect sensitive information.
Very often we find that a database storing private, sensitive data in the application tier is reachable over the internet. In most cases there is no inherent security built into these databases, because they are meant to be accessed only by other services and applications in the application tier, after authentication has already happened further up the stack.
There is a notion of explicit trust between the services and applications that use these databases. Where a database does support security or authentication features, they are usually left turned off so that queries are served as fast as possible, on the strength of that trust model.
Because application tiers change very rapidly under fast dev-ops cycles, some of those changes leave sensitive databases wide open to access from the public internet.
These unintended exposures come from errors in firewall policies, moved security zones, moved workloads and load-balancing changes. Unfortunately, enterprises often don't discover such errors until a breach has been widely reported by the media, by which time a lot of damage to users and to the brand has already been done. There have been similar breaches in the past, such as the high-profile one involving the USPS.
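As an added example (not from the original article), here is the kind of check a regular review of firewall rules can automate: it takes a set of inbound rules in the shape of cloud security-group entries and flags every rule that lets a datastore port be reached from outside the internal address ranges. The rule names, address ranges and port list below are constructed for illustration; the categories of mistake they stand for (a migration rule left behind, a zone that moved while its rule did not, a "temporary" office allow-list) are the ones the paragraph above describes.

```python
import ipaddress
from dataclasses import dataclass

# Datastores that commonly run without authentication inside a trusted tier
# (assumed list for illustration; extend it with whatever the environment runs).
DATASTORE_PORTS = {
    27017: "MongoDB",
    9200: "Elasticsearch",
    6379: "Redis",
    5432: "PostgreSQL",
    3306: "MySQL",
    11211: "memcached",
    9042: "Cassandra",
}

# Address ranges that count as "inside": RFC 1918 space plus loopback.
INTERNAL_RANGES = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


@dataclass(frozen=True)
class Rule:
    """One inbound rule, with the same fields a cloud security-group entry carries."""
    name: str
    proto: str        # "tcp", "udp", or "-1" for any protocol
    from_port: int
    to_port: int
    source: str       # source CIDR


@dataclass(frozen=True)
class Finding:
    rule: str
    port: int
    service: str
    source: str
    scope: str        # "any-source" (0.0.0.0/0 or ::/0) or "allow-listed"


def reachable_from_outside(cidr: str) -> bool:
    """True unless the source CIDR sits wholly inside one internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES)


def exposed_datastores(rules):
    """Return one Finding per (rule, datastore port) pair that the internet can reach."""
    findings = []
    for rule in rules:
        if rule.proto not in ("tcp", "-1"):
            continue                      # the datastores above all speak TCP
        if not reachable_from_outside(rule.source):
            continue
        prefixlen = ipaddress.ip_network(rule.source, strict=False).prefixlen
        scope = "any-source" if prefixlen == 0 else "allow-listed"
        for port, service in DATASTORE_PORTS.items():
            if rule.from_port <= port <= rule.to_port:
                findings.append(Finding(rule.name, port, service, rule.source, scope))
    return findings


# Constructed sample policy: an app tier after a few fast deployment cycles.
SAMPLE_RULES = [
    Rule("app-https", "tcp", 443, 443, "0.0.0.0/0"),             # intended
    Rule("pg-from-app-tier", "tcp", 5432, 5432, "10.20.0.0/16"),   # intended
    Rule("mongo-migration", "tcp", 27017, 27017, "0.0.0.0/0"),   # left behind by a workload move
    Rule("es-cluster", "tcp", 9200, 9300, "0.0.0.0/0"),          # zone moved, rule did not
    Rule("redis-office", "tcp", 6379, 6379, "203.0.113.0/24"),   # "temporary" office allow-list
]

if __name__ == "__main__":
    for f in exposed_datastores(SAMPLE_RULES):
        print(f"{f.rule}: {f.service} ({f.port}/tcp) reachable from {f.source} [{f.scope}]")
```

Run against the constructed policy, the check reports the MongoDB, Elasticsearch and Redis rules and stays quiet about HTTPS and the PostgreSQL rule scoped to the app subnet. An allow-listed source is reported at a lower scope than 0.0.0.0/0, but it is still a datastore reachable from outside the tier, which is exactly the condition the trust model assumes never holds.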
How is this happening? Attackers constantly scan the internet for open or accessible servers and services. They are increasingly focused on services hosted in public and private cloud environments, where they know the environment changes frequently, which raises the probability of errors in security policies.
When they discover such a sensitive database, they scrape as much data from it as they can. That's what happened to the USPS in the past, and to Instagram influencers today.
Here are the issues enterprises need to solve: a visibility and lockdown mechanism for the application tier; scanning their own application tier with tools similar to the ones attackers use; and a regular review of security policies, firewall rules, workload zones and so on, both for themselves and for their third parties.
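As an added example (not from the original article), here is a minimal version of the probe that attackers run against the internet and that an enterprise should run against its own public address space: connect to a datastore port, send the cheapest request that needs no credentials, and classify the answer. The two services, their replies and the local stand-in listeners it tests against are constructed for illustration; real scanning tools do the same thing at internet scale and for many more protocols.

```python
import socket
import threading

# Cheapest request per service that reveals whether it answers without credentials
# (two services assumed for illustration; the same shape extends to other stores).
PROBES = {
    "redis": (6379, b"PING\r\n"),
    "elasticsearch": (9200, b"GET / HTTP/1.0\r\nHost: probe\r\n\r\n"),
}


def classify(service: str, reply: bytes) -> str:
    """Map a raw reply to 'open', 'auth-required' or 'unknown'."""
    if service == "redis":
        if reply.startswith(b"+PONG"):
            return "open"                 # served the command with no credentials
        if reply.startswith(b"-NOAUTH"):
            return "auth-required"        # reachable, but a password is configured
    elif service == "elasticsearch":
        parts = reply.split(b" ", 2)
        status = parts[1] if reply.startswith(b"HTTP/") and len(parts) > 1 else b""
        if status == b"200":
            return "open"
        if status in (b"401", b"403"):
            return "auth-required"
    return "unknown"


def probe(host: str, port: int, service: str, timeout: float = 2.0) -> str:
    """Connect from 'outside', send the probe and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PROBES[service][1])
            reply = s.recv(512)
    except OSError:
        return "unreachable"              # filtered or closed: the policy is doing its job
    return classify(service, reply)


def _fake_service(reply: bytes) -> socket.socket:
    """Constructed stand-in for a datastore so the example runs offline.

    Accepts exactly one connection, answers with the canned reply and exits.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))            # ephemeral port, read back via getsockname()
    srv.listen(1)

    def serve_one():
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        with conn:
            conn.recv(512)
            conn.sendall(reply)

    threading.Thread(target=serve_one, daemon=True).start()
    return srv


def demo() -> dict:
    """Probe three constructed endpoints plus one closed port; returns name -> verdict."""
    fakes = {
        "redis-open": (_fake_service(b"+PONG\r\n"), "redis"),
        "redis-locked": (_fake_service(b"-NOAUTH Authentication required.\r\n"), "redis"),
        "es-open": (_fake_service(b"HTTP/1.0 200 OK\r\nContent-Type: application/json\r\n\r\n{}"),
                    "elasticsearch"),
    }
    results = {}
    for name, (srv, service) in fakes.items():
        host, port = srv.getsockname()
        results[name] = probe(host, port, service)
        srv.close()
    closed = socket.socket()
    closed.bind(("127.0.0.1", 0))
    port = closed.getsockname()[1]
    closed.close()                        # nothing listens here any more
    results["redis-filtered"] = probe("127.0.0.1", port, "redis")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two things to keep in mind when using a probe like this for real. First, run it from a host outside your own network, against the addresses you expose, so that it sees what an attacker sees rather than what the internal trust model assumes. Second, treat "auth-required" as a finding, not a pass: the database being reachable from outside the tier is the policy error, and authentication only limits how much a scraper can pull once it finds the port.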