Published : 06.20.2021
Last Updated : 06.01.2022
In the latest data disaster, a database owned by a cybersecurity analytics firm leaked 5 billion records, exposing names, passwords, and email addresses online. The exposed data came from Cognyte, a cyber-intelligence service that alerts users to potential data breaches. The reason behind the leak? The same as many others in recent years…an unsecured database.
On May 29, 2021, security researcher Volodymyr “Bob” Diachenko discovered customer data belonging to Cognyte after it leaked online at least four days earlier. Researchers immediately notified Cognyte, which secured its database on June 2. It’s unknown whether bad actors used the leaked data in the short time it appeared on search engines. Cognyte says not all its leaked data contained passwords, but the company couldn’t name the percentage that did.
“We do not know if any other third parties were accessing the data when it was exposed, nor do we know for how long it was exposed before being indexed by search engines,” Cognyte told CISOMAG. “Our honeypot experiments show that attackers can find and access exposed data in a matter of hours.” Cognyte has since resolved the issue.
Cognyte stores its data on Elasticsearch, a powerful search and analysis engine that uses data nodes for performance and stability. Elasticsearch groups nodes into ‘clusters,’ allowing users to search, index, and distribute tasks across those nodes. Elasticsearch is an incredibly valuable tool for organizations like Cognyte, but it’s notoriously easy to make a human error, and configuring clusters is even tougher. A simple misconfiguration can cause all kinds of problems, including a very leaky database.
That’s exactly what happened in the Cognyte breach. A ‘misconfigured’ Elasticsearch meant that the company’s data went ‘public’ for at least four days with no one noticing. The exposed database provided open access to sensitive data like names, passwords, and email addresses.
Cognyte, which has over 1,000 customers in 100 countries, isn’t the only enterprise to suffer a data breach at such an enormous scale. An unsecured database without password protection, like the one that belonged to Cognyte, allows unrestricted access to almost anyone anywhere online.
Elasticsearch supports permissions that enable authenticated identities to submit access control requests on behalf of other identities. If another application already authenticates identities, that app can change access controls according to Elasticsearch’s permissions, and this is where problems start. In short: Outsiders can penetrate an enterprise’s cloud by using Elasticsearch’s ‘run as’ mechanism to ‘permission chain’ their way through an organization.
There are other issues. If the same owner exists on several objects in multiple databases, and a stored procedure accesses these objects, a user doesn’t need to grant permission to every object the procedure wants to access. In this scenario, the procedure can access all objects that share the same owner. That means unauthorized persons can infiltrate the cloud with reconnaissance, enumeration, and by obtaining a list of predictable role names. All they need to do is find a match. It sounds unlikely, but it happens all the time, and, like Cognyte discovered, it brings colossal ramifications.
What often happens next is textbook cybercrime. Unauthorized persons acquire valuable data from the cloud, decrypt it via their new roles, and access super-sensitive information while remaining undetected. Thanks to Bob’s discovery, Cognyte fixed their leaky database within days, but other companies haven’t been so lucky.
All good cloud providers alert users about basic misconfigurations and keep identity access management (IAM) roles secure by default. However, some organizations ignore these alerts and override permissions, which causes serious risk. That’s why enterprises require an automated solution that gives far more security than even the best cloud service providers.
Enterprises using a complete enterprise cloud security platform with CSPM can mitigate misconfiguration challenges by informing teams about potential risks with specific system reports.
Pro-tip: Enterprises should also incorporate checklists into their security protocols so all team members know the cloud best practices that reduce misconfiguration errors when using services like Elasticsearch. Sonrai Security has checklists for:
Teams using these resources can prevent a data breach like the one that happened to Cognyte with the right solution. Sonrai Dig is an enterprise cloud security platform that secures identities and data across cloud environments for unparalleled peace of mind. It does this by keeping an inventory of identity and data relationships, monitoring CSPM baselines, and then alerting users about potential security risks. The result? Teams know immediately when unauthorized identities access data, not four days later.
Dig delivers a complete risk model across cloud accounts, cloud providers, and third-party data stores, and it solves the ever-complex cloud security challenges that data-driven enterprises face every day. With Dig, users:
Cloud providers use different services and APIs for IAM and don’t address third-party data stores. Dig solves these issues by standardizing identities and data across platforms and providers.
Misconfigurations result in all kinds of data management ramifications. Cognyte learned this the hard way. Going back to cloud security basics and investing in an automated solution prevents unauthorized persons from compromising sensitive data.
Enterprises can prevent a leaky database by following the recommendations above and reaching out to Sonrai for help with securing cloud resources. Learn more here.