How to Prevent Elasticsearch Breaches

    Jul 1, 2020 / by SecureCloudDB

    Data breaches are nothing new. They’ve been occurring for decades. Many times, cybersecurity hacks are cited as the cause. However, leaks aren’t always the result of malicious activity designed to exploit vulnerabilities. Oftentimes they occur as the result of human error, forgetfulness or lack of follow-through. A security violation not only compromises the data an organization is responsible for, but also puts its reputation at risk. One such example occurred just a few weeks ago in May.

    Justin Paine (aka Xxdesmus), a security incident investigator who uncovers data leaks and shares the gory details on his blog, “recently discovered an exposed ElasticSearch database when browsing BinaryEdge and Shodan.” More than 8.3 billion records were leaked over a period of three weeks.

    The database, consisting of four Elasticsearch nodes housing NetFlow and DNS query logs, was left open to the public internet by a subsidiary of Thailand-based telecommunications company Advanced Info Service (AIS). It’s not clear if that was the result of a misconfiguration, mistake or malicious intent. 

    Per Cisco, NetFlow uses a fingerprinting methodology that creates “an environment where administrators have the tools to understand who, what, when, where, and how network traffic is flowing.”

    Domain Name System (DNS) logs are used to pinpoint the location of servers.

    Collectively, this information provides a trail of AIS customers’ internet activity, including what websites they visited, what applications they used, and the type of devices on their network. While some may not consider this information to be sensitive in nature, and even AIS deemed it “non-personal, non-critical sampling data,” others would argue it does provide valuable information.  

    In fact, The Tech Portal noted in its coverage of the event that, “this could prove to be valuable information for personalities such as journalists and activists as the logs would reveal their sources. Hackers could also use such records to target specific users, based on their browsing history.”

    Unfortunately, stories like this are not uncommon. In December 2019, Microsoft exposed 250 million customer service records via a misconfigured Elasticsearch database, and in March 2020 more than five billion records were exposed after an Elasticsearch “data breach database” was left unprotected.

    An increasing number of incidents underscore the need for organizations, including those that use public cloud databases, to take more precautions in securing their data. While cloud database providers build some security measures in, they don’t address every possible incident.

    For example, an organization would benefit from using Amazon’s Elasticsearch Service, which provides cluster monitoring tools that are designed to let customers know when their data has been adjusted. Additionally, Amazon’s VPC, KMS keys, and IAM policies enable organizations to adhere to some security protocol best practices.

    But these measures do not empower an organization to confirm without a doubt that configurations are correct, that data is encrypted both at rest and in transit, or that human error has been eliminated across all of their public cloud database instances. The only way to do that, and in turn prevent data breaches, is by employing complementary processes and security tools designed to provide assurance that the databases are protected. 

    SecureCloudDB does just that. If AIS and its subsidiaries were using SecureCloudDB, the data leak would have been prevented. 

    As part of locating and reporting on database inventory, running security-violation assessments and calculating risk summaries, SecureCloudDB:

    • Checks for open Elasticsearch clusters, answering "Is my instance publicly accessible?" and making it obvious if action needs to be taken

    • Provides assurance that authentication is properly configured

    • Complements security protocol for AWS and Azure cloud databases
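    A configuration audit of the kind the first two checks describe, written here as an added example (it is not SecureCloudDB’s code): it inspects an Amazon Elasticsearch Service domain description and flags public accessibility, a missing VPC endpoint and disabled encryption at rest or in transit. The sample document is constructed, and the field names assume the shape of the AWS `describe-elasticsearch-domain` response.

```python
import json

# Constructed sample in the shape of a describe-elasticsearch-domain response
# (assumed field names): internet-facing, allow-all policy, no encryption.
SAMPLE_DOMAIN = {
    "DomainStatus": {
        "AccessPolicies": json.dumps({
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "es:*",
                "Resource": "arn:aws:es:us-east-1:111122223333:domain/netflow-logs/*",
            }],
        }),
        "EncryptionAtRestOptions": {"Enabled": False},
        "NodeToNodeEncryptionOptions": {"Enabled": False},
        "DomainEndpointOptions": {"EnforceHTTPS": False},
    }
}


def principal_is_anyone(principal):
    """True for a wildcard principal in any of the forms IAM policies allow."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def audit_domain(description):
    """Return the list of findings for one domain; an empty list means clean."""
    status = description["DomainStatus"]
    findings = []
    # Publicly accessible = no VPC endpoint plus an unconditional allow-all statement.
    if not status.get("VPCOptions", {}).get("VPCId"):
        statements = json.loads(status.get("AccessPolicies") or "{}").get("Statement", [])
        for stmt in (statements if isinstance(statements, list) else [statements]):
            if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                    and principal_is_anyone(stmt.get("Principal"))):
                findings.append("publicly accessible: allow-all policy and no VPC endpoint")
                break
    # Encryption at rest and in transit, which the article says must be confirmed.
    if not status.get("EncryptionAtRestOptions", {}).get("Enabled"):
        findings.append("encryption at rest disabled")
    if not status.get("NodeToNodeEncryptionOptions", {}).get("Enabled"):
        findings.append("node-to-node encryption disabled")
    if not status.get("DomainEndpointOptions", {}).get("EnforceHTTPS"):
        findings.append("HTTPS not enforced on the endpoint")
    return findings
```

    Run `audit_domain` over every domain returned by the account’s domain listing; any non-empty result is the “action needs to be taken” signal the checks above refer to.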

    Don’t let your organization become another statistic; another headline; another inductee into the data security hall of shame. Employ solutions that eliminate doubt and provide assurance that data is protected. 
