
SoylentNews is people

posted by Fnord666 on Wednesday September 06 2017, @01:13PM
from the leaking-like-a-sieve dept.

Submitted via IRC for TheMightyBuzzard

The personal details of thousands of individuals who submitted job applications to an international security firm were exposed online due to an unprotected storage server set up by a recruiting services provider.

Chris Vickery of cyber resilience firm UpGuard discovered on July 20 an Amazon Web Services (AWS) S3 storage bucket that could be accessed by anyone over the Internet. The server stored more than 9,400 documents, mostly representing resumes of people who had applied for a job at TigerSwan, an international security and global stability firm.

The documents included information such as names, physical addresses, email addresses, phone numbers, driver's license numbers, passport numbers and at least partial social security numbers (SSNs). In many cases, the resumes also provided information on security clearances from U.S. government agencies, including the Department of Defense, the Secret Service, and the Department of Homeland Security. Nearly 300 of the exposed resumes listed the applicant as having a "Top Secret/Sensitive Compartmented Information" clearance.

According to UpGuard, a majority of the individuals whose information was compromised were military veterans, but hundreds of resumes belonged to law enforcement officers who had sought a job at TigerSwan, a company recently described by The Intercept as a "shadowy international mercenary and security firm."

Source: http://www.securityweek.com/details-us-top-secret-clearance-holders-leaked-online


  • (Score: 5, Insightful) by MrGuy on Wednesday September 06 2017, @04:36PM

    by MrGuy (1007) on Wednesday September 06 2017, @04:36PM (#564195)

    The fundamental problem is that it takes only one person to slip up, just once, to expose information. The increased rise of more sophisticated hacking tools and the increased sophistication with which everything that is ever exposed online is indexed and searchable by people with bad intentions means the size of the slip-up required is increasingly getting smaller and smaller.

    Target was compromised because of a vulnerability in their gorram vendor's climate control system, coupled with an admittedly poor decision to let the climate control system have access to the in-store network because, come on, why should I be afraid of the climate control system?

    If you work in an environment where you deal with a lot of data that has to be secured (I've worked with clients that have HIPAA-impacted medical information), it's terrifying. You can build secure, audited systems to hold the data, with state-of-the-art controls on who can access which data. But then you have to worry about all the potential leakage out of that system. Did someone cut-and-paste a bunch of data into a spreadsheet that they shouldn't have? Did someone save some files for offline usage? Are all the machines on our network secure? All the hard drives encrypted? All physically secured? What about the network? Do you have any outside partner companies that can access any of this information? Are THEIR systems as secure as ours? For any machine that can possibly hold sensitive data, are those machines backed up? If so, are the backups secure? Do we use any third-party software or systems that we don't control? If anything is hosted offsite and/or in the cloud, how secure is it? Who configures the systems? How trained are they on secure setup? Could they ever slip up? Again, if vendors are involved, why should we trust them? Are our defenses in depth sufficient that compromise of one node on the system can't compromise sensitive data?

    And all it takes is one slip up by the weakest link in the chain for all your careful planning and security to be for naught. A case I encountered was a company that partnered with a health care company. One of their employees had a laptop that could access sensitive data, and occasionally did. The laptop was well locked down. The sensitive data was deleted after it was used. But the user used a USB hard drive for backing up the machine, and they forgot to click the "encrypt the backups" box. And they had run a backup while the sensitive data was on the machine. Briefcase containing secure laptop and insecure backup drive went missing from an airport. Data compromised. Avoidable? Sure, in theory. But expecting something like this to NEVER happen in a large ecosystem is a tall ask. Because it only takes once.

    I'm not saying that a company trusted with secret data shouldn't be expected to be really, really good at this. And that maybe they should have done more to investigate their vendor's security. They might have shown a lack of vigilance in choosing who to trust with their data. But it could also be the case that they're really, really careful, and despite assurances from the vendor, and reviews of the vendor's practices, in this case the vendor screwed up. Once.

    It's easy to say "you should never be trusted again after any slip up." But you'll run out of potential partners really quickly.
