Mumsnet has experienced a data leak. Users logging into their accounts were given access to other users’ details, with account information being “switched”. It appears this happened while Mumsnet was migrating services to the cloud.
Experts’ comments below:
Stephen Gailey, Solutions Architect at Exabeam:
“The Mumsnet breach is not that shocking, at least to me. It is not the activity of malicious hackers trying to steal data; instead it seems to be the result of poor programming – again. And this particular problem is also nothing new. Banks and other online organisations have been experiencing just this problem for almost two decades now; I think the first report of synchronous logins revealing the other user’s data that I can recall was in the early 2000s. What this underlines is that the root cause of most security breaches, whether they are malicious or accidental as in this case, tends to be poor software development processes or poor operational processes.
Organisations tend to look outwards to understand the threats they face, but perhaps they should look inwards at how they build and run Internet facing systems. The new rush to digitisation is likely to fill our press with reports like this one. The truth of the matter is the same as it has always been, the limiting factor for any organisation is the quality of the people it can hire and retain.”
Naaman Hart, Managed Services Solutions Engineer at Digital Guardian:
“It’s really pure speculation as to how this incident happened, but it would likely have been caused by a mix-up in the intermediary steps of the login process. Typically when logging in you validate yourself and you’re given an identity. That identity has access to your data. In a case where this process has a problem it’s possible that the identity you’re given is someone else’s. This can happen if the service already has an answer in mind, cached/remembered, and it serves up that answer instead of doing the legwork to find the real answer.
Moving to the cloud has nothing to do with this failure. It simply highlights that the company is going through a large IT project where complications can arise. That said, security is different in the cloud but typically it’s purely misconfiguration that leads to problems. There is also a lack of rigour applied to validation processes to ensure that companies truly know where their data is stored once in the cloud and how much control they actually have over it.
Every cloud service that interacts with that data is a potential for a leak and companies need to ensure they’re very well versed in who touches what and where it moves. A prime example comes from the very design of cloud hosted systems. By their very nature they are meant to be resilient. Resilient means they have copies of everything in case of failure. These copies can extend to your data and you can very easily find that your data exists in many places you didn’t think it did. Data sovereignty therefore needs to be taken seriously.
The best practices are to learn the benefits and pitfalls of moving to the cloud. Companies will likely gain some native security benefits from moving to newer technologies but they also gain the headache of learning the intricacies of these platforms. If they do not learn how to work well with them then they can find themselves making small misconfigurations that lead to big problems.”
Steve Armstrong, Regional Director, UK & Ireland at Bitglass:
“Indications are that this issue was fixed with a roll back. This likely suggests an underlying database configuration issue. It’s very unlikely to be a caching issue browser side – so this suggests a server-based issue. This in turn would speak to a misconfiguration either in the database platform or potentially, on the infrastructure the database was hosted. There are generally security models built into most platforms, but they only solve part of the problem – security in depth is always a better approach.
Moving to the cloud poses some new challenges to any organisation – being able to securely configure platforms requires a robust set of controls and processes to be in place. Outside of the human factor or testing before a release, it is important to have the appropriate technology controls in place. These controls should help reduce risk whilst enabling the business. When moving to the cloud it is important to first assess the risks and map those to the required controls.
If there is a gap in control versus risk an organisation typically has two approaches. The first approach is to update its risk register and accept there is some form of risk. Second, they can implement the controls through the use of technology designed to secure and monitor these environments. In the main these organisations have a risk versus reward balance to maintain – controls should be sufficient enough to mitigate the risk whilst not hindering business agility. The challenge of securing the cloud is ever changing; the pace at which platforms, service and infrastructure in the cloud changes makes risk a moving target that can be hard to 100% mitigate.”
Carl Leonard, Principal Security Analyst at Forcepoint:
“Whilst the size of this data breach may seem small in comparison to other recent incidents, the real impact will be on Mumsnet’s reputation and ultimately user trust. Even one user seeing another user’s personal information is a breach of privacy, and it will be interesting to see how the ICO’s response sets the tone going forward.
Users are only becoming more savvy about the value of their personal data and who they’re entrusting to protect it. Mumsnet have suffered similar incidents before and in this case acted quickly to rectify the situation, but more must be done in future to ensure that data remains protected before it’s too late.”
Dan Pitman, Principal Security Architect at Alert Logic:
“Session Management is a key part of the OWASP Top 10 web application vulnerability list. The list says “Broken authentication occurs when the application mismanages session related information such that the user’s identity gets compromised. The information can be in the form of session cookies, passwords, secret keys etc.”
When users log into a website they are given some kind of unique reference on the server and possibly on their local computer that identifies them for the duration of their browsing session on that site. In this case, it is most likely that a bug in bespoke software or a vulnerability from a third party component was introduced that caused people to receive someone else’s session management unique ID and the server proceeded to serve up the other individual’s data based on that.
This issue correlates with moving to the cloud but is most likely not caused by it. Their statement reads “a software change, as part of moving our services to the cloud” – the issue here is an application (software) change, most likely in how they are managing user sessions in the application as above.
Moving to the cloud is often seen as an opportunity for transformation, in the application itself, release management and other areas – doing these things should not be attempted in one go unless absolutely required (e.g. the application will not run in a virtualised environment) – when it is required, there should be awareness that multiple areas of transformation increase the quality assurance by significant factors.
When moving to the cloud, organisations should get specialist advice. If they do not have in-house expertise, they should employ a third party who has experience and do not depend on individuals. Migration from one place to another is always prone to failure in some areas, so minimise changes into phases and make sure that security is a top priority.”
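The failure mode Naaman Hart and Dan Pitman describe above (a remembered answer served in place of a fresh session lookup) can be reproduced with a response cache whose key ignores the session. The following Python is an added example, not code from Mumsnet or from the commenters; the handler, cache classes, session IDs and account data are hypothetical and constructed for illustration.

```python
# Added illustration: a response cache in front of a personalised endpoint.
# All names (SESSIONS, account_page, PathOnlyCache, ...) are hypothetical.

SESSIONS = {"sid-alice": "alice", "sid-bob": "bob"}   # constructed sample data
ACCOUNTS = {"alice": "alice@example.test", "bob": "bob@example.test"}


def account_page(session_id):
    """Origin handler: resolves the session to a user and renders their data."""
    user = SESSIONS[session_id]
    return {"user": user, "email": ACCOUNTS[user], "private": True}


class PathOnlyCache:
    """Flawed: the cache key ignores who is asking."""

    def __init__(self):
        self.store = {}

    def key(self, path, session_id):
        return path

    def cacheable(self, response):
        return True

    def get(self, path, session_id):
        k = self.key(path, session_id)
        if k in self.store:
            return self.store[k]        # served without resolving the session
        response = account_page(session_id)
        if self.cacheable(response):
            self.store[k] = response
        return response


class SessionAwareCache(PathOnlyCache):
    """Hardened: per-session key, and private responses are never stored."""

    def key(self, path, session_id):
        return (path, session_id)

    def cacheable(self, response):
        return not response.get("private", False)


def identity_mismatches(cache, requests):
    """Regression check: list requests whose response belongs to another user."""
    found = []
    for path, sid in requests:
        response = cache.get(path, sid)
        if response["user"] != SESSIONS[sid]:
            found.append((sid, response["user"]))
    return found
```

Running `identity_mismatches` with two different sessions requesting the same path is the kind of pre-release check that exposes this class of bug before a migration goes live.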
Lamar Bailey, Director of Security Research and Development at Tripwire:
“Every change to an organisation’s infrastructure is a delicate process that needs to be planned out and carefully executed. While – depending on the cloud service model – the responsibility of maintaining the security ‘of the cloud’ is entrusted to the cloud service provider, the security of the data ‘in the cloud’ is still the responsibility of the customer, and so is the security and effectiveness of the migration process. It makes sense for a glitch like the one experienced by Mumsnet to have happened as a consequence of a misconfiguration during the migration process, but thankfully, the breach was contained and swiftly reported.”
“The most common reason for a failure in the cloud migration process is poor planning. Organisations need to be able to allocate the necessary resources into the migration process. This could be having increased personnel, training for existing staff and taking experts’ advice on realistic budget and execution time.”
“The best way to prevent these issues happening is to prepare thoroughly for cloud migration, taking into account that the process could potentially take time and resources. Not rushing is paramount to maintaining the security of the enterprise, and sometimes it might be advisable to migrate services one by one, starting with the less critical, to ensure that the process is running smoothly. Organisations should also ensure that they have well trained and skilled personnel on the task.”
“The best way for organisations to maintain security when moving to the cloud is to have in place foundational controls, that monitor file integrity, configuration management, asset discovery, vulnerability management, and log collection. The majority of cloud breaches, however, can be traced back to misconfiguration and mismanagement of cloud-native controls, therefore it is careful planning and preparation that will ultimately protect businesses during the migration to a cloud environment.”
Todd Peterson, IAM Evangelist at One Identity:
“Just like any technology move, most moves to the cloud are driven by the desire to achieve certain functionality, not security. Consequently security is usually an afterthought and retrofitted on the cloud application, and not as a core tenet of the adoption. If you were adding something to the on-prem enterprise, you would go through a thorough review and testing to make sure it met your needs and was secure. Because the cloud is so easy to adopt (you just subscribe and go) the tendency is to avoid the important security review step.
The best practices for maintaining security when moving to the cloud are to treat all of your cloud infrastructure just like you treat your on-prem stuff. Strive to have consistent policies across both. Put as much rigor into your security approach to the cloud as you do to your on-prem stuff. Plan for the worst and act accordingly.”