Facebook-f Linkedin

Misconfigured cloud security exposes highly sensitive data

Issue

An organization named ABC*, ran its client’s web application support business on AWS cloud. They accidently misconfigured the security features of  new cloud buckets purchased by them, leaving their entire customer’s sensitive information contents at risk. This incident came to light while performing vulnerability assessment and penetration testing of the organization’s cloud infrastructure.

The main business of this organization was building web applications as per the request of the client hosted on AWS cloud, managing its operations troubleshooting and deliver continuous improvement to their developed web applications based on the requirement of the clients. Also, their IT administrator thought that the AWS cloud is best and safe to store sensitive database of their increasing client base as it requires login access. 

This organization used to periodically buy cloud storage buckets from AWS as per ever increasing requirements of the organization’s business. As an ongoing business working part, the IT Team of this organization purchased two AWS buckets to store backup details of organization’s customers documentations and rescue passwords. 

However, the IT administrator forgot to make public AWS bucket private which is Public at default when initially purchased by the organization. Also, he forgot to restrict the bucket access using Cloud- Identity-and-Access-Management (Cloud-IAM) permissions. This vulnerability could let any user across entire internal as well as external organization’s network, access the organization’s entire customer’s sensitive data bucket information in spite of cloud login security access.   

If this vulnerability would have been found by external malicious attacker, he would not only have caused damage to the organization’s business goodwill, but also could have launched critical secondary attacks on this organization’s clients. Thus, this malicious attacker act could have exposed organization’s business sensitive information secret API data, authentication credentials, certificates, decryption keys and confidential data linked with customer information. 

Hence, this issue proves the importance of periodically conducting Vulnerability Assessment and Penetration Testing (VAPT) activity by an organization. Shashwat Solutions conducted VAPT on this organization’s cloud and information systems assets as a part of ISO27001 compliance and system audit as requested by this organization’s director. This activity helps the organization to timely protect its information systems from possible zero day attack, assess and patch their information systems vulnerability after exploiting it if permissible and enhance the organization’s security infrastructure.

Investigation

As a part of security policy compliance, the above ABC organization’s VAPT and system audit was conducted by Shashwat Solutions upon the organization’s director and management approval. 

The primary investigation step taken by Shashwat Solutions was revival of policies signed by the organization with the cloud provider since the organization was using public cloud services. In this process, we followed the recommended process provided by the cloud provider Amazon. Also, as a part of this process, we identified the agreeable items to be covered under the pen-testing plan with the organization’s application admin team. Additionally, we selected the required pen testing tools to identify misconfigurations and flaws in this organization’s AWS cloud and buckets.   

We conducted a range of AWS pen testing specific tests such as EC2 instance and application exploitation, testing AWS IAM keys vulnerability including S3 bucket configuration and permissions flaws. During this process, we discovered that two AWS buckets purchased recently by the organization’s IT team were misconfigured for public access, downloadable to anyone who entered the buckets’ web addresses into their internet browser. The buckets titled “clientele-docs” and “clientele-rescue_ssl” revealed significant highly sensitive internal information of the organization’s clients which were maintained by account named “abcitmang001” a possible indication of the buckets’ origin.

We found significant sensitive data in the above misconfigured cloud. In one of them, the “clientele-docs” AWS bucket  displayed a large amount of database that included sensitive records of organization’s clients, whereas in the “clientele-rescue_ssl” bucket, there was folder named client.aws.abc.com. This folder included “Cloud_File_Store_Rescue_Key”, where several private keys, as well as certificates to decrypt traffic between the above organization and its clients.      

Further it was found during VAPT that the above credentials related to rescue request was linked with the organization’s access to Google cloud server client’s shared data. This vulnerability could give an attacker a chance to compromise the organization’s client’s cloud assets and their network. 

Thus, this VAPT activity helped Shashwat Solutions to identify the security flaw in the organization’s AWS Bucket and its network. Shashwat Solutions further guided the organization’s IT manager in patching this vulnerability urgently to protect the organization’s cloud assets and its network from malicious actor’s attacks.

Analysis

After conducting VAPT of the organization’s AWS cloud environment and it’s information systems, Shashwat Solutions documented report of findings and provided with remediation recommendations to the organization. The report enumerated the risk findings in the organization’s AWS environment including the organization’s network. In one of those risks, we highlighted the above incidence as potential severe high risk which has more likelihood of an exploit from bad actor having greater potential impact on the organization. 

Also, we performed a surprise retest verify remediation before the closure of VAPT project of the organization as critical finding was discovered by us. We professionally consulted the organization’s IT manager and suggested him to stay vigilant and check the organization’s new cloud bucket configurations from time to time. We recommended him possible best practice of setting up a regular schedule to check for inappropriate permissions in cloud apart from scanning network. Also, we directed him in ways of securing his organization’s sensitive information.

Additionally, this organization’s IT manager quietly secured the servers the very moment this incidence came to light. It subsequently shows due to slight carelessness of the IT manager, it could have costed this organization dearly exposing organization’s crucial data and posing serious risk consequences. 

Finally, this cloud leak incidence shows that even the most advanced and secure enterprises can expose sensitive data posing serious risk consequences. It could have led to serious and disastrous consequences such as loss of organization’s goodwill, compromise client’s business environments and heavy amount of financial damage across the entire organization’s business partners.

Thus, this VAPT activity conducted for this organization helped them to secure their data against exposures of the above type of incidence.

Client Testimonials

Know  what our customers have to say about us.

With great appreciation I thank to Shashwat Solution for their enormous efforts in co-operative sector. They have very good skill in maintain good relations through their work with each and every client. May God flourish them more and wish for their ‘Shashwat Existence’ in banking and Industry.
Mr. Mukund Sawaji Kalmakar
Mr. Mukund Sawaji KalmakarChairman Sundarlal Sawji Urban Co-Op Bank Ltd., Jintur President, Maharashtra Co-operative Banks Associations. LTD
For a long time we have been working with Shashwat Solutions. We had a great experience while working with Mr. Ajay Nikumb. He is very knowledgeable, and his readiness to help us during discussions about the system audit and Networking security has always benefited us while doing business and providing uninterrupted service to our customers in a secured service network. We appreciate his commendable knowledge in System audit, IS Network and security.
Dr. Shantilal Singi
Dr. Shantilal SingiChairman Vardhaman Nagari Sahakari Patsanstha M. Aurangabad, Maharashtra
On behalf of Management & all the employees of Pune People's Co-Op Bank Ltd., Pune, I request you to accept the appreciation for the excellent job performed consistently by you and your staff during past several months. In conducting System Audit, VAPT, and Data Migration Audit etc., though it was an enormous task you managed to perform it smoothly and efficiently! During the all assignments, I personally appreciate the professional approach, practical training on cyber security, time management, personal involvement, guidance about Do & Don'ts. I feel that Mr.Ajay Nikumbh & team had proved to be best friend, philosopher & guide for the bank. Thanks to your leadership and dedication. Due to your staff's teamwork and energy, we are enjoying smoothness in systems & procedures. You and your employees really deserves a big appreciation. I personally would like to thank you and your staff which is little difficult in present situation but I will request you to convey my gratitude and regards to all the employees of Shashwat Solutions.
Mr. Dixit Sadanand Vishnu
Mr. Dixit Sadanand Vishnugeneral manager, pune people's co-op bank ltd, PUNE
We have had the pleasure of working with Shashwat Solutions Pune and even more amazing person Mr Ajay Nikumb. He is everything, His thoughtful and understanding nature that sets him above the rest. His ability to listen and understand our needs coupled with his incredible intuition has made all of our transaction seamless. I am working with Walchandnagar Industries Limited. since 2008, Designed / implement the following solutions with M/S Shashwat Solutions 1) Networking 2) MS Exchange 3) Firewalls 4) WAN Security 5) End Point Security 6) Backup solutions
Mr. Ravi Tonapi
Mr. Ravi Tonapi GM IT - Walchand Industries Pune
जान है तो जहान है ' या उक्तीप्रमाणे बँकिंग क्षेत्रातील सायबर सुरक्षेचे पालन करून बँकिंग उद्योगासमोर येणाऱ्या नित्य धोक्यांना यशस्वीपणे सामोरे जायचे असेल तर नावाप्रमाणे शाश्‍वत असे सोलुशन देणाऱ्या श्री अजय निकुंभ सर यांचे आभार शाष्वत सोल्युशन पुणे म्हणजे,सहकारी बॅंका व पतसंस्था यासाठी माहिती सुरक्षेचे चालते बोलते विद्यापीठ आहे.
Mr Shirish Ghanekar
Mr Shirish GhanekarIt Head, Dapoli Urban Bank, Dapoli
We have been working with Shaswat Solutions since long time and its pleasure to work with them. Mr. Ajay Nikumb from Shaswat Solutions is amazing and knowledgeable person. He is everything, His attentive and understanding nature that sets him above the rest. His ability to listen and understand our needs coupled with his incredible intuition has given us solution in each and every area of I S Network, Audit and Security.
Mrs.Sujata Budhkar
Mrs.Sujata BudhkarGM IT -Sahyadri Industries Ltd. Pune
It is my pleasure to share my thoughts on M/S Shashawat Solution & their partner Mr.Ajay Nikumb ever smiling personality We have had the pleasure of discussing our requirement with Shashwat Solutions Pune Mr.Nikumb carrying and understanding nature that sets him above the rest. His ability to listen and understand our needs coupled with his incredible intuition has made all of our transaction seamless. I wish all the best to Shashwat & Mr.Ajay in particular.& getting many more laurels.
Mr.Vijay Laghate
Mr.Vijay LaghateAddl.Director (Purchase & Sourcing) Serum Institute Of India Ltd. Pune
Since 2012 we are working with Shashwat solutions pune. Whenever it comes to excellent services we can completely trust and depend on Mr. Ajay Nikumb and his team.If there is any problem regarding firewall, they will clear it off without disturbing our banks daily work routine Mr. Ajay Nikumb is truly a reliable gentleman . He has a very good listening skill, He first listens an then is ready with a solution over it. I am the Assistant general Manager (Data Centre In Charge) of Jalgaon Janata Sahkari Bank Ltd Jalgaon I am truly satisfied with the services provided by shashwat solutions at present they are providing us with firewall services
Mr. Rajesh Mahajan
Mr. Rajesh MahajanAssistant general Manager (Data Centre In Charge) of Jalgaon Janata Sahkari Bank Ltd Jalgaon
We have been working with Shashwat Solutions for almost past 15 years. We have been always impressed with their friendly but professional approach. Mr. Ajay Nikumb has always helped us in satisfying our requirements, with a Smile. We wish them a great success ahead.
Mr. Danny Nagdev
Mr. Danny NagdevGeneral Manager (IRD), Sr. Program Coordinator (IT-IDMP)
Previous
Next

Our Clients

Shashwat-Clients_0022_Walchand-Ind-Logo.jpg
Shashwat-Clients_0000_Vardhaman-bank-logo.jpg
Shashwat-Clients_0001_Tulja-bhavani-Bank-logo.jpg
Shashwat-Clients_0002_SynthesysLOGO.jpg
Shashwat-Clients_0003_Sundarlala-Sawaji-logo.jpg
Shashwat-Clients_0004_Sangali-Urban-Bank-logo.jpg
Shashwat-Clients_0005_Sahyadri-Logo.jpg
Shashwat-Clients_0007_Raigad-Dist.-CC-Bank-logo.jpg
Shashwat-Clients_0008_Pune-Peoples-logo.jpg
Shashwat-Clients_0009_Neeti-Solutions-logo.jpg
Shashwat-Clients_0010_Nagpur-Nagri-Sahakari-Bank-logo.jpg
Shashwat-Clients_0011_MKCL-logo.jpg
Shashwat-Clients_0012_Mestech-Pune-logo.jpg
Shashwat-Clients_0013_jjsbl_logo.jpg
Shashwat-Clients_0014_Ira-System-logo.jpg
Shashwat-Clients_0015_Hasti-Logo.jpg
Shashwat-Clients_0017_Deendayal-Bank-logo.jpg
Shashwat-Clients_0019_Bharat-Electronics-logo.jpg
Shashwat-Clients_0020_BAIf-logo.jpg
Shashwat-Clients_0021_Ace-Bank-Servers-logo.jpg
Shashwat Clients_0016_Expert Global logo
Shashwat Clients_0018_Cummins Engg College Logo
Previous
Next

Why Shashwat Solutions: Proven solutions that deliver value

Trusted

Trusted for over 20 years to provide faster and more accurate diagnosis of security issues. We understand that it’s not what we say, it’s what we find that matters.

Clear Independence

Shashwat Solutions IT has no constricting ties and no conflicts of interest. We are dedicated and responsive to our clients, allowing Shashwat Solutions IT to make recommendations that are aligned with your risk tolerance.

Cost Effective Recommendations

Shashwat Solutions IT’s proprietary services provide a thorough 360 degree review of your risks. Our recommendations provide a clear description of risks found and as well as cost effective steps to secure your systems.

Experienced

We know your industry. Shashwat Solutions IT has over 10 years of security audit experience in every type of industry from small public firms to large government agencies.

Highest Calibre Audit Team

Shashwat Solutions IT answers to global certifying bodies so you can be assured that all audits and recommendations are made under the highest level of quality, reliability, and thoroughness.