Photo: In this photo illustration, the smartphone app Uber shows how to select a pickup location at the Camp Nou Stadium on July 1, 2014 in Barcelona, Spain. David Ramos/Getty Images

Even in these days of rapid innovation and heightened security awareness, there’s little that can stop human mistakes from leading to disastrous consequences for businesses. This is especially true when we rely on manual processes and practices in developing complex applications. Fortunately this is also a time of smart, scalable automation, and we now have the tools we need to stop these disasters in their tracks.

Last week, we heard about a breach at Uber that made headlines as much for Uber's belated public acknowledgment as for the breach itself. Credentials for Uber's cloud storage account were stored in plaintext in a cloud-hosted source code repository. Attackers found those credentials and used them to download the private data of millions of Uber customers. The breach happened about a year ago, but Uber kept it quiet, and the details have only recently surfaced.

Delayed disclosure aside, what interests those in the domain of cloud security is that, at what is widely regarded as one of the top technology companies in the world, developers committed plaintext credentials into a GitHub repo, and the consequences were very real and very bad. This news comes on the heels of both a massive breach at Equifax, which resulted from an unpatched vulnerability in an open source component (Apache Struts), and a major leak of U.S. military data from misconfigured Amazon Web Services S3 buckets. All of these exposures stemmed from human mistakes.

Effective secrets management relies heavily on human awareness and motivation to do things the right way, the discipline to follow best practices. There are various utilities that can prevent developers from storing plaintext secrets in code repos, but developers still have to install and use them. It comes down to process discipline: the system is only as strong as the person who does a task wrong or skips a step. A similar situation arises with patching open source components, which typically release frequently and require constant diligence and maintenance.
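One such utility, as an added example that is not code from the original article or from Fugue: a pre-commit check that scans only the lines a developer is adding, flags well-known credential shapes and any long high-entropy token, and reports the exact line so the commit can be rejected before the secret ever reaches the repo. The diff it scans is constructed for the example; the AWS values in it are the placeholder keys from AWS's own documentation, not real credentials.

```python
import math
import re
from dataclasses import dataclass

# Credential shapes worth blocking at commit time. The AWS access key ID
# format (AKIA followed by 16 uppercase alphanumerics) is documented
# publicly; the second pattern catches any password/secret/api-key/token
# variable assigned a quoted literal; the third catches pasted private keys.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_secret": re.compile(
        r"(?i)\b\w*(?:password|passwd|secret|api_?key|token)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Long base64/hex-looking tokens are checked by Shannon entropy as a
# catch-all for credentials that match no known pattern.
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, e.g. 5.0 for 32 distinct characters."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    line_no: int   # line number in the new version of the file
    kind: str
    excerpt: str


def scan_added_lines(diff_text: str, entropy_threshold: float = 4.0) -> list:
    """Return findings for the '+' lines of a unified diff, such as the
    output of `git diff --cached`. Line numbers are tracked from the hunk
    headers so a hook can point at the exact offending line."""
    findings = []
    new_line = 0
    for raw in diff_text.splitlines():
        m = HUNK.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith(("+++ ", "--- ", "diff ", "index ", "\\")):
            continue
        if raw.startswith("-"):
            continue          # removed line: consumes no new-file line number
        if not raw.startswith("+"):
            new_line += 1     # unchanged context line
            continue
        text = raw[1:]
        hits = [kind for kind, pat in PATTERNS.items() if pat.search(text)]
        if not hits:
            # Fall back to entropy only when no known shape matched, so each
            # line is reported once.
            for tok in TOKEN.findall(text):
                if shannon_entropy(tok) >= entropy_threshold:
                    hits.append("high_entropy_token")
                    break
        for kind in hits:
            findings.append(Finding(new_line, kind, text.strip()[:60]))
        new_line += 1
    return findings


# Constructed sample: a staged change that hard-codes credentials. The AWS
# values are the placeholder keys from AWS's documentation, not real ones.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,7 @@ import os
 DEBUG = False
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2-prod-2017"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+HEADERS = {"Authorization": "Bearer 9f3kZ2mQ8vL1xR7tN4bW6yH0pC5dAjeG"}
+ALLOWED_HOSTS = ["api.example.com"]
 TIMEOUT_SECONDS = 30
"""

if __name__ == "__main__":
    for f in scan_added_lines(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.kind}: {f.excerpt}")
    raise SystemExit(1 if scan_added_lines(SAMPLE_DIFF) else 0)
```

Wired into `.git/hooks/pre-commit` and fed `git diff --cached -U0`, the script exits non-zero whenever it finds something, so the commit fails regardless of whether the developer remembered to run it. Scanning only added lines keeps the hook fast and avoids re-flagging history; a separate full-history scan is still needed once, because anything already committed must be treated as compromised and rotated, not just deleted.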

An emerging area of concern is cloud infrastructure configuration. Among the promises of the cloud is the ease with which anyone can spin up powerful computing infrastructure and manage those resources as code. The ready availability of cloud application programming interfaces (APIs) also introduces tremendous potential risk. It's trivially easy for a human to misconfigure an important setting, such as encryption for a data store or the ingress rules of a security group, leaving an application exposed to attackers or out of compliance with corporate or regulatory policies. In the case of the military data leak, properly configured S3 bucket permissions would have prevented it.
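Because infrastructure is managed as code, those settings can be checked by code before anything is deployed. The following is an added example, not code from the original article or from Fugue: a small policy evaluator over a simplified, assumed resource model (plain dictionaries with `type`, `name` and a few attributes, not the real CloudFormation or Terraform schema) that flags a bucket with a public ACL or no server-side encryption and a security group that opens an administrative port to the whole internet, run against a constructed weak configuration and its corrected form.

```python
import ipaddress
from typing import Dict, List, Tuple

# Ports that must never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. 'anyone on the internet'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_bucket(res: Dict) -> List[str]:
    """Object storage must be private and encrypted at rest."""
    problems = []
    if res.get("acl", "private") != "private":
        problems.append(f"bucket ACL is {res['acl']!r}, must be 'private'")
    if not res.get("sse_algorithm"):
        problems.append("no server-side encryption configured")
    return problems


def check_security_group(res: Dict) -> List[str]:
    """World-open ingress is acceptable only for non-admin ports."""
    problems = []
    for rule in res.get("ingress", []):
        if not any(is_world_open(c) for c in rule["cidrs"]):
            continue
        lo, hi = rule["from_port"], rule["to_port"]
        if rule.get("protocol") == "-1" or (lo, hi) == (0, 65535):
            problems.append("all ports open to the world")
        else:
            exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
            if exposed:
                problems.append(f"admin port(s) {exposed} open to the world")
    return problems


# Assumed resource type names for this simplified model.
CHECKS = {"s3_bucket": check_bucket, "security_group": check_security_group}


def evaluate(resources: List[Dict]) -> List[Tuple[str, str]]:
    """Run every applicable check; returns (resource name, problem) pairs."""
    violations = []
    for res in resources:
        for msg in CHECKS.get(res["type"], lambda r: [])(res):
            violations.append((res["name"], msg))
    return violations


# Constructed configurations: the weak one mirrors the mistakes the article
# describes, the fixed one is the same infrastructure with the settings
# corrected. Port 443 stays world-open in both; that is expected for an API.
WEAK = [
    {"type": "s3_bucket", "name": "customer-exports",
     "acl": "public-read", "sse_algorithm": None},
    {"type": "security_group", "name": "api-sg", "ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]},
    ]},
]
FIXED = [
    {"type": "s3_bucket", "name": "customer-exports",
     "acl": "private", "sse_algorithm": "aws:kms"},
    {"type": "security_group", "name": "api-sg", "ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["10.0.0.0/8"]},
    ]},
]

if __name__ == "__main__":
    for name, msg in evaluate(WEAK):
        print(f"{name}: {msg}")
    print("fixed config violations:", evaluate(FIXED))
```

Run as a gate in the deployment pipeline, a check like this fails the build on the weak configuration and passes the corrected one, so the rule is enforced on every change rather than depending on whoever happens to review it. The same evaluator can be run periodically against the live account to catch drift introduced through the console or the API after deployment.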

Few organizations are immune to these missteps, staffed as they are by humans. In any company, parts of the software portfolio routinely slip through the gaps in manual inspection and violate some known good practice or formal policy. There are projects where secrets are being mishandled, where known vulnerabilities in open source components remain unpatched, or where misconfigured infrastructure leaves an application vulnerable or out of compliance. These mistakes are time bombs, ticking quietly away until the day they finally explode, shattering client and consumer trust. Then it's too late.

We humans are complicated beings. We’re constantly negotiating with ourselves about our goals and how to achieve them. We’re busy and often distracted by the events happening in our lives, and we’re usually more than willing to take shortcuts if it means we can cross items off our to-do lists or reach some goal more quickly.

We’re also limited beings. We can only hold so much information in our brains, and when it comes to complex distributed systems, it's hard for any individual person to have a complete understanding of the whole and all its parts. It’s very easy to miss details and forget things, despite cognitive biases that have us thinking we’re quite on top of it. We make mistakes without even knowing they are mistakes.

But don't panic. This is a message of hope! Robust security automation is possible throughout the cloud-based application stack and delivery workflow. Computers can do the checking for us. From code analysis and open source component scanners to infrastructure governance and endpoint protection, organizations can adopt automated approaches to security and compliance that ensure rules are followed, known vulnerabilities are patched and breaches are stopped before they happen.

Automating security and compliance means we can continue to deliver innovation at the speed modern business demands while staying protected from our own messy human flaws. Computers apply a rule the same way every time and never tire of checking it, which is exactly what we cannot do. Automation means that the time bombs of carelessness, ignorance or simple misconfiguration can be uncovered and defused, and we can move fast with confidence for the sake of our users and for the success of our businesses.

Josh Stella is the co-founder and CEO of cloud management company Fugue.