Microsoft Customer Service Records Exposed via Misconfigured Servers
Five improperly configured Elasticsearch servers resulted in the exposure of 250 million Microsoft customer support records for several weeks late last year. The exposure was due to misconfigured security rules that were implemented on December 5, 2019. Microsoft was notified of the problem on December 29, and had fixed the problem by December 31. All five servers stored the same information.
One aspect of the story here is that if a company as skilled as Microsoft is making catastrophic configuration errors in setting up cloud and open source applications, how badly configured are those applications when used by less sophisticated organizations?
If we cannot rely upon Microsoft to properly configure systems, it is unlikely that their customers will be able to do so. We need fewer choices, safe defaults out of the box, and better direction, documentation, and supervision.
William Hugh Murray
OWASP A6 "Security Misconfigurations" is really getting a lot of action with admin misconfigurations of cloud services and open source software in particular. The telling quote in the Microsoft Response Center blog post: "Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database." Why not, and where else has this happened, are the key questions: were the controls simply policy statements ("This should be done") vs. gates ("Database does not go into production unless this has been done")?
Security misconfiguration of cloud services has become a recurring theme. While developers have embraced the ease of creating and deploying solutions, the criticality of appropriate access controls seems to be missed. Rapid deployment of solutions needs to include independent verification of the security settings prior to production release. When implementing services, particularly cloud-based, be sure to enable verification and monitoring of the security baseline.
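As an added illustration of the "gate, not policy statement" point made in the two comments above, here is a small Python pre-production check over an elasticsearch.yml (example code written for this page, not anything from Microsoft, Elastic or the editors). The sample configs are constructed, and treating a missing xpack.security.enabled as "off" is an assumption that matches the default of releases before Elasticsearch 8.0.

```python
# Added pre-production gate (not from the NewsBites page or Elastic): reads the
# flat "key: value" lines of an elasticsearch.yml and blocks deployment when the
# node would answer unauthenticated or clear-text HTTP on a non-loopback address.

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines elasticsearch.yml normally uses (no nesting)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def gate_findings(yaml_text):
    """Return a list of (severity, message); an empty list means nothing to report."""
    s = parse_flat_yaml(yaml_text)
    host = s.get("network.host", "_local_")          # Elasticsearch binds loopback when unset
    exposed = host not in LOOPBACK
    # Assumption: xpack.security.enabled defaulted to false before 8.0, so absent means off.
    security = s.get("xpack.security.enabled", "false").lower() == "true"
    http_tls = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    findings = []
    if exposed and not security:
        findings.append(("CRITICAL", f"bound to {host} with authentication disabled"))
    if exposed and security and not http_tls:
        findings.append(("HIGH", "authentication on but HTTP TLS off: credentials cross the wire in clear text"))
    if not exposed and not security:
        findings.append(("LOW", "authentication disabled; tolerable only for a loopback-only dev node"))
    return findings

def passes_gate(yaml_text):
    """The gate itself: deployment is blocked on any CRITICAL or HIGH finding."""
    return not any(sev in ("CRITICAL", "HIGH") for sev, _ in gate_findings(yaml_text))

# Constructed samples: an internet-facing node with security never enabled, and the
# same node with authentication and HTTP TLS turned on.
WEAK_CONFIG = "cluster.name: support-db\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"
HARDENED_CONFIG = (
    "cluster.name: support-db\nnetwork.host: 0.0.0.0\n"
    "xpack.security.enabled: true\nxpack.security.http.ssl.enabled: true\n"
    "xpack.security.http.ssl.keystore.path: certs/http.p12\n"
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "PASS" if passes_gate(cfg) else "BLOCK", gate_findings(cfg))
```

Wired into a deployment pipeline, a non-zero exit on `passes_gate` returning False is what turns "this should be done" into "this does not ship until it is done".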
Read more in
Comparitech: Report: 250 million Microsoft customer service and support records exposed on the web