IGI Cybersecurity Blog

Learning From the MGM Breach: How to be Cloud Smart

Written by Robert Wilson | Feb 27, 2020 8:10:07 PM

When it comes to storing data in the cloud, millions of Americans are receiving notifications of a compromise of their Personally Identifiable Information (PII) from an enterprise they trusted to store it. These notifications are required by laws across the U.S.—attempting to hold companies accountable.

The potentially devastating effects of a data breach of PII are known mostly to the victims and are typically a result of poor cloud security. Headlines are riddled with case after case about well-established companies—like the Capital One breach affecting 10 million customers, or the biggest incident of recent years affecting Mariott International and exposing around 339 million guest records. Others include Adobe, Sony, Target, Equifax, and now the recently-disclosed resorts and casino behemoth MGM International Breach, which exposed information of nearly 10.7 million hotel customers.

The MGM data dump on July 10, 2019 was repackaged and recently re-posted online amplifying the effects—stirring up the discussion on tech forums and potentially rekindling a new wave of scams; all typical of the dark web. The recent MGM data dump included names, emails, dates of birth, phone numbers, and addresses of former guests. Affected MGM customers should expect to see fraud attempts made again due to the refreshed post. MGM Resorts publicly acknowledged the breach and that they notified customers after ZDNet, a technology news website, published a report last week detailing the breach.

MGM is now being sued via a class-action lawsuit. The lawsuit and unwanted publicity could take several years to resolve, and it has put pressure on shares during a time when MGM is attempting to resolve its high-leverage and cash flow issues.

Hotels are an increasingly popular target for both cyber-criminals and nation state operatives. Hotel chains and travel companies have also been a major target for Chinese espionage, in particular, because they store VIP executives and government officials with security clearances. Among the guests effected in the MGM breach were Justin Bieber, Twitter CEO Jack Dorsey, and officials with the Department of Homeland Security and Transportation Security Administration, according to ZDNet.

Cloud security remains a significant challenge because shadow IT is proliferating rapidly. Adopting the cloud is trending quickly due to the processing power and agility required to be competitive in the innovative and fast-paced business landscape. As a result, nearly 33.4 billion records have been exposed over the last two years as thousands of companies move to cloud environments without the appropriate security in place, according to DivvyCloud research.

Another report, conducted by Crowd Research Partners, found that 62% of cybersecurity and IT professionals surveyed identified misconfiguration as the biggest threat to cloud security. A shared-responsibility model applies to the relationship between a customer and their cloud service provider (CSP). Secure installation and management of the underlying hardware and software infrastructure is the CSP’s obligation, but the secure configuration of consumed resources is the customer’s responsibility.

The familiar expression that "Life is 10% of what happens to you and 90% of how you react to it" certainly applies here as the victims are real people and real companies in the 10%. And although we may not be able to pick the perfect timing of these sorrowful events, we can choose to change times.

Forming a heterogeneous team of experts can benefit both the organization and its people. A diverse team will be better equipped to identify the organization’s requirements and business needs accurately and completely. In turn, the organization as a whole, through its people, will be more likely to understand the potential capabilities and power of the cloud.

Proactive cloud security is knowing the details of who is accessing cloud apps and data. Then companies can begin to assess the risks associated with various user activities and quickly spot anomalies. Real-time analytics on who is accessing sensitive and confidential assets and from where is necessary to prevent data exfiltration or access with automated policies. Additionally, full cloud visibility should incorporate a baseline understanding of normal, safe behavior. Behavioral analytics can provide prioritized alerts for anomalous activities, particularly for high-value targets like cloud administrators.

With the increasing adoption of DevOps practices, application developers are starting to write infrastructure as code (IaC) to automate deployments. Automation leads to consistency in configurations, but developers are new to cloud infrastructure and require proper guidance. Whether compliance with NIST 800-171, state and local laws, regulations or the application of cloud security best practices, integration of security assurance into Security Operations Center (SOC) allows the continuous governance process, from setting the security baseline to monitoring the actual status and tracking any issues through resolution. You can then implement continuous compliance assurance to know at any point in time its actual compliance status and risk exposure.

Whether it be Public, Private Cloud on PaaS, IaaS, SaaS—there is a need for people, processes and solutions because as you can see here, technology can also end up being the problem as everyone rushes toward it at once. As time goes by, one would hope that technology matures and, hopefully, we mature in our accountability for the systems which serve the people.

Be Cloud Smart instead of Cloud First; get smart about protecting our data in the cloud and contact IGI to set an appropriate roadmap to meet these goals (and save everyone from headaches and heartburn).