Wait what? Need the Dark Web? What are you talking about? The truth is so much information about you is already available in all the places where it’s supposed to be secure. Imagine for a second that your personal information only existed in the Dark Web.  Ironically, it might really be less accessible – well to the rightful owners, anyway.  No one said the world was perfect.

Let’s simply accept the fact that all our personal information is in the hands of organizations using it for “legitimate” business purposes.  You know, all those people we don’t know, haven’t met, haven’t authorized to acquire and use our data.  Yet we have no idea about nor any input into how our data is stored, protected, redacted, used, moved, hacked, stolen, etc. You know, kinda’ like the Dark Web. Except, it’s not the Dark Web, we’re talking about legitimate businesses here, doing legitimate business things.  Are you getting my point here?

Recently, my colleague Shawn Allaway wrote an epic piece called “Apathy: Cybersecurity’s Biggest Hurdle,” in which he cites multiple examples of the largest data breaches of our time; the responses to these breaches were, overall, ho-hum. That’s not to say folks didn’t get in trouble, they did, but there seems to be a level of acceptance about the lack of data protection among the populace that belies the unbelievable danger this problem presents to society.

“We have been conditioned not to care. We’ve become apathetic in many ways. Mainly, because we feel no significant immediate impact, financial or otherwise, as a population. Other than the obligatory email from said breached entity to promptly change your password or receiving a new debit card from your local bank “out of an abundance of caution” (my personal favorite line), we really are not impacted. At least, that’s how we have been made to feel.”

What Shawn has captured here is an interesting take on a troubling issue: The cost of doing nothing is still less than doing anything.  A key example of this is the recent Exactis breach. Did you hear about this? Probably not, but it was mentioned in an article in Wired.  Well, let’s wade into this one a bit, shall we?

Key points:

Who: Exactis – a data broker in Palm Coast, Florida.

What: A massive quantity of personal user information exposed to the public internet – 2 terabytes, or approximately 340 million individual user records (phone numbers, home addresses, email addresses and other unspecified, highly personal characteristics attached to every name).

How: Elasticsearch – a massively scalable indexer for large-volume data storage and retrieval – connected to a public address with no restrictions.

OK, so at this point, you might be thinking, “Huh? What does this mean? Does this mean what I think?” Let me put this into context – A quote from this Wired article should set the table nicely:

“It seems like this is a database with pretty much every US citizen in it,” says Troia, who is the founder of his own New York-based security company, Night Lion Security. Troia notes that almost every person he’s searched for in the database, he’s found. And when WIRED asked him to find records for a list of 10 specific people in the database, he very quickly found six of them. “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen,” he says.

So, like it or not, you, your family and everyone you know, are quite probably in this database and that information is probably in the wrong hands at this point.

Sorry to report that, for all you end-users out there, this write-up offers little assurance about how to improve your personal data security. On the other hand, for those of you who are in the business of dealing with data, keep reading.

Do you recognize the name of the platform that hosted Exactis’ data, Elasticsearch? You should, it is a name that everyone in the data business should know. Even if you don’t, the purpose of any such platform is to provide very high-performance access to huge volumes of data, so you’re probably using something like this somewhere. One would hope organizations would be painfully aware of the need for security when consolidating data in this way, right? If Exactis is any example, then maybe the answer is no.

In my opinion, there are three pervasive attitudes on security that create so many problems:

  • The perception that “security just gets in the way of my access to the data. Why can’t we just disable it until I’m done, and turn it back on when I’ve got what I needed?”
  • The presumption that “our data must be secure, why else would I be able to access it?”
  • The feeling that “security is someone else’s responsibility, so why should I worry about that?”

See that? No ownership. Have you ever said or thought this yourself? Unless you’re in the security role at your organization, the odds are good that you carry one of these attitudes. Hey, no judgement here; you’re most likely in a situation where security isn’t your focus, but leveraging data is. Then again, since data is your organization’s most valuable asset, should you not be asking about the security provided around it? If data came in the form of gold bars, would you question how secure the location where that stuff is stored is? Of course you would. If the folks consuming the data at Exactis had asked some simple questions about why there was virtually no security in play when accessing that data, maybe they’d have had a different outcome.

In any event, for you security-minded folks out there, let’s take a look at what can be done, specifically to secure Elasticsearch. Keep in mind that every such platform can be secured, one way or another. The options for Elasticsearch are so simple, and in many ways built in, that there’s hardly an excuse for inaction.

As in most cases, you can’t really blame the technology here. Elasticsearch is not secure out of the box, but it can be if you want it to be. The standard installation instructions talk about the need for end-to-end encrypted traffic with pre-shared key certificates and such, but you don’t need to implement that to make it work. That only addresses part of the security situation here, but it helps if you use those features. Next, Elasticsearch has an add-on called X-Pack that can be installed and configured. This add-on is created by Elastic, the same organization that makes Elasticsearch, so the two were made to work together. X-Pack provides a wide breadth of features including alerting, monitoring, reporting, machine learning and, finally, security. X-Pack offers many ways to safeguard the data stored in Elasticsearch, including:

  • Authentication
  • Authorization
  • Encryption
  • Layered security
  • Audit logging

Configuring X-Pack is not complicated—the benefits far outweigh the potential disastrous consequences.  If you’re currently using Elasticsearch and you don’t have the X-Pack add-on configured, at least, so that you must authenticate to get to the data, I strongly suggest you ask your security team to closely review X-Pack’s features. These are table stakes for data security.
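To make the difference concrete, here is an added example (not code from the original post or from Elastic) that audits two constructed elasticsearch.yml fragments: one bound to every interface with no X-Pack security, the Exactis pattern, and one with authentication, TLS and audit logging switched on. The xpack.security.* setting names are assumed from the X-Pack documentation for Elasticsearch 6.x/7.x; the audit treats an absent flag as off.

```python
# Added example, not from the original post: audit the elasticsearch.yml
# settings that separate an Exactis-style exposure (public bind address,
# no security) from a hardened node. The xpack.security.* names are assumed
# from X-Pack documentation; both configuration texts are constructed samples.

# Constructed: listens on every interface with no X-Pack security at all.
EXPOSED_CONFIG = """
cluster.name: data-broker
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed: same bind, but authentication, TLS and audit logging are on.
HARDENED_CONFIG = """
cluster.name: data-broker
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.audit.enabled: true
"""

NON_LOOPBACK_BINDS = {"0.0.0.0", "::", "_global_", "_site_"}

def parse_settings(text):
    """Parse the flat 'key: value' lines of elasticsearch.yml; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return the findings for one config; an empty list means every check passed."""
    s = parse_settings(text)
    def on(key):                      # assumption: a flag not present counts as off
        return s.get(key, "false").lower() == "true"
    findings = []
    if not on("xpack.security.enabled"):
        findings.append("no authentication/authorization (xpack.security.enabled)")
        if s.get("network.host", "_local_") in NON_LOOPBACK_BINDS:
            findings.append("and the node is reachable beyond loopback (network.host)")
    if not on("xpack.security.http.ssl.enabled"):
        findings.append("REST API is plaintext (xpack.security.http.ssl.enabled)")
    if not on("xpack.security.transport.ssl.enabled"):
        findings.append("node-to-node traffic is plaintext (xpack.security.transport.ssl.enabled)")
    if not on("xpack.security.audit.enabled"):
        findings.append("no audit trail (xpack.security.audit.enabled)")
    return findings
```

Running `audit(EXPOSED_CONFIG)` returns five findings, the first being the missing authentication; `audit(HARDENED_CONFIG)` returns none.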

The moral of this story is: be mindful that you need to protect the data, even if you don’t know what that means. Just ask.

Don’t be the next Exactis, and if you want to learn more, drop me an email and I’ll show you a quick demo of X-Pack on Elasticsearch in action.

Happy to help!
Ben Thurston