Call it a breach, call it a leak, call it whatever—when it comes to third-party vendors and services, misconfiguration presents challenges.
A recent report from Aaron Costello, chief of SaaS security research at AppOmni, revealed that millions of records were left open to the internet through an API misconfiguration of Microsoft Power Pages. Companies and organizations use the SaaS platform to easily work within Microsoft’s systems to build websites.
The data exposures Costello found “are occurring due to a misunderstanding of access controls within Power Pages, and insecure custom code implementations,” he wrote.
Public health. In an interview with IT Brew, Costello detailed how that misunderstanding led to the leak of millions of records from the UK National Health Service.
“Over 1.1 million individuals’ private data was exposed,” Costello said. “That includes email addresses, phone numbers, and, in many cases, their home addresses as well.”
Costello added that he hadn’t seen any evidence that the leak was exploited by threat actors or other hostile figures. The central concern, he said, is that vendors and SaaS providers aren’t always on top of making sure that their products are configured correctly. In this case, Microsoft did provide that guidance—but that doesn’t necessarily translate to people taking it to heart.
“It’s very, very easy to just take the quickest route to getting the site up and running and not employing security best practices, and that may have happened here,” he said.
Widening issue. As IT Brew has reported, the expanded threat surface from SaaS and third-party vendors is of increasing concern as cyberattacks—particularly ransomware—ramp up. The increased risk from SaaS applications is real, Kerri Shafer-Page, VP of Arctic Wolf’s digital forensics incident response team, told IT Brew in July after the CDK Global dealership breach in June.
“If you introduce multiple different managed service providers…to conduct your business, there’s more risk involved in that, versus some groups like CDK that claim to have a SaaS platform that can do multiple different things,” Shafer-Page said.
For Costello, who follows the threats carefully, SaaS breaches are likely to increase. And Microsoft will likely remain a target, whether it’s the Midnight Blizzard attack in January or this latest misconfiguration.
“The industry, as a result of research like mine, and also attacks happening in the wild like Midnight Blizzard, it's just shone a light on a need for SaaS security,” Costello said.