Companies warned on big data security

A large number of businesses may be inadvertently exposing sensitive company or customer data to the public as they have not adequately secured their big data analytics operations.

This is according to cyber security firm Binaryedge, which stated in a recent blog it had uncovered more than one petabyte (one thousand terabytes) of data available on the open internet for anyone with the skills and knowledge to find it.

The company examined four popular big data technologies – MongoDB, Redis, Memcached and ElasticSearch – and found there were several common configuration errors and oversights that may leave valuable data vulnerable.

"Companies are still figuring out how to use these technologies and by default they are not secure," the organisation said, noting: "Default settings tend to have no configuration for authentication, encryption, authorisation or any other type of security controls that we take for granted."

In some cases, even basic access controls are not built-in as standard and will have to be configured by the IT department.

Businesses of all sizes are failing to meet their responsibilities when it comes to securing their big data assets. Binaryedge's study found misconfigured installations at companies ranging from small businesses to global top 500 enterprises.

When examining MongoDB, for instance, the company found 39,134 server instances around the world that answered its requests without requiring any form of authentication. These databases, which commonly had names such as 'local' and 'admin', contained 618 terabytes of information – though Binaryedge's probes did not collect any details on what this included.

The security firm may not be the only actor aware of the weakness, as it uncovered 347 cases where a MongoDB database had been named "DELETED_BECAUSE_YOU_DIDNT_PASSWORD_PROTECT_YOUR_MONGODB" by an unknown individual.

Other problems Binaryedge found included frequent use of old versions of key technologies that businesses have failed to update. In these cases, not only data but even servers may be compromised.