Today, I wanted to discuss the most pressing problems which MongoDB based applications are suffering with. Worldwide the attacks on MongoDB including taking the database for hostage grew multi-fold in 2017 only. By some analysis, within one week of January 2017, these incidents grew to 28000.
As most of you – developer community in big data and other NoSQL applications – know that MongoDB is one of most scalable, high performance NoSQL database available as open source. Easy integration and vast number of supporting utilities and document store type database with JSON structure formats, makes it particularly popular with big data enthusiasts and serious system developers. According to DB Engine’s Rankings, MongoDB is 5th most used and deployed document store style database in the world as of May 2017. It is available as open source and supported enterprise versions. The enterprise version includes multiple security features.
Security professionals on Twitter, LinkedIn and many other security bloggers have been talking about this issue from various perspectives. Some of them including Ericka Chickowski have pointed out common lapses of security in the ransomed deployments. In my opinion, below are major reasons:
- Deployments without administrative passwords and authentication
- Exposing DBs directly on internet, or a lack of tiered app architecture
- Flat network architecture on cloud deployments
- No network access control for databases
- No firewall rules for port blocking or restricting access on standard MongoDB ports (e.g. TCP 27017)
- No application segmentation or security deployments
- Misconfiguration in MongoDB security layers
- Persistent attacks by hackers and scanners
Being in the business of application security and cloud migration, I can tell you for sure that if you are a small or medium business with application and database workloads on public cloud, solutions for #2 to #6 virtually do not exist. Unfortunately, there are two main reasons to it – Complexity and Cost.
If your MongoDB applications are backbones of your enterprise business, they require security, segmentation and compliance. Business continuity and uptime are important parameters of business success. Solving Complexity and Cost of protecting database deployments in data center and cloud environments would certainly resolve the core issue.
I am sharing some security details of our own MongoDB deployments on public cloud. MongoDB is not the latest version and not enterprise version either. Name of the cloud vendor is not important here because all of them suffer with the same syndrome of shared security responsibilities. I wish it was easy. Deployment includes number of instances of MongoDB in shard and stand-alone modes. There are some workloads with MySQL as well. All of the deployments are running on Ubuntu 14.x, Red Hat Linux 7 and used standard TCP 27017, 27019 ports. Servers were relatively less busy since we were transitioning some clients. All the MongoDB, MongoS and client instances were Avocado Security Platform protected via multiple pico-segments.
Starting January 2017 till now, the deployment has been under persistent attacks (mostly penetration and scanning). Avocado Security Platform enabled MongoDB and MySQL has intercepted all the attacks and reported the details of the source of attacks.
We plan to provide details of the deployment configuration, methods of attacks captured and some details of the sources during our presentations in MongoDB World 2017 being held at Chicago. Please note the dates; June 20-21, 2017. Our marketing team is also planning to conduct live demos of attacks on our own deployments in order to educate application developers who use MongoDB about the security and compliance of the applications on cloud. You can find some more research material on https://avocadosys.com/white-papers/ and https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data
I hope it was useful to all MongoDB professionals and enthusiasts. For further details, please leave the comments or feedback.