While most organisations list cloud security as one of their top IT priorities, they continue to ignore basic security hygiene when it comes to data in the cloud, according to Orca’s latest public cloud security report. The report revealed that 36 per cent of organisations have unencrypted sensitive data such as company secrets and personally identifiable information in their cloud assets.
The global pandemic accelerated the shift to cloud computing, as the sudden and massive move to remote work forced companies to provide employees with access to business systems from anywhere.
Gartner predicts that worldwide spending on public cloud computing services will rise 20.4 per cent to a total of $494.7 billion this year and expects it to reach nearly $600 billion in 2023.
In the rush to move IT resources to the cloud, organisations struggle to keep up with ever-expanding cloud attack surfaces and increasing multicloud complexity. The current shortage of skilled cyber security staff is further worsening the situation, the Orca report noted.
The risk in the cloud is not greater than in an on-premises environment. Rather, it is different, said Avi Shua, Orca Security's CEO and co-founder.
“In an on-premise environment, organisations have more control over their infrastructure," Shua said. "However, this is not necessarily good. Cloud service providers often have far more dedicated resources to ensure the security of the infrastructure than many organisations do.
"Under the shared responsibility model, organisations are still responsible for the applications and services they run in the cloud, with similar risks to on-premise environments. What makes cloud security different is the cultural change — everything is going much faster than on-premises, and there are many more managed services, which pose different security threats versus an on-premise world."
It's getting tough to patch all vulnerabilities
It is difficult for organisations to keep up with the number of vulnerabilities being discovered each day. Many fall behind on patching newly discovered vulnerabilities, but some are also not addressing vulnerabilities that have been around for a long time.
Many organisations still have vulnerabilities that were disclosed more than 10 years ago, the report revealed. Severe vulnerabilities need to be addressed as quickly as possible as these account for 78 per cent of initial attack vectors, the report said.
“The reason why some organisations still have these old vulnerabilities is because they often have outdated applications that don’t support updated operating systems, so they cannot be patched easily,” Shua said.
Shua recommends that if this is the case, organisations must try to segment these systems from other assets to prevent any exposure to the rest of the environment.
“Another reason is that sometimes team responsibilities are unclear and issues are not properly assigned, leaving vulnerabilities to remain unpatched for long periods of time,” Shua added.
She says it is however important to understand that it is close to impossible to fix all vulnerabilities, and therefore it is essential for teams to remediate strategically by knowing which vulnerabilities pose the greatest danger to a company's most sensitive and valuable information — what she calls a company’s crown jewels.
Log4Shell remains problematic
In December 2021, a serious zero-day vulnerability in Apache Log4j, was discovered. The vulnerability was easy to exploit, allowed unauthenticated remote code execution, and was dubbed "Log4Shell."
There was no immediate patch available when the vulnerability was originally published. Open source developers hastily released several patches, which in turn introduced new vulnerabilities, until the issue was finally resolved after the fourth patch.
However, organisations still suffer the aftermath of the vulnerability, the report said. Almost five per cent of workload assets still have at least one of the Log4j vulnerabilities, of which 10.5 per cent are internet-facing.
Thirty per cent of the Log4j vulnerabilities discovered between December 2021 and January 2022 remain unresolved, of which 6.2 per cent potentially expose personally identifiable information.
There are also still quite a few Log4j vulnerabilities found oncontainers and container images. Images are particularly problematic since these vulnerabilities will be reproduced each time the image is used, the report noted.
Neglected assets act as front door for attackers
Neglected assets often act as a front door for attackers to break in. A neglected asset is a cloud asset that uses an unsupported operating system such as CentOS 6, Linux 32-bit, or Windows Server 2012, or has remained unpatched for 180 days or more.
“The reason why some organisations still have neglected assets is because they have old applications that don’t support updated operating systems” the report said.
On average, according to Orca, organisations have 11 per cent of their assets in a neglected security state, and 10 per cent of organisations have more than 30 per cent of their workloads in a neglected security state; 19 per cent of identified attack paths use neglected assets as an initial access attack vector; and out of all neglected assets, the majority are containers and nearly half are running unsupported versions of Alpine operating system.
Vulnerabilities arise from misconfiguration of keys
Gartner predicts that through 2025, more than 99 per cent of cloud breaches will originate from preventable misconfigurations or mistakes by end users.
The AWS Key Management Service (KMS) allows administrators to create, delete and control keys that encrypt data stored in AWS databases and products. Eight per cent of organisations have configured a KMS key with public access policy. “This is particularly dangerous since it creates an easy attack vector for a malicious party,” the report said.
Furthermore, 99 per cent organisations use at least one default KMS key.
Seventy-nine per cent of organisations have at least one access key older than 90 days. It is best practice to configure access keys older than 90 days to be rotated, to limit the time a compromised set ofIAM (identity and access management) access keys could potentially provide access to AWS accounts, the report said.
About 51 per cent of organisations have a Google Storage bucket without uniform bucket-level access. “If access levels are not set uniformly, this means that an attacker could move laterally and obtain a higher access level, permission can escalate their privileges by creating or updating an inline policy for a role that they have access to,” the report noted.
Companies need to protect their crown jewels
A company’s crown jewels are its most valuable assets. They include personally identifiable information, customer and prospect databases, employee and HR information, corporate financials, intellectual property, and production servers. Crown jewels should be protected using the highest security standards and receive the highest priority when deciding which risks need to be remediated first.
About 36 per cent of organisations have sensitive data such as secrets and personally identifiable information in files, storage buckets, containers, and serverless environments.
“Encrypting sensitive data greatly reduces the likelihood that it is unintentionally exposed and can nullify the impact of a breach if the encryption remains unbroken,” the report said.
Furthermore, 35 per cent of organisations have at least one internet facing workload with sensitive information in a Git repository. “Cyber criminals can easily extract this information and use it to compromise your systems.” according to the Orca report.