
Cloud Misconfiguration Mishaps Businesses Must Watch

Cloud security experts explain which misconfigurations are most common and highlight other areas of the cloud likely to threaten businesses.

IT security teams are well aware of the dangers of cloud misconfigurations. Poorly configured cloud infrastructure, applications, and storage have proved to be a major threat as attackers capitalize on an opportunity to sneak into enterprise environments and steal information or move laterally.


Misconfigurations have only grown more common amid the COVID-19 pandemic and a global rush to shift organizations into fully virtualized workforces. The accelerated jump to the cloud has led to careless mistakes and, consequently, opportunistic attacks to take advantage of them.

"You get this combination of cloud security issues that are primarily the users of the cloud – not the cloud providers themselves – misconfiguring, embedding credentials inappropriately, leaving passwords, not hardening their cloud because they're moving so quickly … that's led to several compromises," explains Jim Reavis, co-founder and CEO of the Cloud Security Alliance.

Organizations hastily moving to the cloud often lack a strategic view and fail to consider factors such as threats that could put them at risk and high-priority security functionalities, Reavis says. They forget to lock down storage buckets and databases, leave credentials viewable in GitHub, and fail to patch or maintain good security hygiene in virtual machines and containers, he adds.

"Out of this, you give the attackers an ability to really be able to do some pretty quick scanning of cloud environments, finding several things that are insecure, and then being able to go do a deeper dive hack," Reavis continues. Configuration management can help prevent these threats.

IT and security teams are discovering several unexpected gaps resulting from the rapid transition to cloud. Now they have to consider tactical solutions and a more strategic architectural shift. Many have accepted the operational changes resulting from COVID-19 are here to stay. As a result, they should consider how to better strengthen their cloud security. 

"A lot of it goes back to the shared responsibility model and understanding that this is a combined responsibility for us to secure the cloud," Reavis says.

When dealing with products like infrastructure-as-a-service, it's incumbent on cloud consumers to understand they're given a blank slate. It's on them to worry about encryption, identity management, and other parts of their cloud environments. 

[Check out Jim Reavis' upcoming talk, "Practical Solutions for Securing Your Cloud Services," on Oct. 5 during the Cybersecurity Crash Course at next week's Interop Digital]

Misconfigurations can help attackers get into your cloud environment and achieve their goals once inside, explains Josh Stella, co-founder and CTO at Fugue Security. What they care about is exploiting misconfigurations, typically in services like identity and access management (IAM). These credentials can help them navigate the network and quietly exfiltrate data they're looking for.

"The blast radius of these is devastation," he says. "You can have a very small crack in your defenses, and if it's cloud misconfiguration-related, that can mean in five minutes all your data is gone."

Stella points to a few examples of places where security teams can double-check their assets for configuration mistakes. The first step is to understand your security posture: Know where you stand and learn where errors are. Businesses will inevitably slip up when configuring the cloud.

"I guarantee you mistakes have been made because it's just too hard to not," he says.

A common mistake is placing too much trust in the "block public access" feature for AWS S3 buckets. Many people think when they turn this feature on, they're protected from attackers. But while it's a good step to take, it's "vastly incomplete," Stella says. An organization can have an exception to "block public access" that could expose its private information to the Internet.

Similarly, Stella says he often sees the issue of overly permissive IAM roles. Amazon's Elastic Compute Cloud (EC2) has many possible permissions in IAM; when confronted with all these choices, people often choose big chunks, he explains. The problem is, these permissions are all very detailed and may be granting a level of access that someone shouldn't necessarily have.

Stella also urges organizations to ensure they limit the ability of their cloud infrastructure to list and describe other parts of their cloud infrastructure. Security admins often think having list permissions is safe; this capability lists the contents of their EC2 fleet or containers, or lists data storage service options, buckets, and other objects.

"These are extremely dangerous things to leave on because hackers' first, and often most difficult, job is discovery," Stella explains. "If you give them a map to your safe, that's a bad idea. They can probably break into your safe." Security teams should limit the ability of their cloud infrastructure to know about the other cloud infrastructure they're running, he says.
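One way to check a policy document for the two IAM problems Stella describes, broad "big chunk" grants and list/describe permissions, is sketched below. This is an added example, not code from the article or from Fugue; the sample policy, the bucket name, and the function names are constructed for illustration.

```python
import json

# Constructed sample policy for illustration; not taken from the article.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "ec2:DescribeInstances"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-app-assets/*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}
  ]
}
""")

DISCOVERY_PREFIXES = ("list", "describe")


def as_list(value):
    """IAM accepts either one item or a list for Statement and Action."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement_index, action, finding) for risky Allow grants."""
    findings = []
    for idx, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access, so they are not flagged
        for action in as_list(stmt.get("Action")):
            name = action.partition(":")[2].lower()  # action names are case-insensitive
            if name.startswith(DISCOVERY_PREFIXES):
                findings.append((idx, action, "discovery"))
            elif "*" in action:
                # A wildcard grant also includes the service's list/describe calls.
                findings.append((idx, action, "wildcard"))
    return findings


if __name__ == "__main__":
    for idx, action, finding in audit_policy(SAMPLE_POLICY):
        print(f"statement {idx}: {action} -> {finding}")
```

The narrowly scoped `s3:GetObject` statement and the `Deny` statement produce no findings; each flagged action is a candidate for replacement with the specific permissions the workload actually needs.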

In his upcoming Interop Digital talk, "Simulating Real-Time Cloud Misconfiguration Attacks to Improve Cloud Security," Stella will simulate an attack against his own infrastructure and, in doing so, demonstrate how these small, simple mistakes can have major consequences. 

"It's really important to view your own infrastructure from the perspective of someone who is going to [venture] into it and do bad things," he says. Businesses can put bars on their front windows and lock the doors, but attackers will find a small open basement window to sneak in.

"What you should be doing – what everyone should be doing – is not sleeping well until you find some of those because they're there," Stella adds. "You have to think that way."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
