Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

9/30/2020
05:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cloud Misconfiguration Mishaps Businesses Must Watch

Cloud security experts explain which misconfigurations are most common and highlight other areas of the cloud likely to threaten businesses.

IT security teams are well aware of the dangers of cloud misconfigurations. Poorly configured cloud infrastructure, applications, and storage have proved to be a major threat as attackers capitalize on an opportunity to sneak into enterprise environments and steal information or move laterally.

Related Content:

Missing Patches, Misconfiguration Top Technical Breach Causes

State of Endpoint Security: How Enterprises Are Managing Endpoint Security Threats

New on The Edge: Securing Slack: 5 Tips for Safer Messaging, Collaboration

Misconfigurations have only grown more common amid the COVID-19 pandemic and a global rush to shift organizations into fully virtualized workforces. The accelerated jump to the cloud has led to careless mistakes and, consequently, opportunistic attacks to take advantage of them.

"You get this combination of cloud security issues that are primarily the users of the cloud – not the cloud providers themselves – misconfiguring, embedding credentials inappropriately, leaving passwords, not hardening their cloud because they're moving so quickly … that's led to several compromises," explains Jim Reavis, co-founder and CEO of the Cloud Security Alliance.

Organizations hastily moving to the cloud often lack a strategic view and fail to consider factors such as threats that could put them at risk and high-priority security functionalities, Reavis says. They forget to lock down storage buckets and databases, leave credentials viewable in Github, and fail to patch or maintain good security hygiene in virtual machines and containers, he adds.

"Out of this, you give the attackers an ability to really be able to do some pretty quick scanning of cloud environments, finding several things that are insecure, and then being able to go do a deeper dive hack," Reavis continues. Configuration management can help prevent these threats.

IT and security teams are discovering several unexpected gaps resulting from the rapid transition to cloud. Now they have to consider tactical solutions and a more strategic architectural shift. Many have accepted the operational changes resulting from COVID-19 are here to stay. As a result, they should consider how to better strengthen their cloud security. 

"A lot of it goes back to the shared responsibility model and understanding that this is a combined responsibility for us to secure the cloud," Reavis says.

When dealing with products like infrastructure-as-a-service, it's incumbent on cloud consumers to understand they're given a blank slate. It's on them to worry about encryption, identity management, and other parts of their cloud environments. 

[Check out Jim Reavis' upcoming talk, "Practical Solutions for Securing Your Cloud Services," on Oct. 5 during the Cybersecurity Crash Course at next week's Interop Digital]

Misconfigurations can help attackers get into your cloud environment and achieve their goals once inside, explains Josh Stella, co-founder and CTO at Fugue Security. What they care about is exploiting misconfigurations, typically in services like identity and access management (IAM). These credentials can help them navigate the network and quietly exfiltrate data they're looking for.

"The blast radius of these is devastation," he says. "You can have a very small crack in your defenses, and if it's cloud misconfiguration-related, that can mean in five minutes all your data is gone."

Stella points to a few examples of places where security teams can double-check their assets for configuration mistakes. The first step is to understand your security posture: Know where you stand and learn where errors are. Businesses will inevitably slip up when configuring the cloud.

"I guarantee you mistakes have been made because it's just too hard to not," he says.

A common mistake is placing too much trust in the "block public access" feature for AWS S3 buckets. Many people think when they turn this feature on, they're protected from attackers. But while it's a good step to take, it's "vastly incomplete," Stella says. An organization can have an exception to "block public access" that could expose its private information to the Internet.

Similarly, Stella says he often sees the issue of overly permissive IAM roles. Amazon's Elastic Compute Cloud (EC2) has many possible permissions in IAM; when confronted with all these choices, people often choose big chunks, he explains. The problem is, these permissions are all very detailed and may be granting a level of access that someone shouldn't necessarily have.

Stella also urges organizations to ensure they limit the ability of their cloud infrastructure to list and describe other parts of their cloud infrastructure. Security admins often think having list permissions is safe; this capability lists the contents of their EC2 fleet or containers, or lists data storage service options, buckets, and other objects.

"These are extremely dangerous things to leave on because hackers' first, and often most difficult, job is discovery," Stella explains. "If you give them a map to your safe, that's a bad idea. They can probably break into your safe." Security teams should limit the ability of their cloud infrastructure to know about the other cloud infrastructure they're running, he says.

In his upcoming Interop Digital talk, "Simulating Real-Time Cloud Misconfiguration Attacks to Improve Cloud Security," Stella will simulate an attack against his own infrastructure and, in doing so, demonstrate how these small, simple mistakes can have major consequences. 

"It's really important to view your own infrastructure from the perspective of someone who is going to [venture] into it and do bad things," he says. Businesses can put bars on their front windows and lock the doors, but attackers will find a small open basement window to sneak in.

"What you should be doing – what everyone should be doing – is not sleeping well until you find some of those because they're there," Stella adds. "You have to think that way."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-19274
PUBLISHED: 2021-05-12
A Cross SIte Scripting (XSS) vulnerability exists in Dhcms 2017-09-18 in guestbook via the message board, which could let a remote malicious user execute arbitrary code.
CVE-2021-30211
PUBLISHED: 2021-05-12
Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/signup/update' via the 'surname' parameter.
CVE-2021-30212
PUBLISHED: 2021-05-12
Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/documentnotes/saveNote' via the 'nota' parameter.
CVE-2021-30213
PUBLISHED: 2021-05-12
Knowage Suite 7.3 is vulnerable to unauthenticated reflected cross-site scripting (XSS). An attacker can inject arbitrary web script in '/servlet/AdapterHTTP' via the 'targetService' parameter.
CVE-2021-30214
PUBLISHED: 2021-05-12
Knowage Suite 7.3 is vulnerable to Stored Client-Side Template Injection in '/knowage/restful-services/signup/update' via the 'name' parameter.