Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:00 PM

Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness

More than 80% of companies have at least one Internet-facing cloud asset that is more than six months out of date or running software that is no longer supported, according to scan data.

Companies are doing better at protecting their cloud infrastructure, but holes still remain, with 80.7% of companies having at least one neglected, Internet-facing workload, according to a study published by cloud security firm Orca Security on July 28.

The majority of firms (58%) have a cloud server or asset running an end-of-life operating system or other software — such as Ubuntu 14.04 or Debian 8 — while 49% have a web server that has not been patched in six months. In addition, nearly a quarter of organizations have an administrator or root cloud account that does not have multifactor authentication enabled, according to the "2020 State of Public Cloud Security Risks" report.

Overall, businesses are working to lock down their public-facing cloud assets, but attackers only need to find one way in, says Avi Shua, CEO of Orca Security.

"This really comes down to coverage," he says. "You can be keeping up-to-date on 98% or 99% of the organization, but if you miss 1% or 2%, especially the ones that are facing the Internet, you are open to compromise. This is one of the unfair parts of security."

The report uses data from about 2 million scans of 300,000 public-cloud assets of companies that have tested the company's security service. Because such businesses are already focused on security, the results are likely a best case scenario, says Shua.

While a sprinkling of vulnerable servers, services, or other assets may not seem like a serious threat, the problem is that once inside a company's virtual infrastructure, security is much lower, Orca Security found. More than three-quarters of companies have significant portion of their internal workloads — at least 10% — in a "neglected" security state, with unpatched software and misconfigured services. In addition, about 44% of Internet-accessible workloads also had sensitive access data — "secrets" — and credentials, the firm stated in its report.

"The attackers only need a foothold and then they can rely on lateral movement," Shua says. "Once you go beyond the Internet-facing assets, even if they are not important, then you get into the internal network."

While only 2% of neglected workloads have some sort of sensitive information, more than three-quarters have a public storage bucket open to the public Internet.

Companies are only starting to adapt their security measures to the cloud, especially as the United States continues to deal with the coronavirus pandemic. More than 92% of security professionals feel that they lack the tools to detect even known security threats nor have the right approach to close vulnerabilities and security weaknesses, according to a report from security operations service provider LogRhythm. The situation has caused significant stress for security teams, with three-quarters of security professionals experiencing more stress than two years ago, the company's survey found.

"With more organizations operating under remote work conditions, the attack surface has broadened, making security at scale a critical concern," James Carder, chief security officer and vice president of LogRhythm Labs, said in a statement. "This is a call to action for executives to prioritize alleviating the stress and better support their teams with proper tools, processes, and strategic guidance."

Overall, the coronavirus pandemic has resulted in larger organizations accelerating their move to cloud services, Shua says. Small and midsize companies continue to struggle to expand their security efforts when it comes to the cloud, says Orca Security's Shua.

Cybercriminals have quickly followed businesses to the cloud, focusing on ways to gather credentials from remote workers to gain access to companies' public cloud infrastructure.

Yet companies often do not have adequate visibility into the security of their cloud platforms. More than half of security teams are dissatisfied with the visibility that they have into the security of their remote workers, according to a recent report released by virtual private networking firm NetMotion.

Related Content:



Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
7/29/2020 | 3:52:56 PM
Revenue Recognition vs Compliance vs Security - A path forward
Through a number of iterations of frontline and leadership roles in InfoSec, one tool I have found valuable to move stale systems forward on versions is to tie the security need to a compliance requirement, and then relate the compliance to a specific revenue stream. For example, generally speaking, compliance assessments and certifications are undertaken to satisfy client requirements. Be it ISO27001, PCI-DSS, HIPAA, FedRAMP, etc. Any instance in cloud that has a compliance requirement can usually be tied to one of these. This means that when a package or OS falls into EoL or has major security finding, you have a way to tie a revenue stream to the remediation.

It's impressive the about face that can occur when a patch or upgrade is associated, directly or indirectly, to protecting a 7 figure deal. It not ALWAYS effective, but it's a valuable lever to move the conversation along and illustrates a business risk focus to senior leadership. In doing so, we can move the perception of our work from  being alarmist to directly affecting the bottom line.
User Rank: Ninja
7/29/2020 | 10:22:39 AM
Keep the Lights On!
Unfortunately, the thought process of many is if its working DONT TOUCH IT. Which has implications that you are never upgrading until the business requires it. Even if your OS, app, or cloud workload falls out of support.

It's a foolish ideology that actually has more detriment long term.
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We are really excited about our new two tone authentication system!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-12-01
HCL iNotes is susceptible to a sensitive cookie exposure vulnerability. This can allow an unauthenticated remote attacker to capture the cookie by intercepting its transmission within an http session. Fixes are available in HCL Domino and iNotes versions 10.0.1 FP6 and 11.0.1 FP2 and later.
PUBLISHED: 2020-12-01
HCL Domino is susceptible to a lockout policy bypass vulnerability in the LDAP service. An unauthenticated attacker could use this vulnerability to mount a brute force attack against the LDAP service. Fixes are available in HCL Domino versions 9.0.1 FP10 IF6, 10.0.1 FP6 and 11.0.1 FP1 and later.
PUBLISHED: 2020-12-01
ManageOne versions,,,, ,, 8.0.0 and 8.0.1 have a command injection vulnerability. An attacker with high privileges may exploit this vulnerability through some operations on the plug-in component. Due to insufficient input validation of ...
PUBLISHED: 2020-12-01
Huawei FusionCompute versions 6.5.1 and 8.0.0 have a command injection vulnerability. An authenticated, remote attacker can craft specific request to exploit this vulnerability. Due to insufficient verification, this could be exploited to cause the attackers to obtain higher privilege.
PUBLISHED: 2020-11-30
Affected versions of Automation for Jira - Server allowed remote attackers to read and render files as mustache templates in files inside the WEB-INF/classes & <jira-installation>/jira/bin directories via a template injection vulnerability in Jira smart values using mustache partials. The ...