Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:00 PM

Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness

More than 80% of companies have at least one Internet-facing cloud asset that is more than six months out of date or running software that is no longer supported, according to scan data.

Companies are doing better at protecting their cloud infrastructure, but holes still remain, with 80.7% of companies having at least one neglected, Internet-facing workload, according to a study published by cloud security firm Orca Security on July 28.

The majority of firms (58%) have a cloud server or asset running an end-of-life operating system or other software — such as Ubuntu 14.04 or Debian 8 — while 49% have a web server that has not been patched in six months. In addition, nearly a quarter of organizations have an administrator or root cloud account that does not have multifactor authentication enabled, according to the "2020 State of Public Cloud Security Risks" report.

Overall, businesses are working to lock down their public-facing cloud assets, but attackers only need to find one way in, says Avi Shua, CEO of Orca Security.

"This really comes down to coverage," he says. "You can be keeping up-to-date on 98% or 99% of the organization, but if you miss 1% or 2%, especially the ones that are facing the Internet, you are open to compromise. This is one of the unfair parts of security."

The report uses data from about 2 million scans of 300,000 public-cloud assets of companies that have tested the company's security service. Because such businesses are already focused on security, the results are likely a best case scenario, says Shua.

While a sprinkling of vulnerable servers, services, or other assets may not seem like a serious threat, the problem is that once inside a company's virtual infrastructure, security is much lower, Orca Security found. More than three-quarters of companies have significant portion of their internal workloads — at least 10% — in a "neglected" security state, with unpatched software and misconfigured services. In addition, about 44% of Internet-accessible workloads also had sensitive access data — "secrets" — and credentials, the firm stated in its report.

"The attackers only need a foothold and then they can rely on lateral movement," Shua says. "Once you go beyond the Internet-facing assets, even if they are not important, then you get into the internal network."

While only 2% of neglected workloads have some sort of sensitive information, more than three-quarters have a public storage bucket open to the public Internet.

Companies are only starting to adapt their security measures to the cloud, especially as the United States continues to deal with the coronavirus pandemic. More than 92% of security professionals feel that they lack the tools to detect even known security threats nor have the right approach to close vulnerabilities and security weaknesses, according to a report from security operations service provider LogRhythm. The situation has caused significant stress for security teams, with three-quarters of security professionals experiencing more stress than two years ago, the company's survey found.

"With more organizations operating under remote work conditions, the attack surface has broadened, making security at scale a critical concern," James Carder, chief security officer and vice president of LogRhythm Labs, said in a statement. "This is a call to action for executives to prioritize alleviating the stress and better support their teams with proper tools, processes, and strategic guidance."

Overall, the coronavirus pandemic has resulted in larger organizations accelerating their move to cloud services, Shua says. Small and midsize companies continue to struggle to expand their security efforts when it comes to the cloud, says Orca Security's Shua.

Cybercriminals have quickly followed businesses to the cloud, focusing on ways to gather credentials from remote workers to gain access to companies' public cloud infrastructure.

Yet companies often do not have adequate visibility into the security of their cloud platforms. More than half of security teams are dissatisfied with the visibility that they have into the security of their remote workers, according to a recent report released by virtual private networking firm NetMotion.

Related Content:



Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
7/29/2020 | 3:52:56 PM
Revenue Recognition vs Compliance vs Security - A path forward
Through a number of iterations of frontline and leadership roles in InfoSec, one tool I have found valuable to move stale systems forward on versions is to tie the security need to a compliance requirement, and then relate the compliance to a specific revenue stream. For example, generally speaking, compliance assessments and certifications are undertaken to satisfy client requirements. Be it ISO27001, PCI-DSS, HIPAA, FedRAMP, etc. Any instance in cloud that has a compliance requirement can usually be tied to one of these. This means that when a package or OS falls into EoL or has major security finding, you have a way to tie a revenue stream to the remediation.

It's impressive the about face that can occur when a patch or upgrade is associated, directly or indirectly, to protecting a 7 figure deal. It not ALWAYS effective, but it's a valuable lever to move the conversation along and illustrates a business risk focus to senior leadership. In doing so, we can move the perception of our work from  being alarmist to directly affecting the bottom line.
User Rank: Ninja
7/29/2020 | 10:22:39 AM
Keep the Lights On!
Unfortunately, the thought process of many is if its working DONT TOUCH IT. Which has implications that you are never upgrading until the business requires it. Even if your OS, app, or cloud workload falls out of support.

It's a foolish ideology that actually has more detriment long term.
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-11
RiyaLab CloudISO event item is added, special characters in specific field of time management page are not properly filtered, which allow remote authenticated attackers can inject malicious JavaScript and carry out stored XSS (Stored Cross-site scripting) attacks.
PUBLISHED: 2021-05-11
Special characters of IGT search function in igt+ are not filtered in specific fields, which allow remote authenticated attackers can inject malicious JavaScript and carry out DOM-based XSS (Cross-site scripting) attacks.
PUBLISHED: 2021-05-11
An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution.
PUBLISHED: 2021-05-10
In YzmCMS 5.6, XSS was discovered in member/member_content/init.html via the SRC attribute of an IFRAME element because of using UEditor
PUBLISHED: 2021-05-10
In YzmCMS 5.6, stored XSS exists via the common/static/plugin/ueditor/ action parameter, which allows remote attackers to upload a swf file. The swf file can be injected with arbitrary web script or HTML.