Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/28/2020
03:00 PM
100%
0%

Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness

More than 80% of companies have at least one Internet-facing cloud asset that is more than six months out of date or running software that is no longer supported, according to scan data.

Companies are doing better at protecting their cloud infrastructure, but holes still remain, with 80.7% of companies having at least one neglected, Internet-facing workload, according to a study published by cloud security firm Orca Security on July 28.

The majority of firms (58%) have a cloud server or asset running an end-of-life operating system or other software — such as Ubuntu 14.04 or Debian 8 — while 49% have a web server that has not been patched in six months. In addition, nearly a quarter of organizations have an administrator or root cloud account that does not have multifactor authentication enabled, according to the "2020 State of Public Cloud Security Risks" report.

Overall, businesses are working to lock down their public-facing cloud assets, but attackers only need to find one way in, says Avi Shua, CEO of Orca Security.

"This really comes down to coverage," he says. "You can be keeping up-to-date on 98% or 99% of the organization, but if you miss 1% or 2%, especially the ones that are facing the Internet, you are open to compromise. This is one of the unfair parts of security."

The report uses data from about 2 million scans of 300,000 public-cloud assets of companies that have tested the company's security service. Because such businesses are already focused on security, the results are likely a best case scenario, says Shua.

While a sprinkling of vulnerable servers, services, or other assets may not seem like a serious threat, the problem is that once inside a company's virtual infrastructure, security is much lower, Orca Security found. More than three-quarters of companies have significant portion of their internal workloads — at least 10% — in a "neglected" security state, with unpatched software and misconfigured services. In addition, about 44% of Internet-accessible workloads also had sensitive access data — "secrets" — and credentials, the firm stated in its report.

"The attackers only need a foothold and then they can rely on lateral movement," Shua says. "Once you go beyond the Internet-facing assets, even if they are not important, then you get into the internal network."

While only 2% of neglected workloads have some sort of sensitive information, more than three-quarters have a public storage bucket open to the public Internet.

Companies are only starting to adapt their security measures to the cloud, especially as the United States continues to deal with the coronavirus pandemic. More than 92% of security professionals feel that they lack the tools to detect even known security threats nor have the right approach to close vulnerabilities and security weaknesses, according to a report from security operations service provider LogRhythm. The situation has caused significant stress for security teams, with three-quarters of security professionals experiencing more stress than two years ago, the company's survey found.

"With more organizations operating under remote work conditions, the attack surface has broadened, making security at scale a critical concern," James Carder, chief security officer and vice president of LogRhythm Labs, said in a statement. "This is a call to action for executives to prioritize alleviating the stress and better support their teams with proper tools, processes, and strategic guidance."

Overall, the coronavirus pandemic has resulted in larger organizations accelerating their move to cloud services, Shua says. Small and midsize companies continue to struggle to expand their security efforts when it comes to the cloud, says Orca Security's Shua.

Cybercriminals have quickly followed businesses to the cloud, focusing on ways to gather credentials from remote workers to gain access to companies' public cloud infrastructure.

Yet companies often do not have adequate visibility into the security of their cloud platforms. More than half of security teams are dissatisfied with the visibility that they have into the security of their remote workers, according to a recent report released by virtual private networking firm NetMotion.

Related Content:

 

 

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RFormer
100%
0%
RFormer,
User Rank: Author
7/29/2020 | 3:52:56 PM
Revenue Recognition vs Compliance vs Security - A path forward
Through a number of iterations of frontline and leadership roles in InfoSec, one tool I have found valuable to move stale systems forward on versions is to tie the security need to a compliance requirement, and then relate the compliance to a specific revenue stream. For example, generally speaking, compliance assessments and certifications are undertaken to satisfy client requirements. Be it ISO27001, PCI-DSS, HIPAA, FedRAMP, etc. Any instance in cloud that has a compliance requirement can usually be tied to one of these. This means that when a package or OS falls into EoL or has major security finding, you have a way to tie a revenue stream to the remediation.

It's impressive the about face that can occur when a patch or upgrade is associated, directly or indirectly, to protecting a 7 figure deal. It not ALWAYS effective, but it's a valuable lever to move the conversation along and illustrates a business risk focus to senior leadership. In doing so, we can move the perception of our work from  being alarmist to directly affecting the bottom line.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/29/2020 | 10:22:39 AM
Keep the Lights On!
Unfortunately, the thought process of many is if its working DONT TOUCH IT. Which has implications that you are never upgrading until the business requires it. Even if your OS, app, or cloud workload falls out of support.

It's a foolish ideology that actually has more detriment long term.
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25252
PUBLISHED: 2021-03-03
Trend Micro's Virus Scan API (VSAPI) and Advanced Threat Scan Engine (ATSE) - are vulnerable to a memory exhaustion vulnerability that may lead to denial-of-service or system freeze if exploited by an attacker using a specially crafted file.
CVE-2021-26813
PUBLISHED: 2021-03-03
markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.
CVE-2021-27215
PUBLISHED: 2021-03-03
An issue was discovered in genua genugate before 9.0 Z p19, 9.1.x through 9.6.x before 9.6 p7, and 10.x before 10.1 p4. The Web Interfaces (Admin, Userweb, Sidechannel) can use different methods to perform the authentication of a user. A specific authentication method during login does not check the...
CVE-2021-3419
PUBLISHED: 2021-03-03
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2020-15937
PUBLISHED: 2021-03-03
An improper neutralization of input vulnerability in FortiGate version 6.2.x below 6.2.5 and 6.4.x below 6.4.1 may allow a remote attacker to perform a stored cross site scripting attack (XSS) via the IPS and WAF logs dashboard.