Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/28/2020
03:00 PM
100%
0%

Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness

More than 80% of companies have at least one Internet-facing cloud asset that is more than six months out of date or running software that is no longer supported, according to scan data.

Companies are doing better at protecting their cloud infrastructure, but holes still remain, with 80.7% of companies having at least one neglected, Internet-facing workload, according to a study published by cloud security firm Orca Security on July 28.

The majority of firms (58%) have a cloud server or asset running an end-of-life operating system or other software — such as Ubuntu 14.04 or Debian 8 — while 49% have a web server that has not been patched in six months. In addition, nearly a quarter of organizations have an administrator or root cloud account that does not have multifactor authentication enabled, according to the "2020 State of Public Cloud Security Risks" report.

Overall, businesses are working to lock down their public-facing cloud assets, but attackers only need to find one way in, says Avi Shua, CEO of Orca Security.

"This really comes down to coverage," he says. "You can be keeping up-to-date on 98% or 99% of the organization, but if you miss 1% or 2%, especially the ones that are facing the Internet, you are open to compromise. This is one of the unfair parts of security."

The report uses data from about 2 million scans of 300,000 public-cloud assets of companies that have tested the company's security service. Because such businesses are already focused on security, the results are likely a best case scenario, says Shua.

While a sprinkling of vulnerable servers, services, or other assets may not seem like a serious threat, the problem is that once inside a company's virtual infrastructure, security is much lower, Orca Security found. More than three-quarters of companies have significant portion of their internal workloads — at least 10% — in a "neglected" security state, with unpatched software and misconfigured services. In addition, about 44% of Internet-accessible workloads also had sensitive access data — "secrets" — and credentials, the firm stated in its report.

"The attackers only need a foothold and then they can rely on lateral movement," Shua says. "Once you go beyond the Internet-facing assets, even if they are not important, then you get into the internal network."

While only 2% of neglected workloads have some sort of sensitive information, more than three-quarters have a public storage bucket open to the public Internet.

Companies are only starting to adapt their security measures to the cloud, especially as the United States continues to deal with the coronavirus pandemic. More than 92% of security professionals feel that they lack the tools to detect even known security threats nor have the right approach to close vulnerabilities and security weaknesses, according to a report from security operations service provider LogRhythm. The situation has caused significant stress for security teams, with three-quarters of security professionals experiencing more stress than two years ago, the company's survey found.

"With more organizations operating under remote work conditions, the attack surface has broadened, making security at scale a critical concern," James Carder, chief security officer and vice president of LogRhythm Labs, said in a statement. "This is a call to action for executives to prioritize alleviating the stress and better support their teams with proper tools, processes, and strategic guidance."

Overall, the coronavirus pandemic has resulted in larger organizations accelerating their move to cloud services, Shua says. Small and midsize companies continue to struggle to expand their security efforts when it comes to the cloud, says Orca Security's Shua.

Cybercriminals have quickly followed businesses to the cloud, focusing on ways to gather credentials from remote workers to gain access to companies' public cloud infrastructure.

Yet companies often do not have adequate visibility into the security of their cloud platforms. More than half of security teams are dissatisfied with the visibility that they have into the security of their remote workers, according to a recent report released by virtual private networking firm NetMotion.

Related Content:

 

 

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RFormer
100%
0%
RFormer,
User Rank: Author
7/29/2020 | 3:52:56 PM
Revenue Recognition vs Compliance vs Security - A path forward
Through a number of iterations of frontline and leadership roles in InfoSec, one tool I have found valuable to move stale systems forward on versions is to tie the security need to a compliance requirement, and then relate the compliance to a specific revenue stream. For example, generally speaking, compliance assessments and certifications are undertaken to satisfy client requirements. Be it ISO27001, PCI-DSS, HIPAA, FedRAMP, etc. Any instance in cloud that has a compliance requirement can usually be tied to one of these. This means that when a package or OS falls into EoL or has major security finding, you have a way to tie a revenue stream to the remediation.

It's impressive the about face that can occur when a patch or upgrade is associated, directly or indirectly, to protecting a 7 figure deal. It not ALWAYS effective, but it's a valuable lever to move the conversation along and illustrates a business risk focus to senior leadership. In doing so, we can move the perception of our work from  being alarmist to directly affecting the bottom line.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/29/2020 | 10:22:39 AM
Keep the Lights On!
Unfortunately, the thought process of many is if its working DONT TOUCH IT. Which has implications that you are never upgrading until the business requires it. Even if your OS, app, or cloud workload falls out of support.

It's a foolish ideology that actually has more detriment long term.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25288
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
CVE-2020-25781
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
CVE-2020-25830
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.
CVE-2020-26159
PUBLISHED: 2020-09-30
In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c .
CVE-2020-6654
PUBLISHED: 2020-09-30
A DLL Hijacking vulnerability in Eaton's 9000x Programming and Configuration Software v 2.0.38 and prior allows an attacker to execute arbitrary code by replacing the required DLLs with malicious DLLs when the software try to load vci11un6.DLL and cinpl.DLL.