Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/28/2020
03:00 PM
100%
0%

Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness

More than 80% of companies have at least one Internet-facing cloud asset that is more than six months out of date or running software that is no longer supported, according to scan data.

Companies are doing better at protecting their cloud infrastructure, but holes still remain, with 80.7% of companies having at least one neglected, Internet-facing workload, according to a study published by cloud security firm Orca Security on July 28.

The majority of firms (58%) have a cloud server or asset running an end-of-life operating system or other software — such as Ubuntu 14.04 or Debian 8 — while 49% have a web server that has not been patched in six months. In addition, nearly a quarter of organizations have an administrator or root cloud account that does not have multifactor authentication enabled, according to the "2020 State of Public Cloud Security Risks" report.

Overall, businesses are working to lock down their public-facing cloud assets, but attackers only need to find one way in, says Avi Shua, CEO of Orca Security.

"This really comes down to coverage," he says. "You can be keeping up-to-date on 98% or 99% of the organization, but if you miss 1% or 2%, especially the ones that are facing the Internet, you are open to compromise. This is one of the unfair parts of security."

The report uses data from about 2 million scans of 300,000 public-cloud assets of companies that have tested the company's security service. Because such businesses are already focused on security, the results are likely a best case scenario, says Shua.

While a sprinkling of vulnerable servers, services, or other assets may not seem like a serious threat, the problem is that once inside a company's virtual infrastructure, security is much lower, Orca Security found. More than three-quarters of companies have significant portion of their internal workloads — at least 10% — in a "neglected" security state, with unpatched software and misconfigured services. In addition, about 44% of Internet-accessible workloads also had sensitive access data — "secrets" — and credentials, the firm stated in its report.

"The attackers only need a foothold and then they can rely on lateral movement," Shua says. "Once you go beyond the Internet-facing assets, even if they are not important, then you get into the internal network."

While only 2% of neglected workloads have some sort of sensitive information, more than three-quarters have a public storage bucket open to the public Internet.

Companies are only starting to adapt their security measures to the cloud, especially as the United States continues to deal with the coronavirus pandemic. More than 92% of security professionals feel that they lack the tools to detect even known security threats nor have the right approach to close vulnerabilities and security weaknesses, according to a report from security operations service provider LogRhythm. The situation has caused significant stress for security teams, with three-quarters of security professionals experiencing more stress than two years ago, the company's survey found.

"With more organizations operating under remote work conditions, the attack surface has broadened, making security at scale a critical concern," James Carder, chief security officer and vice president of LogRhythm Labs, said in a statement. "This is a call to action for executives to prioritize alleviating the stress and better support their teams with proper tools, processes, and strategic guidance."

Overall, the coronavirus pandemic has resulted in larger organizations accelerating their move to cloud services, Shua says. Small and midsize companies continue to struggle to expand their security efforts when it comes to the cloud, says Orca Security's Shua.

Cybercriminals have quickly followed businesses to the cloud, focusing on ways to gather credentials from remote workers to gain access to companies' public cloud infrastructure.

Yet companies often do not have adequate visibility into the security of their cloud platforms. More than half of security teams are dissatisfied with the visibility that they have into the security of their remote workers, according to a recent report released by virtual private networking firm NetMotion.

Related Content:

 

 

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/29/2020 | 10:22:39 AM
Keep the Lights On!
Unfortunately, the thought process of many is if its working DONT TOUCH IT. Which has implications that you are never upgrading until the business requires it. Even if your OS, app, or cloud workload falls out of support.

It's a foolish ideology that actually has more detriment long term.
RFormer
100%
0%
RFormer,
User Rank: Author
7/29/2020 | 3:52:56 PM
Revenue Recognition vs Compliance vs Security - A path forward
Through a number of iterations of frontline and leadership roles in InfoSec, one tool I have found valuable to move stale systems forward on versions is to tie the security need to a compliance requirement, and then relate the compliance to a specific revenue stream. For example, generally speaking, compliance assessments and certifications are undertaken to satisfy client requirements. Be it ISO27001, PCI-DSS, HIPAA, FedRAMP, etc. Any instance in cloud that has a compliance requirement can usually be tied to one of these. This means that when a package or OS falls into EoL or has major security finding, you have a way to tie a revenue stream to the remediation.

It's impressive the about face that can occur when a patch or upgrade is associated, directly or indirectly, to protecting a 7 figure deal. It not ALWAYS effective, but it's a valuable lever to move the conversation along and illustrates a business risk focus to senior leadership. In doing so, we can move the perception of our work from  being alarmist to directly affecting the bottom line.
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26814
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.