Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

12/11/2018
03:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

49% of Cloud Databases Left Unencrypted

Businesses also leave information vulnerable in the cloud by failing to implement MFA and configure Kubernetes settings, new research reveals.

About half of all databases are left unencrypted – one of several security practices researchers say businesses overlook when protecting information stored in the cloud.

Researchers with Palo Alto Networks' Unit 42 threat research team examined cloud security threats from late May 2018 through September, considering how organizations manage threats as they balance risk and efficiency. There is work to be done, they found. Many aren't doing it.

Oftentimes it's because businesses don't think they're at risk, says Jen Miller-Osborn, deputy director of threat intelligence at Unit 42. "There's a lack of belief they're necessarily going to be targeted or an unwillingness to make an investment," she explains. The motivation to secure arrives after an incident, when data is stolen from places where it should have been protected.

Multifactor authentication (MFA) is another basic security practice that companies are slow to adopt, she continues, and it's becoming a must-have as account compromise grows in scale and velocity: Twenty-nine percent of organizations have potential account compromises, Unit 42 researchers report. Security teams should operate under the assumption it will eventually happen to them.

The lack of MFA surprises her given the growth of account compromise. "It's one of the simplest things that can be implemented to try to combat that," Miller-Osborn adds. While the process varies depending on corporate architecture, it's generally not difficult to implement MFA, which doesn't require new equipment and isn't expensive or time-consuming.

"SMS [authentication] has issues, but it's typically the most common way it's implemented and easier to get users to do it," she explains. When someone is targeted with SMS credential theft, it's usually because he is specifically sought out by attackers, who would need to have his email address or username, as well as access to his phone, in order to bypass the MFA.

"That can certainly happen – it's just not particularly common," she continues. Most people aren't at risk for this type of attack, but they are at risk for account compromise as they use more and more online accounts to manage every part of their lives, Miller-Osborn says. People often don't recognize the extent of detailed information companies have about them.

"We don't usually take the time to pause and think what happens when someone gets access to these accounts," she adds. "And people are still bad at using different passwords for all their accounts." Attackers don't need to invest much time or effort into stealing credentials, and when they're successful, they have very little chance of getting caught.

Twenty percent of organizations still don't enforce MFA for root users, and 27% still allow root user activities, researchers found. Over 40% of API access keys have not been rotated in a 90-day period, which Miller-Osborn says is "basically like giving away credentials."

If someone has an API key, it should be regularly rotated so if it's compromised, the window of access an attacker would have to the network is small. Key rotation limits the time frame during which a business could have lost data – meaning incident response triage can start sooner.

Cryptojacking Value Drops
Cryptojacking, a hot trend targeting public cloud environments earlier this year, is tapering off as attackers find greater value elsewhere. According to Unit 41, in May 25% of businesses had cryptojacking in their environments, but that fell to 11% in September. Researchers say that drop in activity directly correlates with the falling prices of cryptocurrencies this year.  

Cryptocurrency spiked from late 2017 into 2018, capturing the attention of hackers who wanted a piece of the profit. However, the latter half of 2018 has brought a dip in cryptocurrency value along with greater awareness of these types of attacks.

"That bubble has kind of burst," Miller-Osborn says. "The money isn't there that used to be there, that these people expected to be there." Researchers don't expect cryptojacking will go away entirely, however, and they anticipate a comeback if/when the value of digital currencies rises again. After all, most cybercriminals go where they think the money is.

Accepting Responsibility in the Cloud
In addition to encrypting data in the cloud and implementing MFA, Miller-Osborn advises companies to take a closer look at container security. Container adoption is ramping up, researchers say, and 25% of organizations use popular managed container services such as Amazon Elastic Container Service for Kubernetes and Azure Kubernetes Service.

If your organization is thinking about or adopting containers, it's imperative to make sure the right protections are in place. By default, pods in a Kubernetes cluster can receive traffic from any source – a setting 46% of businesses leave in place, exposing pods to network attacks. Further, 15% don't use identity and access management roles for access to Kubernetes clusters.

Part of the challenge in cloud security is determining what, exactly, you're responsible for. A lack of understanding revolves around separating which components of security a business is responsible for and which should be left to the cloud provider, Miller-Osborn adds. The specifics vary between cloud providers; if you're unsure what you should be securing, it's time to check.

Generally, researchers explain, the organization handles security in the cloud, patching host vulnerabilities, network traffic, user activities, and resource configuration. Cloud providers handle security "of" the cloud: routers, hypervisor, switches and hubs, and the data center.

"Moving data to the cloud doesn't change the fact that it's interesting to attackers," Miller-Osborn says. "They're still going to go after it."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5974
PUBLISHED: 2020-07-08
NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in its installation scripts in which permissions are incorrectly set on certain directories, which can lead to escalation of privileges.
CVE-2020-15072
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.
CVE-2020-15073
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section.
CVE-2020-2034
PUBLISHED: 2020-07-08
An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if GlobalProtect...
CVE-2019-19415
PUBLISHED: 2020-07-08
The SIP module of some Huawei products have a denial of service (DoS) vulnerability. A remote attacker could exploit these three vulnerabilities by sending the specially crafted messages to the affected device. Due to the insufficient verification of the packets, successful exploit could allow the a...