Dark Reading is part of the Informa Tech Division of Informa PLC

Large Cloud Providers Much Less Likely Than Enterprises to Get Breached

Pen-test results also show a majority of organizations have few protections against attackers already on the network.

Major cloud services providers are about half as likely (46%) to experience a data breach compared with large enterprises, a new study suggests.

Security assessment vendor Coalfire recently analyzed data from some 800 penetration tests that emulated cyberattacks on customer networks. The exercise showed that cloud services providers — at least the big ones — have made significant security improvements in recent years and are more resistant to data breaches than large enterprise organizations.


The cloud providers in Coalfire's study had a substantially smaller share of high-risk vulnerabilities than organizations of a similar size running on-premises IT infrastructure. Only 19% of the vulnerabilities that Coalfire encountered on infrastructure belonging to large cloud providers fell into the high-risk category, compared with 35% on large enterprise networks. Similarly, 25% of vulnerabilities discovered on medium-sized cloud providers' platforms were high-risk, compared with 39% on networks belonging to medium-sized businesses.

When vulnerabilities do exist in cloud environments, insecure configuration is the largest single category, at 27%. Cross-site scripting errors, a perennial web-application flaw, are tied with it, also accounting for 27% of all vulnerabilities in cloud provider infrastructures.

"As cloud providers mature their security programs, they are seeing an overall lower number of critical issues during testing," says Mike Weber, vice president at Coalfire. "However, we are seeing the same types of issues occur for cloud providers year over year, which makes us wonder whether there needs to be a fundamental shift in our approach to security processes or technologies."

Coalfire's research also showed that most organizations are better prepared to handle external attackers than attackers who are already on their network. On average, only about one in six vulnerabilities that Coalfire's researchers uncovered during their pen tests gave external attackers a way to immediately compromise the network. In contrast, 50% of the issues that Coalfire discovered during internal penetration tests were critical and would have resulted in immediate network compromise. Another 37% would have given attackers already on the network a "significant" opportunity to compromise the environment.

"The most important thing that an enterprise can do to improve security is to harden their internal networks," Weber says. "Disabling Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), and enabling server message block (SMB) signing across the enterprise are the most effective ways to neutralize the impact of adversaries gaining access to your internal environments," he says.
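The three controls Weber names counter the same attack chain: LLMNR and NBT-NS poisoning lets an attacker on the LAN answer name lookups and capture or relay NTLM authentication, and unsigned SMB is what makes the relay land. The following PowerShell script is an added example, not code from the article or from Coalfire; it audits one host for all three settings and, with -Remediate, applies them. Registry paths and cmdlets are the documented Windows ones; the host name, the allow-reporting layout and the -Remediate switch are this example's own assumptions, and in production the same settings belong in Group Policy rather than a per-host script.

```powershell
# Added example (not from the article or Coalfire): audit and optionally apply the
# internal-network hardening steps Weber names. Run elevated on a Windows host
# (Windows 8 / Server 2012 or later for the Smb*Configuration cmdlets).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # without this switch the script only reports
)

# 1. LLMNR is governed by the DNS client policy key; EnableMulticast = 0 disables it.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
$llmnrOk = ($llmnr -eq 0)

# 2. NetBIOS over TCP/IP is a per-interface setting: NetbiosOptions 0 = let DHCP decide,
#    1 = enabled, 2 = disabled. Every interface must be 2 for the host to be clean.
$nbtRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$nbtEnabled = @(Get-ChildItem $nbtRoot | Where-Object {
    (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions -ne 2
})
$nbtOk = ($nbtEnabled.Count -eq 0)

# 3. SMB signing must be *required* on both the server and the client side.
#    "Enabled but not required" still lets a relay target negotiate an unsigned session.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
$smbOk = [bool]($srv.RequireSecuritySignature -and $cli.RequireSecuritySignature)

[pscustomobject]@{
    Host                 = $env:COMPUTERNAME
    LLMNRDisabled        = $llmnrOk
    NetBIOSDisabledOnAll = $nbtOk
    NetBIOSInterfacesOn  = $nbtEnabled.Count
    SMBSigningRequired   = $smbOk
} | Format-List

if (-not $Remediate) { return }

if (-not $llmnrOk -and $PSCmdlet.ShouldProcess('LLMNR', 'Disable via DNSClient policy')) {
    New-Item -Path $llmnrKey -Force | Out-Null
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
}
foreach ($iface in $nbtEnabled) {
    if ($PSCmdlet.ShouldProcess($iface.PSChildName, 'Disable NetBIOS over TCP/IP')) {
        Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}
if (-not $smbOk -and $PSCmdlet.ShouldProcess('SMB', 'Require signing on server and client')) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}
```

Run it as `.\Harden-NameResolution.ps1` to audit and `.\Harden-NameResolution.ps1 -Remediate -WhatIf` to see what would change before committing. The NetBIOS registry change takes effect only after the adapter is reset or the host reboots, and requiring SMB signing can break old appliances (printers, scanners, NAS firmware) that cannot sign, so inventory those before rolling the setting out domain-wide.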

The top enterprise vulnerabilities that Coalfire discovered included insecure protocols, password flaws, issues with patching, and out-of-date software. Application vulnerabilities remain a concern, but considerably less so than a few years ago. Just 16% of the vulnerabilities that Coalfire discovered during application pen tests this year were high-risk flaws, compared with 36% last year. The security vendor attributed the drop to more secure development practices and the adoption of "shift-left" security testing practices aimed at catching security bugs early in the development cycle.

Similar Findings
Coalfire's conclusions about the relatively weak protections that most organizations have against attackers already on the network echo findings Positive Technologies recently reported. In internal penetration tests, researchers from Positive Technologies simulated attacks that would be carried out by a malicious insider or someone with typical employee privileges. At 61% of organizations, researchers were able to gain easy access to domain administrator credentials. Thirty percent of the organizations still had unpatched vulnerabilities dating from 2017.

Forty-seven percent of the actions the pen-testers took to build an attack path were legitimate operations that security administrators would likely overlook, because they cannot be told apart from regular user or administrator activity.

"These include, for example, creating new privileged accounts on network nodes, creating a memory dump of the lsass.exe process, dumping registry branches, or sending requests to a domain controller," says Ekaterina Kilyusheva, head of the information security analytics research group at Positive Technologies. "Since these actions are difficult to distinguish from the usual activities of users or administrators, attacks can go unnoticed."

Kilyusheva says that Positive Technologies' tests on corporate information systems uncovered a low level of protection against internal attackers. In internal penetration tests last year, the company's security researchers were able to obtain full control of infrastructure at all tested companies. The most commonly detected vulnerabilities were configuration flaws, such as insufficient protection against recovery of credentials from OS memory or lack of access control, and password policy flaws, she says. "In almost every project, we were able to brute-force user passwords, even for privileged users."
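Of the actions Kilyusheva lists, reading lsass.exe memory is the one that is usually recoverable from telemetry, because Sysmon Event ID 10 (ProcessAccess) records which process opened a handle to LSASS and with what access mask. The following PowerShell function is an added example, not code from Positive Technologies or the article; it filters such events for handles that carry PROCESS_VM_READ and come from a process outside a short allow-list. The four sample events are constructed for this example, the allow-list is an assumption to be tuned per environment, and real events from Get-WinEvent need their EventData mapped into the four fields the function reads.

```powershell
# Added example (not from Positive Technologies): flag LSASS memory access from
# unexpected processes in Sysmon Event ID 10 data. Sample events below are constructed.

$PROCESS_VM_READ = 0x0010   # the right a memory dump needs; 0x1010 and 0x1FFFFF are the masks dump tools usually request

# Processes that legitimately open LSASS on a typical host (assumed; tune per environment, keep it short).
$allowedSources = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\MsMpEng.exe'
)

function Find-LsassAccess {
    param([Parameter(Mandatory)] [object[]] $Events)
    $Events | Where-Object {
        $_.EventId -eq 10 -and
        $_.TargetImage -like '*\lsass.exe' -and
        ([int]$_.GrantedAccess -band $PROCESS_VM_READ) -ne 0 -and
        $allowedSources -notcontains $_.SourceImage
    }
}

# Constructed sample: an AV read (allowed), a svchost handle without VM_READ,
# a Task Manager "Create dump file", and a rundll32 comsvcs-style dump.
$sample = @(
    [pscustomobject]@{ EventId=10; SourceImage='C:\Windows\System32\MsMpEng.exe';  TargetImage='C:\Windows\System32\lsass.exe'; GrantedAccess=0x1010 },
    [pscustomobject]@{ EventId=10; SourceImage='C:\Windows\System32\svchost.exe';  TargetImage='C:\Windows\System32\lsass.exe'; GrantedAccess=0x1000 },
    [pscustomobject]@{ EventId=10; SourceImage='C:\Windows\System32\taskmgr.exe';  TargetImage='C:\Windows\System32\lsass.exe'; GrantedAccess=0x1FFFFF },
    [pscustomobject]@{ EventId=10; SourceImage='C:\Windows\System32\rundll32.exe'; TargetImage='C:\Windows\System32\lsass.exe'; GrantedAccess=0x1010 }
)

Find-LsassAccess -Events $sample | Select-Object SourceImage, GrantedAccess
# Flags taskmgr.exe and rundll32.exe only. Live data comes from
# Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=10 }
# with EventData fields pulled out of each event's XML into the same four properties.
```

The GrantedAccess check matters more than the process name: a handle to LSASS with only PROCESS_QUERY_LIMITED_INFORMATION is routine, whereas any handle carrying PROCESS_VM_READ from a process you did not expect is exactly the "hard to distinguish" action the quote describes, and it is the allow-list, not the event itself, that turns it into a signal. Registry-hive dumps and new privileged accounts need separate rules (Security Event IDs 4720 and 4728/4732, and Sysmon process-creation events for reg.exe save) and are not covered by this function.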

The sudden shift to remote work over the past six months as a result of the pandemic has exacerbated some of these issues. Anton Ovrutsky, adversarial collaboration engineer at Lares LLC, says some problem areas include the extension of the perimeter with split tunneling configurations and the potential for a home network to become part of the corporate network. Accelerating cloud usage is another concern. "Can you tell when an external user was added to your team's chat, for example?" he notes.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...