

9/14/2020 06:05 PM
Large Cloud Providers Much Less Likely Than Enterprises to Get Breached

Pen-test results also show a majority of organizations have few protections against attackers already on the network.

Major cloud services providers are about half as likely (46%) to experience a data breach compared with large enterprises, a new study suggests.

Security assessment vendor Coalfire recently analyzed data from some 800 penetration tests that emulated cyberattacks on customer networks. The exercise showed that cloud services providers — at least the big ones — have made significant security improvements in recent years and are more resistant to data breaches than large enterprise organizations.


The cloud providers in Coalfire's study had substantially fewer high-risk vulnerabilities than organizations of a similar size with on-premises IT infrastructures. Only 19% of the vulnerabilities that Coalfire encountered on infrastructures belonging to large cloud providers fell into the high-risk category, compared with 35% on large enterprise networks. Similarly, 25% of vulnerabilities discovered on medium-sized cloud providers' platforms were high-risk, compared with 39% on networks belonging to medium-sized businesses.

When vulnerabilities do exist in cloud environments, a plurality (27%) result from insecure configuration. Cross-site scripting errors are another major — and perennial — vulnerability type, accounting for 27% of all vulnerabilities in cloud provider infrastructures.

"As cloud providers mature their security programs, they are seeing an overall lower number of critical issues during testing," says Mike Weber, vice president at Coalfire. "However, we are seeing the same types of issues occur for cloud providers year over year, which makes us wonder whether there needs to be a fundamental shift in our approach to security processes or technologies."

Coalfire's research also showed that most organizations are better prepared to handle external attackers than they are for attackers who might already be on their network. On average, only about one in six vulnerabilities that Coalfire's researchers uncovered during their pen tests gave external attackers a way to immediately compromise the network. In contrast, 50% of the issues that Coalfire discovered during internal penetration tests were critical and would have resulted in immediate network compromise. Another 37% would have provided attackers already on the network with a "significant" opportunity to compromise the environment.

"The most important thing that an enterprise can do to improve security is to harden their internal networks," Weber says. "Disabling Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), and enabling server message block (SMB) signing across the enterprise are the most effective ways to neutralize the impact of adversaries gaining access to your internal environments," he says.
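The three settings Weber names are all host-level Windows configuration, so an administrator can audit and apply them directly. The following PowerShell is an added example written for this page, not Coalfire's tooling or anything from the article: `Get-InternalHardeningState` reports the current state of LLMNR, NBT-NS and SMB signing on the local machine, and `Set-InternalHardening` applies the hardening (it supports `-WhatIf`). It assumes an elevated session on Windows 8 / Server 2012 or later (for the `Smb*Configuration` cmdlets), and that a fleet-wide rollout would be done through Group Policy rather than by running this on every host.

```powershell
# Added example (not from the article or Coalfire): audit and apply the internal-network
# hardening described above. Run elevated. Assumes Windows 8 / Server 2012 or later.

function Get-InternalHardeningState {
    # LLMNR: the "Turn off multicast name resolution" policy writes EnableMulticast = 0.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast

    # NBT-NS: per-interface NetbiosOptions (0 = use DHCP setting, 1 = enabled, 2 = disabled).
    $ifaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    $nbtEnabled = Get-ChildItem -Path $ifaceKey | Where-Object {
        (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions -ne 2
    } | ForEach-Object { $_.PSChildName }

    # SMB signing: require it on both the server (inbound) and client (outbound) side.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration

    [pscustomobject]@{
        LlmnrDisabled            = ($llmnr -eq 0)
        NbtnsEnabledInterfaces   = @($nbtEnabled)      # empty when NBT-NS is off everywhere
        SmbServerSigningRequired = $srv.RequireSecuritySignature
        SmbClientSigningRequired = $cli.RequireSecuritySignature
    }
}

function Set-InternalHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if ($PSCmdlet.ShouldProcess($llmnrKey, 'Disable LLMNR (EnableMulticast = 0)')) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    }

    $ifaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $ifaceKey) {
        if ($PSCmdlet.ShouldProcess($iface.PSChildName, 'Disable NetBIOS over TCP/IP (NetbiosOptions = 2)')) {
            # Takes effect when the adapter is next reset or the host reboots.
            Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2 -Type DWord
        }
    }

    if ($PSCmdlet.ShouldProcess('LanmanServer / LanmanWorkstation', 'Require SMB signing')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
}

# Usage: report first, then preview and apply.
Get-InternalHardeningState
Set-InternalHardening -WhatIf
# Set-InternalHardening
Get-InternalHardeningState
```

Requiring SMB signing on the client side as well as the server side matters because relay of an outbound SMB authentication is the usual way a name-resolution poisoning attempt is turned into access; test the client setting against any legacy NAS or appliance that cannot sign before enforcing it fleet-wide.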

The top enterprise vulnerabilities that Coalfire discovered included insecure protocols, password flaws, issues with patching, and out-of-date software. Application vulnerabilities remain a concern, but considerably less so than a few years ago. Just 16% of the vulnerabilities that Coalfire discovered during application pen tests this year were high-risk flaws, compared with 36% last year. The security vendor attributed the drop to more secure development practices and the adoption of "shift-left" security testing practices aimed at catching security bugs early in the development cycle.

Similar Findings
Coalfire's conclusions about the relatively weak protections that most organizations have against attackers already on the network are similar to those that Positive Technologies recently arrived at. In internal penetration tests, researchers from Positive Technologies simulated attacks that would have been carried out by a malicious insider or someone with access to typical employee privileges. At 61% of organizations, researchers were able to gain easy access to domain administrator credentials. Thirty percent of the organizations had unpatched vulnerabilities from 2017.

Forty-seven percent of the actions the pen-testers took to create an attack vector involved legitimate actions that security administrators would likely not pay attention to because they couldn't be told apart from regular user activity.

"These include, for example, creating new privileged accounts on network nodes, creating a memory dump of the lsass.exe process, dumping registry branches, or sending requests to a domain controller," says Ekaterina Kilyusheva, head of the information security analytics research group at Positive Technologies. "Since these actions are difficult to distinguish from the usual activities of users or administrators, attacks can go unnoticed."

Kilyusheva says that Positive Technologies' tests on corporate information systems uncovered a low level of protection against internal attackers. In internal penetration tests last year, the company's security researchers were able to obtain full control of infrastructure at all tested companies. The most commonly detected vulnerabilities were configuration flaws, such as insufficient protection against recovery of credentials from OS memory or lack of access control, and password policy flaws, she says. "In almost every project, we were able to brute-force user passwords, even for privileged users."
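Two of the items Kilyusheva describes, the difficulty of telling an lsass.exe memory dump apart from normal activity and the lack of protection against recovering credentials from OS memory, have concrete host-side answers. The following PowerShell is an added example for this page, not Positive Technologies' tooling: `Get-LsaProtectionState` checks whether LSA protection (the `RunAsPPL` value, which stops unprotected processes from opening lsass.exe for memory reads) is enabled, and `Find-LsassAccess` hunts Sysmon ProcessAccess events (Event ID 10) for processes that opened lsass.exe with memory-read rights. It assumes Sysmon is installed with a configuration that logs ProcessAccess events for lsass.exe, and that the session has rights to read the Sysmon operational log.

```powershell
# Added example (not from the article or Positive Technologies): defender checks for
# credential theft from LSASS memory. Assumes Sysmon with ProcessAccess logging enabled.

function Get-LsaProtectionState {
    # RunAsPPL = 1 runs LSASS as a protected process light; a reboot is needed after setting it.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RunAsPPL = ($lsa.RunAsPPL -eq 1)
    }
}

function Find-LsassAccess {
    param([int]$Hours = 24)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 10                                   # ProcessAccess
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        if ($d.TargetImage -notlike '*\lsass.exe') { continue }

        # GrantedAccess is logged as a hex string such as 0x1010. PROCESS_VM_READ (0x10) is what a
        # memory dump needs; an access mask of only 0x1000 (QUERY_LIMITED_INFORMATION) is routine
        # and would flood the results, so it is skipped.
        $mask = [Convert]::ToInt32($d.GrantedAccess, 16)
        if (($mask -band 0x10) -eq 0) { continue }

        [pscustomobject]@{
            Time          = $e.TimeCreated
            SourceImage   = $d.SourceImage
            SourceUser    = $d.SourceUser         # present in newer Sysmon schemas, otherwise empty
            GrantedAccess = $d.GrantedAccess
            CallTrace     = $d.CallTrace
        }
    }
}

# Usage: confirm LSA protection, then review who has been reading LSASS memory in the last day.
Get-LsaProtectionState
Find-LsassAccess -Hours 24 | Sort-Object SourceImage -Unique | Format-Table -AutoSize
```

Legitimate readers of LSASS memory on a given estate (EDR agents, some backup and monitoring tools) will show up in this list too; the useful step is to baseline those `SourceImage` paths once so that anything new, or anything invoked from an unusual parent such as a user's download directory, stands out instead of blending into administrator activity.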

The sudden shift to remote work over the past six months as a result of the pandemic has exacerbated some of these issues. Anton Ovrutsky, adversarial collaboration engineer at Lares LLC, says some problem areas include the extension of the perimeter with split tunneling configurations and the potential for a home network to become part of the corporate network. Accelerating cloud usage is another concern. "Can you tell when an external user was added to your team's chat, for example?" he notes.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...