Dark Reading is part of the Informa Tech Division of Informa PLC



Large Cloud Providers Much Less Likely Than Enterprises to Get Breached

Pen-test results also show a majority of organizations have few protections against attackers already on the network.

Major cloud services providers are about half as likely (46%) to experience a data breach compared with large enterprises, a new study suggests.

Security assessment vendor Coalfire recently analyzed data from some 800 penetration tests that emulated cyberattacks on customer networks. The exercise showed that cloud services providers — at least the big ones — have made significant security improvements in recent years and are more resistant to data breaches than large enterprise organizations.


The cloud providers in Coalfire's study had a substantially smaller share of high-risk vulnerabilities than organizations of similar size running on-premises IT infrastructure. Only 19% of the vulnerabilities that Coalfire encountered on infrastructure belonging to large cloud providers fell into the high-risk category, compared with 35% on large enterprise networks. Similarly, 25% of the vulnerabilities discovered on medium-sized cloud providers' platforms were high-risk, compared with 39% on networks belonging to medium-sized businesses.

Where vulnerabilities do exist in cloud environments, the two largest categories, at 27% each, are insecure configuration and cross-site scripting, a major and perennial vulnerability type in cloud provider infrastructure.

"As cloud providers mature their security programs, they are seeing an overall lower number of critical issues during testing," says Mike Weber, vice president at Coalfire. "However, we are seeing the same types of issues occur for cloud providers year over year, which makes us wonder whether there needs to be a fundamental shift in our approach to security processes or technologies."

Coalfire's research also showed that most organizations are better prepared to handle external attackers than attackers who are already on their network. On average, only about one in six vulnerabilities that Coalfire's researchers uncovered during their pen tests gave external attackers a way to immediately compromise the network. In contrast, 50% of the issues that Coalfire discovered during internal penetration tests were critical and would have resulted in immediate network compromise. Another 37% would have given attackers already on the network a "significant" opportunity to compromise the environment.

"The most important thing that an enterprise can do to improve security is to harden their internal networks," Weber says. "Disabling Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), and enabling server message block (SMB) signing across the enterprise are the most effective ways to neutralize the impact of adversaries gaining access to your internal environments," he says.
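The three settings Weber names can be applied and verified on a single Windows host with the script below. It is an added example, not Coalfire's tooling or anything from the article; the registry paths and cmdlets are the standard Windows ones, and for fleet-wide rollout the same values would normally be pushed by Group Policy rather than set per host. Run it from an elevated PowerShell session.

```powershell
# Added example: harden a Windows host against LLMNR/NBT-NS poisoning and SMB relay,
# then report the resulting state. Run as Administrator.

# 1. LLMNR is governed by the DNS Client policy key; EnableMulticast = 0 disables it.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
Set-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -Value 0 -Type DWord

# 2. NBT-NS: NetbiosOptions = 2 means "disable NetBIOS over TCP/IP" on that interface.
#    The registry value covers interfaces that appear later; the WMI call below changes
#    the adapters that are up right now without waiting for a reboot.
$ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $ifKey | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
}
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }

# 3. SMB signing: require it for both the server and the client role, so neither an
#    inbound nor an outbound SMB session on this host can be relayed unsigned.
Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force

# 4. Verify. NBTNS_InterfacesStillEnabled should be 0 and the signing flags $true.
[pscustomobject]@{
    LLMNR_EnableMulticast        = (Get-ItemProperty -Path $llmnrKey).EnableMulticast
    NBTNS_InterfacesStillEnabled = @(Get-ChildItem -Path $ifKey |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).NetbiosOptions -ne 2 }).Count
    SMBServer_RequireSigning     = (Get-SmbServerConfiguration).RequireSecuritySignature
    SMBClient_RequireSigning     = (Get-SmbClientConfiguration).RequireSecuritySignature
}
```

Requiring (not merely enabling) signing is the part that matters: with EnableSecuritySignature alone, a client that does not offer signing still gets an unsigned session, which is exactly what an SMB relay needs. Before switching RequireSecuritySignature on for servers, check for legacy clients or appliances that cannot sign, since they will stop connecting.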

The top enterprise vulnerabilities that Coalfire discovered included insecure protocols, password flaws, issues with patching, and out-of-date software. Application vulnerabilities remain a concern, but considerably less so than a few years ago. Just 16% of the vulnerabilities that Coalfire discovered during application pen tests this year were high-risk flaws, compared with 36% last year. The security vendor attributed the drop to more secure development practices and the adoption of "shift-left" security testing practices aimed at catching security bugs early in the development cycle.

Similar Findings
Coalfire's conclusions about the relatively weak protections most organizations have against attackers already on the network are similar to those Positive Technologies recently reached. In internal penetration tests, researchers from Positive Technologies simulated attacks that would be carried out by a malicious insider or someone with typical employee privileges. At 61% of organizations, the researchers were able to gain easy access to domain administrator credentials. Thirty percent of the organizations had unpatched vulnerabilities dating from 2017.

Forty-seven percent of the actions the pen testers took to build an attack path relied on legitimate functionality that security administrators would likely overlook because it could not be distinguished from regular user or administrator activity.

"These include, for example, creating new privileged accounts on network nodes, creating a memory dump of the lsass.exe process, dumping registry branches, or sending requests to a domain controller," says Ekaterina Kilyusheva, head of the information security analytics research group at Positive Technologies. "Since these actions are difficult to distinguish from the usual activities of users or administrators, attacks can go unnoticed."
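One of the actions Kilyusheva lists, dumping the memory of lsass.exe, is distinguishable from routine activity if the telemetry records which process opened LSASS and with what rights. The script below is an added illustration, not Positive Technologies' tooling: it runs over a constructed set of records shaped like Sysmon Event ID 10 (ProcessAccess) and flags handles to lsass.exe that carry PROCESS_VM_READ from a source outside a small allow-list. The allow-list, the sample records and the treatment of the access mask are assumptions to be tuned per environment; in production the `$events` array would come from `Get-WinEvent` against the Sysmon operational log.

```powershell
# Added example: flag LSASS memory reads from unexpected processes.
# $events is constructed sample data in the shape of Sysmon Event ID 10 fields.
$events = @(
    [pscustomobject]@{ User='NT AUTHORITY\SYSTEM'; SourceImage='C:\Windows\System32\svchost.exe';        TargetImage='C:\Windows\System32\lsass.exe'; GrantedAccess='0x1000' }
    [pscustomobject]@{ User='NT AUTHORITY\SYSTEM'; SourceImage='C:\Windows\System32\csrss.exe';          TargetImage='C:\Windows\System32\lsass.exe'; GrantedAccess='0x1FFFFF' }
    [pscustomobject]@{ User='CORP\jdoe';           SourceImage='C:\Users\jdoe\Downloads\procdump64.exe'; TargetImage='C:\Windows\System32\lsass.exe'; GrantedAccess='0x1FFFFF' }
    [pscustomobject]@{ User='CORP\jdoe';           SourceImage='C:\Windows\System32\taskmgr.exe';        TargetImage='C:\Windows\System32\lsass.exe'; GrantedAccess='0x1410' }
    [pscustomobject]@{ User='CORP\jdoe';           SourceImage='C:\Windows\explorer.exe';                TargetImage='C:\Windows\System32\svchost.exe'; GrantedAccess='0x1FFFFF' }
)

# Processes that routinely open LSASS on a typical host (assumption; tune per fleet).
$allowedSources = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\svchost.exe'
)

# A memory dump needs PROCESS_VM_READ (0x10). Masks such as 0x1010, 0x1410 and
# 0x1FFFFF all include that bit; 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) does not.
$PROCESS_VM_READ = 0x10

$suspicious = $events | Where-Object {
    $_.TargetImage -like '*\lsass.exe' -and
    (([int]$_.GrantedAccess) -band $PROCESS_VM_READ) -ne 0 -and
    $allowedSources -notcontains $_.SourceImage
}

# With the sample data this reports procdump64.exe and taskmgr.exe (Task Manager's
# "Create dump file" is a legitimate feature that attackers also use), and nothing else.
$suspicious | Select-Object User, SourceImage, GrantedAccess
```

The allow-list is the weak point of any rule like this: an attacker who injects into svchost.exe inherits its exemption, so the rule is a first filter, not a verdict. Pair it with LSA protection (RunAsPPL), which refuses these handles outright rather than merely logging them.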

Kilyusheva says that Positive Technologies' tests on corporate information systems uncovered a low level of protection against internal attackers. In internal penetration tests last year, the company's security researchers were able to obtain full control of infrastructure at all tested companies. The most commonly detected vulnerabilities were configuration flaws, such as insufficient protection against recovery of credentials from OS memory or lack of access control, and password policy flaws, she says. "In almost every project, we were able to brute-force user passwords, even for privileged users."
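The two configuration classes Kilyusheva names, weak protection of credentials in OS memory and weak password policy, can both be audited on a Windows host without domain tooling. The script below is an added example and not Positive Technologies' methodology; it reads the relevant registry values, asks the Device Guard WMI class whether Credential Guard is running, and pulls the local password policy through `secedit`. The thresholds it warns on (a 14-character minimum, a nonzero lockout count) are assumptions, not figures from the article.

```powershell
# Added example: read-only audit of credential-in-memory protections and password
# policy on a Windows host. Run elevated; thresholds below are assumptions.

$lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

# RunAsPPL = 1 runs LSASS as a protected process, so an ordinary process handle,
# which any memory dumper needs, is refused even to a local administrator.
$runAsPpl = (Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue).RunAsPPL

# UseLogonCredential = 1 makes WDigest keep cleartext passwords in LSASS memory.
# Absent or 0 is the safe state on supported Windows versions.
$wdigest = (Get-ItemProperty -Path $wdigestKey -ErrorAction SilentlyContinue).UseLogonCredential

# Credential Guard isolates secrets in a VBS enclave; SecurityServicesRunning
# lists the services actually active, and the value 1 denotes Credential Guard.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$credGuardRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

# Local password policy exported from the security database; no AD module required.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = @{}
Get-Content -Path $cfg | ForEach-Object {
    if ($_ -match '^(MinimumPasswordLength|PasswordComplexity|LockoutBadCount)\s*=\s*(\d+)') {
        $policy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

$findings = @()
if ($runAsPpl -ne 1)        { $findings += 'LSA protection (RunAsPPL) is not enabled' }
if ($wdigest -eq 1)         { $findings += 'WDigest caches cleartext credentials (UseLogonCredential=1)' }
if (-not $credGuardRunning) { $findings += 'Credential Guard is not running' }
if ($policy['MinimumPasswordLength'] -lt 14) {
    $findings += "MinimumPasswordLength is $($policy['MinimumPasswordLength']) (assumed floor: 14)"
}
if ($policy['PasswordComplexity'] -ne 1) { $findings += 'Password complexity is not enforced' }
if ($policy['LockoutBadCount'] -eq 0)    { $findings += 'No account lockout: online password guessing is unthrottled' }

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { Write-Warning $_ } }
```

Length and lockout together are what make the brute-force attacks described above expensive; complexity rules alone mostly produce predictable substitutions. Credential Guard and RunAsPPL address the other half of the finding, since password hashes that cannot be read from LSASS cannot be cracked or replayed from that host.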

The sudden shift to remote work over the past six months as a result of the pandemic has exacerbated some of these issues. Anton Ovrutsky, adversarial collaboration engineer at Lares LLC, says some problem areas include the extension of the perimeter with split tunneling configurations and the potential for a home network to become part of the corporate network. Accelerating cloud usage is another concern. "Can you tell when an external user was added to your team's chat, for example?" he notes.



Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
