Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

06:05 PM
Connect Directly

Large Cloud Providers Much Less Likely Than Enterprises to Get Breached

Pen-test results also show a majority of organizations have few protections against attackers already on the network.

Major cloud services providers are about half as likely (46%) to experience a data breach compared with large enterprises, a new study suggests.

Security assessment vendor Coalfire recently analyzed data from some 800 penetration tests that emulated cyberattacks on customer networks. The exercise showed that cloud services providers — at least the big ones — have made significant security improvements in recent years and are more resistant to data breaches than large enterprise organizations.

Related Content:

Pen-Test Results Hint at Improvements in Enterprise Security

Special Report: Computing's New Normal, a Dark Reading Perspective

New on The Edge: Think You're Spending Enough on Security?

The cloud providers in Coalfire's study had substantially lesser high-risk vulnerabilities compared with organizations of a similar size with on-premises IT infrastructures. Only 19% of the vulnerabilities that Coalfire encountered on infrastructures belonging to large cloud providers fell into the high-risk category, compared with 35% on large enterprise networks. Similarly, 25% of vulnerabilities discovered on medium-sized cloud providers' platforms were high-risk, compared with 39% on networks belonging to medium-sized businesses.

When vulnerabilities do exist in cloud environments, a plurality (27%) result from insecure configuration. Cross-site scripting errors are another major — and perennial — vulnerability type, accounting for 27% of all vulnerabilities in cloud provider infrastructures.

"As cloud providers mature their security programs, they are seeing an overall lower number of critical issues during testing," says Mike Weber, vice president at Coalfire. "However, we are seeing the same types of issues occur for cloud providers year over year, which makes us wonder whether there needs to be a fundamental shift in our approach to security processes or technologies."

Coalfire's research also showed that most organizations are better prepared to handle external attackers than they are with attackers who might already be on their network. On average, only about one in six vulnerabilities that Coalfire's researchers uncovered during their pen tests gave external attackers a way to immediately compromise the network. In contrast, 50% of the issues that Coalfire discovered during internal penetration tests were critical and would have resulted in immediate network compromise. Another 37% would have provided attackers already on the network with a "significant" opportunity to compromise the environment.

"The most important thing that an enterprise can do to improve security is to harden their internal networks," Weber says. "Disabling Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), and enabling server message block (SMB) signing across the enterprise are the most effective ways to neutralize the impact of adversaries gaining access to your internal environments," he says.

The top enterprise vulnerabilities that Coalfire discovered included insecure protocols, password flaws, issues with patching, and out-of-date software. Application vulnerabilities remain a concern, but considerably less so than a few years ago. Just 16% of the vulnerabilities that Coalfire discovered during application pen tests this year were high-risk flaws, compared with 36% last year. The security vendor attributed the drop to more secure development practices and the adoption of "shift-left" security testing practices aimed at catching security bugs early in the development cycle.

Similar Findings
Coalfire's conclusions about the relatively weak protections that most organizations have against attackers already on the network are similar to those that Positive Technologies recently arrived at as well. In internal penetration tests, researchers from Positive Technologies simulated attacks that would have been carried out by a malicious insider or someone with access to typical employee privileges. At 61% of organizations, researchers were able to gain easy access to domain administrator credentials. Thirty percent of the organizations had unpatched vulnerabilities from 2017.

Forty-seven percent of the actions the pen-testers took to create an attack vector involved legitimate actions that security administrators would likely not pay attention to because they couldn't be told apart from regular user activity.

"These include, for example, creating new privileged accounts on network nodes, creating a memory dump of the lsass.exe process, dumping registry branches, or sending requests to a domain controller," says Ekaterina Kilyusheva, head of the information security analytics research group at Positive Technologies. "Since these actions are difficult to distinguish from the usual activities of users or administrators, attacks can go unnoticed."

Kilyusheva says that Positive Technologies' tests on corporate information systems uncovered a low level of protection against internal attackers. In internal penetration tests last year, the company's security researchers were able to obtain full control of infrastructure at all tested companies. The most commonly detected vulnerabilities were configuration flaws, such as insufficient protection against recovery of credentials from OS memory or lack of access control, and password policy flaws, she says. "In almost every project, we were able to brute-force user passwords, even for privileged users."

The sudden shift to remote work over the past six months as a result of the pandemic has exacerbated some of these issues. Anton Ovrutsky, adversarial collaboration engineer at Lares LLC, says some problem areas include the extension of the perimeter with split tunneling configurations and the potential for a home network to become part of the corporate network. Accelerating cloud usage is another concern. "Can you tell when an external user was added to your team's chat, for example?" he notes.



Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-20
A stored Cross-Site Scripting (XSS) vulnerability in the survey feature in Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary web script or HTML via a textarea field. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).
PUBLISHED: 2021-01-20
XWiki 12.10.2 allows XSS via an SVG document to the upload feature of the comment section.
PUBLISHED: 2021-01-20
A stored Cross-Site Scripting (XSS) vulnerability in forms import feature in Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary web script or HTML via the import of a GF form. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).
PUBLISHED: 2021-01-20
Multiple stored HTML injection vulnerabilities in the "poll" and "quiz" features in an additional paid add-on of Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary HTML code via poll or quiz answers. This code is interpreted by users in a privile...
PUBLISHED: 2021-01-20
Tufin SecureChange prior to R19.3 HF3 and R20-1 HF1 are vulnerable to stored XSS. The successful exploitation requires admin privileges (for storing the XSS payload itself), and can exploit (be triggered by) admin users. All TOS versions with SecureChange deployments prior to R19.3 HF3 and R20-1 HF1...