
9/14/2020 06:05 PM
Large Cloud Providers Much Less Likely Than Enterprises to Get Breached

Pen-test results also show a majority of organizations have few protections against attackers already on the network.

Major cloud services providers are about half as likely (46%) to experience a data breach compared with large enterprises, a new study suggests.

Security assessment vendor Coalfire recently analyzed data from some 800 penetration tests that emulated cyberattacks on customer networks. The exercise showed that cloud services providers — at least the big ones — have made significant security improvements in recent years and are more resistant to data breaches than large enterprise organizations.


The cloud providers in Coalfire's study had substantially fewer high-risk vulnerabilities than organizations of a similar size with on-premises IT infrastructures. Only 19% of the vulnerabilities that Coalfire encountered on infrastructures belonging to large cloud providers fell into the high-risk category, compared with 35% on large enterprise networks. Similarly, 25% of vulnerabilities discovered on medium-sized cloud providers' platforms were high-risk, compared with 39% on networks belonging to medium-sized businesses.

When vulnerabilities do exist in cloud environments, a plurality (27%) result from insecure configuration. Cross-site scripting errors are another major — and perennial — vulnerability type, accounting for 27% of all vulnerabilities in cloud provider infrastructures.

"As cloud providers mature their security programs, they are seeing an overall lower number of critical issues during testing," says Mike Weber, vice president at Coalfire. "However, we are seeing the same types of issues occur for cloud providers year over year, which makes us wonder whether there needs to be a fundamental shift in our approach to security processes or technologies."

Coalfire's research also showed that most organizations are better prepared to handle external attackers than attackers who are already on their network. On average, only about one in six vulnerabilities that Coalfire's researchers uncovered during their pen tests gave external attackers a way to immediately compromise the network. In contrast, 50% of the issues that Coalfire discovered during internal penetration tests were critical and would have resulted in immediate network compromise. Another 37% would have provided attackers already on the network with a "significant" opportunity to compromise the environment.

"The most important thing that an enterprise can do to improve security is to harden their internal networks," Weber says. "Disabling Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS), and enabling server message block (SMB) signing across the enterprise are the most effective ways to neutralize the impact of adversaries gaining access to your internal environments," he says.
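The three settings Weber names are all registry-backed on Windows, so they can be audited and enforced with a short script. The following is an added example, not code from the article, Coalfire, or Microsoft: it reports the state of LLMNR, NetBIOS over TCP/IP (NBT-NS) and SMB signing on the local host and, with a switch this script itself defines (`-Enforce`), sets them to the hardened values. The registry paths are the documented locations that the corresponding Group Policy settings write to; in a domain you would normally push the same values by GPO rather than run this per host.

```powershell
# Added example (not from the Dark Reading article or Coalfire): audit and
# optionally enforce the internal-network hardening settings named in the text:
# disable LLMNR, disable NetBIOS name resolution (NBT-NS), require SMB signing.
# Run elevated on a Windows host. -Enforce is defined by this script, not Windows.

[CmdletBinding()]
param(
    [switch]$Enforce   # without this switch the script only reports
)

# Each check: the registry value and the hardened value we expect to find.
$checks = @(
    @{
        Name  = 'LLMNR disabled (EnableMulticast = 0)'
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
        Value = 'EnableMulticast'
        Want  = 0
    },
    @{
        Name  = 'SMB server requires signing'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Value = 'RequireSecuritySignature'
        Want  = 1
    },
    @{
        Name  = 'SMB client requires signing'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
        Value = 'RequireSecuritySignature'
        Want  = 1
    }
)

function Test-RegistrySetting {
    param($Path, $Value, $Want)
    # A missing key or value comes back as $null, which is reported as non-compliant.
    $current = (Get-ItemProperty -Path $Path -Name $Value -ErrorAction SilentlyContinue).$Value
    [pscustomobject]@{ Current = $current; Compliant = ($current -eq $Want) }
}

foreach ($c in $checks) {
    $state = Test-RegistrySetting -Path $c.Path -Value $c.Value -Want $c.Want
    if ($state.Compliant) {
        Write-Host "[OK]   $($c.Name)"
    } else {
        Write-Host "[FAIL] $($c.Name) (current: $($state.Current))"
        if ($Enforce) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Want -Type DWord
            Write-Host "       -> set $($c.Value) = $($c.Want)"
        }
    }
}

# NBT-NS is configured per network interface: NetbiosOptions 2 = disable NetBIOS over TCP/IP.
$ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($if in $ifaces) {
    $opt = (Get-ItemProperty -Path $if.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    if ($opt -eq 2) {
        Write-Host "[OK]   NetBIOS disabled on $($if.PSChildName)"
    } else {
        Write-Host "[FAIL] NetBIOS not disabled on $($if.PSChildName) (NetbiosOptions: $opt)"
        if ($Enforce) {
            Set-ItemProperty -Path $if.PSPath -Name NetbiosOptions -Value 2 -Type DWord
            Write-Host "       -> set NetbiosOptions = 2"
        }
    }
}
```

Two practical caveats before enforcing: requiring SMB signing on the server side rejects connections from clients that cannot sign (typically old appliances and printers), and disabling NBT-NS breaks name resolution for anything that still depends on NetBIOS names, so run the audit-only mode first and inventory the failures. `Get-SmbServerConfiguration | Select-Object RequireSecuritySignature` is a quick independent check that the server-side change took effect.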

The top enterprise vulnerabilities that Coalfire discovered included insecure protocols, password flaws, issues with patching, and out-of-date software. Application vulnerabilities remain a concern, but considerably less so than a few years ago. Just 16% of the vulnerabilities that Coalfire discovered during application pen tests this year were high-risk flaws, compared with 36% last year. The security vendor attributed the drop to more secure development practices and the adoption of "shift-left" security testing practices aimed at catching security bugs early in the development cycle.

Similar Findings
Coalfire's conclusions about the relatively weak protections that most organizations have against attackers already on the network are similar to those that Positive Technologies recently arrived at as well. In internal penetration tests, researchers from Positive Technologies simulated attacks that would have been carried out by a malicious insider or someone with access to typical employee privileges. At 61% of organizations, researchers were able to gain easy access to domain administrator credentials. Thirty percent of the organizations had unpatched vulnerabilities from 2017.

Forty-seven percent of the actions the pen-testers took to build an attack vector were legitimate actions that security administrators would likely not notice, because they could not be told apart from regular user activity.

"These include, for example, creating new privileged accounts on network nodes, creating a memory dump of the lsass.exe process, dumping registry branches, or sending requests to a domain controller," says Ekaterina Kilyusheva, head of the information security analytics research group at Positive Technologies. "Since these actions are difficult to distinguish from the usual activities of users or administrators, attacks can go unnoticed."
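The actions Kilyusheva lists are hard to tell from administration by looking at any one of them, but each leaves a recognisable trace in Windows Security or Sysmon telemetry, and a second event or a context check is usually enough to separate them from routine work. The script below is an added example, not from the article or Positive Technologies, that runs three such checks over constructed sample events: a non-system process opening the LSASS process with memory-read rights (Sysmon event 10), a newly created account being added to a privileged group shortly afterwards (Security 4720 followed by 4732/4728), and `reg.exe` exporting the SAM/SYSTEM/SECURITY hives (Sysmon event 1). The event objects, the `New-SampleEvents` helper and the `Find-SuspiciousActivity` function are this example's own constructs; on a real host you would build the same objects from `Get-WinEvent` output.

```powershell
# Added example (not from the Dark Reading article or Positive Technologies):
# a small detection pass over Windows Security / Sysmon events for the
# "looks like admin activity" actions the text lists. Sample events below are
# constructed for this example and are not real telemetry.

function New-SampleEvents {
    # Constructed sample data shaped as: Id, Log, TimeCreated, Props (event fields).
    $t = Get-Date '2020-09-14T10:00:00'
    @(
        [pscustomobject]@{ Id = 10; Log = 'Sysmon'; TimeCreated = $t.AddMinutes(1)
            Props = @{ SourceImage = 'C:\Users\alice\tool.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1FFFFF' } }
        [pscustomobject]@{ Id = 10; Log = 'Sysmon'; TimeCreated = $t.AddMinutes(2)
            Props = @{ SourceImage = 'C:\Windows\System32\csrss.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1000' } }
        [pscustomobject]@{ Id = 4720; Log = 'Security'; TimeCreated = $t.AddMinutes(5)
            Props = @{ TargetUserName = 'svc_backup2'; SubjectUserName = 'bob' } }
        [pscustomobject]@{ Id = 4732; Log = 'Security'; TimeCreated = $t.AddMinutes(6)
            Props = @{ MemberName = 'CN=svc_backup2,CN=Users,DC=corp,DC=example'; TargetUserName = 'Administrators'; SubjectUserName = 'bob' } }
        [pscustomobject]@{ Id = 1; Log = 'Sysmon'; TimeCreated = $t.AddMinutes(9)
            Props = @{ Image = 'C:\Windows\System32\reg.exe'; CommandLine = 'reg save HKLM\SAM C:\Temp\sam.hiv'; User = 'CORP\bob' } }
    )
}

function Find-SuspiciousActivity {
    param([object[]]$Events)
    $alerts = New-Object System.Collections.Generic.List[string]
    $sorted = $Events | Sort-Object TimeCreated

    # 1. Sysmon 10: a process outside the allow list opening LSASS with
    #    PROCESS_VM_READ (0x10) in its granted access mask.
    $allowedSources = @('C:\Windows\System32\csrss.exe', 'C:\Windows\System32\wininit.exe', 'C:\Windows\System32\services.exe')
    foreach ($e in ($sorted | Where-Object { $_.Log -eq 'Sysmon' -and $_.Id -eq 10 })) {
        if ($e.Props.TargetImage -notlike '*\lsass.exe') { continue }
        $access = [Convert]::ToInt32($e.Props.GrantedAccess, 16)
        if (($access -band 0x10) -ne 0 -and $allowedSources -notcontains $e.Props.SourceImage) {
            $alerts.Add("LSASS memory access by $($e.Props.SourceImage) (GrantedAccess $($e.Props.GrantedAccess))")
        }
    }

    # 2. Security 4720 (account created) followed within 30 minutes by 4732/4728
    #    (member added to a local/domain group) where the group is privileged
    #    and the member is the account just created.
    $privGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins')
    $created = $sorted | Where-Object { $_.Log -eq 'Security' -and $_.Id -eq 4720 }
    $added   = $sorted | Where-Object { $_.Log -eq 'Security' -and ($_.Id -eq 4732 -or $_.Id -eq 4728) }
    foreach ($c in $created) {
        foreach ($a in $added) {
            $delta = ($a.TimeCreated - $c.TimeCreated).TotalMinutes
            if ($delta -ge 0 -and $delta -le 30 -and
                $privGroups -contains $a.Props.TargetUserName -and
                $a.Props.MemberName -like "CN=$($c.Props.TargetUserName),*") {
                $alerts.Add("New account $($c.Props.TargetUserName) added to $($a.Props.TargetUserName) $([int]$delta) min after creation by $($c.Props.SubjectUserName)")
            }
        }
    }

    # 3. Sysmon 1: reg.exe saving the SAM, SYSTEM or SECURITY hive to a file.
    foreach ($e in ($sorted | Where-Object { $_.Log -eq 'Sysmon' -and $_.Id -eq 1 })) {
        if ($e.Props.Image -like '*\reg.exe' -and
            $e.Props.CommandLine -match '(?i)\bsave\b.*hklm\\(sam|system|security)\b') {
            $alerts.Add("Registry hive export by $($e.Props.User): $($e.Props.CommandLine)")
        }
    }
    return $alerts
}

# Against the constructed sample the three suspicious events produce three alerts;
# the csrss.exe access to LSASS (query rights only, allow-listed source) does not.
Find-SuspiciousActivity -Events (New-SampleEvents) | ForEach-Object { Write-Host "ALERT: $_" }
```

The allow list in the first check is where most tuning happens: EDR agents, backup software and some monitoring tools legitimately read LSASS memory, so the list should be populated from your own baseline rather than left as the three system processes used here. To run the same logic against live data, build the event objects from `Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 }` and the equivalent query on the Security log, mapping each event's properties into the `Props` hashtable.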

Kilyusheva says that Positive Technologies' tests on corporate information systems uncovered a low level of protection against internal attackers. In internal penetration tests last year, the company's security researchers were able to obtain full control of infrastructure at all tested companies. The most commonly detected vulnerabilities were configuration flaws, such as insufficient protection against recovery of credentials from OS memory or lack of access control, and password policy flaws, she says. "In almost every project, we were able to brute-force user passwords, even for privileged users."

The sudden shift to remote work over the past six months as a result of the pandemic has exacerbated some of these issues. Anton Ovrutsky, adversarial collaboration engineer at Lares LLC, says some problem areas include the extension of the perimeter with split tunneling configurations and the potential for a home network to become part of the corporate network. Accelerating cloud usage is another concern. "Can you tell when an external user was added to your team's chat, for example?" he notes.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.