Upgrade your cybersecurity credentials with Penn State – online
Penn State World Campus has several top-ranked cybersecurity degrees and certificates designed for all levels of experience, available entirely online. The programs can help you strengthen your cybersecurity knowledge and build skills to leverage immediately in your current position and for long-term career success.Learn more
By InfoSecurity Professional Staff
Despite recent years’ acceleration into cloud-native environments—or perhaps because of it—remediations for cloud misconfigurations are still measured in weeks and months, not days, on average. This lag also comes at a time when watering hole attacks like the one tied to SolarWinds are coming for the cloud, according to a study released earlier this year.
“Our research indicates that teams are rapidly adopting managed services, which certainly increase productivity and maintain development velocity,” said Accurics co-founder and CTO Om Moolchandani, in a prepared statement. “However, these teams unfortunately aren’t keeping up with the associated risks. We see a reliance on using default security profiles and configurations, along with excessive permissions.”
Among the key findings in the company’s latest, longitudinal Cloud Cyber Resilience Report:
- 35% of analyzed organizations struggle with improper use of role-based access controls in the cloud, resulting in roles with more permissions than needed
- One in 10 enterprises pay for advanced cloud security capabilities they never use
- Poorly configured managed infrastructure services account for a quarter of all noted cloud-related “violations” that allow attackers to surveil, steal and modify data
- Hardcoded secrets represent almost 10% of identified violations. Another 23% correspond to poorly configured managed services offerings
More breaches through insecure cloud configurations
To arrive at its findings, Accurics compared industry benchmarks and established best practices against real-world projects built with tools like Terraform, Kubernetes and Helm and run mainly on Amazon Web Services, Microsoft Azure or Google Cloud Platform. Using an open source tool, researchers flagged incidents where code did not conform to established security policies. If the infraction involved applying noncompliant updates to otherwise conforming runtime configurations, it was declared a “drift.”
“Drifts are caused by configuration changes applied directly to the runtime environment, either manually or through automated tools such as analytics and orchestration,” according to the report.
Researchers concluded many violations resulted from development teams “stumbling over misconfigured storage services, security groups and mappings, hardcoded secrets, and networking.” Twenty-three percent of all violations came from poorly configured managed service offerings, particularly sticking with underwhelming default security settings.
Lags to fix known flaws
The Accurics research found it took an average of 25 days from a flaw’s discovery to remediation, during which time companies are more vulnerable. It took about 21 days to remedy typical drift issues and up to 149 days to deal with certain violations.
Kubernetes users were cited for failing to provide proper granularity when implementing role-based access controls. “This increases credential reuse and the chance of misuse—in fact, 35% of the organizations evaluated struggle with this problem,” according to the report.
“Improper use of the default namespace—where system components run—was the most common mistake, which could give attackers access to the system components or secrets,” researchers added.
The report recommended automated audits for coding consistency and policy compliance for work done within cloud environments.
Watering hole attacks on the rise
The report also homed in on the impact of the SolarWinds attack, in which malicious actors modified source code then masked it, to make it appear to come from an authorized developer. Attackers spent months surreptitiously spying on tens of thousands of SolarWinds customers before the targeted-yet-wide-sweeping, watering hole–style attack was discovered. Now, with more developers working in and for cloud environments, expect these types of attacks to grow in frequency and sophistication.
“When working in the cloud, all environments should be treated as production because they are equally exposed, and they often share roles and credentials,” Accurics researchers said. “If one environment is compromised, we must assume that all environments using the same roles are compromised.”
The study underscores how crucial supply chain security and cloud security have become as more functions, including software development, shift to public, private and hybrid cloud platforms. Everyone from executives to entry-level developers must understand that the shift to new cloud-based services from existing systems significantly alters threat profiles unless proactive steps are taken.
Such steps include paying closer attention to misconfigurations and applying swift remediation. Mistakes happen. It’s how a company responds that can make all the difference.