As organizations across industries rapidly deploy more assets in the public cloud with Amazon, Microsoft, and Google, they’re leaving numerous paths open for exploitation, according to Orca Security.
Cloud estates are being breached through their weakest links of neglected internet-facing workloads, widespread authentication issues, discoverable secrets and credentials, and misconfigured storage buckets.
While public cloud providers such as AWS, Microsoft Azure, and Google Cloud Platform keep their platforms secure, customers are still responsible for securing the workloads, data, and processes they run inside the cloud – just as they do in their on-prem world.
Such shared responsibility poses a serious challenge due to the speed and frequency of public cloud deployments. For most organizations, cloud workload security is dependent upon the installation and maintenance of security agents across all assets. However, IT security teams are not always informed of cloud deployments, so this lack of visibility results in missed vulnerabilities and attack vectors.
While organizations must secure their entire estate, attackers only need to find a single weak link to exploit,” said Avi Shua, CEO, Orca Security. “It’s imperative for organizations to have 100 percent public cloud visibility and know about all neglected assets, weak passwords, authentication issues, and misconfigurations to prioritize and fix. The Orca Security 2020 State of Public Cloud Security Report shows how just one gap in cloud coverage can lead to devastating data breaches.”
Neglected internet-facing workloads
Attackers look for vulnerable frontline workloads to gain entrance to cloud accounts and expand laterally within the environment. While security teams need to secure all public cloud assets, attackers only need to find one weak link.
- The study found more than 80 percent of organizations have at least one neglected, internet-facing workload – meaning it’s running on an unsupported operating system or has remained unpatched for 180 days or more
- Meanwhile, 60 percent have at least one neglected internet-facing workload that has reached its end of life and is no longer supported by manufacturer security updates
- 49 percent of organizations have at least one publicly accessible, unpatched web server despite increased awareness of how that can result in large data breaches
Authentication and credential issues
Weak security authentication is another way that attackers breach public cloud environments. Researchers found that authentication and password storage issues are commonplace.
- Almost half the organizations (44 percent) have internet-facing workloads containing secrets and credentials that include clear-text passwords, API keys, and hashed passwords that allow lateral movement across their environment
- Meanwhile, 24 percent have at least one cloud account that doesn’t use multi-factor authentication for the super admin user; 19 percent have cloud assets accessible via non- corporate credentials
- Additionally, five percent have cloud workloads that are accessible using either a weak or leaked password
Lateral movement risk
All weak links combine to pose serious cloud security and lateral movement attack risk for any organization. Attackers also take advantage of knowing that internal servers are less protected than external internet-facing servers and that they can expand rapidly in search of critical data once inside a cloud estate.
- The security posture of internal machines is much worse than internet-facing servers, with 77 percent of organizations having at least 10 percent of their internal workloads in a neglected security state
- Additionally, six percent of internet-facing assets contain SSH keys that could be used to access adjacent systems