Twilio has confirmed that, for 8 or so hours on July 19, a malicious version of their TaskRouter JS SDK was being served from one of their AWS S3 buckets.
“Due to a misconfiguration in the S3 bucket that was hosting the library, a bad actor was able to inject code that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks,” the company shared.
Who’s behind the attack?
Twilio is a cloud communications platform as a service (CPaaS) company, which provides web service APIs developers can use to add messaging, voice, and video in their web and mobile applications.
“The TaskRouter JS SDK is a library that allows customers to easily interact with Twilio TaskRouter, which provides an attribute-based routing engine that routes tasks to agents or processes,” Twilio explained.
The misconfigured AWS S3 bucket, which is used to serve public content from the domain twiliocdn.com, hosts copies of other SDKs, but only the TaskRouter SDK had been modified.
The misconfiguration allowed anybody on the Internet to read and write to the S3 bucket, and the opportunity was seized by the attacker(s).
“We do not believe this was an attack targeted at Twilio or any of our customers,” the company opined.
Jordan Herman, Threat Researcher at RiskIQ, which detailed previous threat campaigns that used the same malicious traffic redirector, told Help Net Security that because of how easy misconfigured Amazon S3 buckets are to find and the level of access they grant attackers, they are seeing attacks like this happening at an alarming rate.
Om Moolchandani, co-founder and CTO at code to cloud security company Accurics, noted that there are many similarities between waterhole attacks and the Twilio incident.
“Taking over a cloud hosted SDK allows attackers to ‘cloud waterhole’ into the victim environments by landing directly into the operation space of victims,” he said.
Due to this incident, Twilio checked the permissions on all of their AWS S3 buckets and found others that were misconfigured, but they stored no production or customer data and hadn’t been tampered with.
“During our incident review, we identified a number of systemic improvements that we can make to prevent similar issues from occurring in the future. Specifically, our teams will be engaging in efforts to restrict direct access to S3 buckets and deliver content only via our known CDNs, improve our monitoring of S3 bucket policy changes to quickly detect unsafe access policies, and determine the best way for us to provide integrity checking so customers can validate that they are using known good versions of our SDKs,” the company shared.
They say it’s difficult to gauge the impact of the attack on individual users, since the “links used in these attacks are deprecated and rotated and since the script itself doesn’t execute on all platforms.”
The company urges those who have downloaded a copy of the TaskRouter JS SDK between July 19th, 2020 1:12 PM and July 20th, 10:30 PM PDT (UTC-07:00) to re-download it, check its integrity and replace it.
“If your application loads v1.20 of the TaskRouter JS SDK dynamically from our CDN, that software has already been updated and you do not need to do anything,” they pointed out.
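The policy monitoring Twilio describes (detecting bucket policies that let anyone write) can be checked mechanically. The script below is an added example, not Twilio’s tooling: it parses an S3 bucket policy document and flags Allow statements that grant object-write or ACL actions to an anonymous principal, run against two constructed policies (an open one like the condition described above, and its corrected form). The bucket name, role name and account id are placeholders.

```python
"""Flag S3 bucket policy statements that let anyone on the Internet write to
the bucket. Added example for this article; it is not Twilio's tooling.
The policy documents at the bottom are constructed samples."""
import fnmatch
import json

# Actions that, when granted to an anonymous principal, let an outsider change
# what the bucket serves (the condition behind the SDK tampering described above).
WRITE_ACTIONS = {
    "s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
    "s3:PutBucketPolicy", "s3:PutBucketAcl",
}


def _as_list(value):
    """IAM policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True if the statement's Principal matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def matches(granted, action):
    """Action patterns may contain wildcards, e.g. "s3:*" or "s3:Put*"."""
    return any(fnmatch.fnmatchcase(action, g) for g in _as_list(granted))


def unsafe_statements(policy):
    """Return (Sid, action) pairs where an Allow for everyone covers a write action.

    Statements carrying a Condition block are still reported: a condition may be
    weaker than it looks, so a human should review it rather than trust it."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not is_anonymous(st.get("Principal")):
            continue
        for action in sorted(WRITE_ACTIONS):
            if matches(st.get("Action", []), action):
                findings.append((st.get("Sid", "<no Sid>"), action))
    return findings


# Constructed sample: a public CDN bucket whose policy also grants anonymous writes.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cdn-bucket/*"},
    {"Sid": "Oops", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-cdn-bucket/*"}
  ]
}""")

# Corrected form: anonymous principals may only read; writes need a named deploy
# role (111122223333 is a placeholder account id, not a real account).
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cdn-bucket/*"},
    {"Sid": "DeployOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/cdn-deploy"},
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-cdn-bucket/*"}
  ]
}""")

if __name__ == "__main__":
    for name, pol in (("open", OPEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, unsafe_statements(pol))
```

Bucket ACLs can grant the same public write access independently of the bucket policy, so a check of the ACL (not shown here) belongs alongside this one.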
70% of organizations experienced a public cloud security incident in the last year – including ransomware and other malware (50%), exposed data (29%), compromised accounts (25%), and cryptojacking (17%), according to Sophos.
Organizations running multi-cloud environments are greater than 50% more likely to suffer a cloud security incident than those running a single cloud.
Europeans suffered the lowest percentage of security incidents in the cloud, an indicator that compliance with GDPR guidelines is helping to protect organizations from being compromised. India, on the other hand, fared the worst, with 93% of organizations being hit by an attack in the last year.
“Ransomware, not surprisingly, is one of the most widely reported cybercrimes in the public cloud. The most successful ransomware attacks include data in the public cloud, according to the State of Ransomware 2020 report, and attackers are shifting their methods to target cloud environments that cripple necessary infrastructure and increase the likelihood of payment,” said Chester Wisniewski, principal research scientist, Sophos.
“The recent increase in remote working provides extra motivation to disable cloud infrastructure that is being relied on more than ever, so it’s worrisome that many organizations still don’t understand their responsibility in securing cloud data and workloads. Cloud security is a shared responsibility, and organizations need to carefully manage and monitor cloud environments in order to stay one step ahead of determined attackers.”
The unintentional open door: How attackers break in
Accidental exposure continues to plague organizations, with misconfigurations exploited in 66% of reported attacks. Misconfigurations drive the majority of incidents and are all too common given cloud management complexities.
Additionally, 33% of organizations report that cybercriminals gained access through stolen cloud provider account credentials. Despite this, only a quarter of organizations say managing access to cloud accounts is a top area of concern.
Data further reveals that 91% of accounts have overprivileged identity and access management roles, and 98% have multi-factor authentication disabled on their cloud provider accounts.
Public cloud security incident: The silver lining
96% of respondents admit to concern about their current level of cloud security, an encouraging sign that it’s top of mind and important.
Appropriately, “data leaks” top the list of security concerns for nearly half of respondents (44%); identifying and responding to security incidents is a close second (41%). Notwithstanding this silver lining, only one in four respondents view lack of staff expertise as a top concern.
The ease and speed at which new cloud tools can be deployed is also making it harder for security teams to control their usage, IBM Security reveals.
According to the data, basic security oversight issues, including governance, vulnerabilities, and misconfigurations, remain the top risk factors organizations must address to secure increasingly cloud-based operations.
Additionally, an analysis of security incidents over the past year sheds light on how cybercriminals are targeting cloud environments with customized malware, ransomware and more.
With businesses rapidly moving to cloud to accommodate remote workforce demands, understanding the unique security challenges posed by this transition is essential for managing risk.
While the cloud enables many critical business and technology capabilities, ad-hoc adoption and management of cloud resources is also creating complexity for IT and cybersecurity teams.
According to IDC, more than a third of companies purchased 30+ types of cloud services from 16 different vendors in 2019 alone. This distributed landscape can lead to unclear ownership of security in the cloud, creating policy “blind spots” and potential for shadow IT to introduce vulnerabilities and misconfiguration.
Cloud environment threats and challenges
- Complex ownership: 66% of respondents surveyed say they rely on cloud providers for baseline security; yet perception of security ownership varied greatly across specific cloud platforms and applications.
- Cloud applications opening the door: The most common path for cybercriminals to compromise cloud environments was via cloud-based applications, representing 45% of incidents in IBM X-Force IRIS cloud-related case studies. Cybercriminals took advantage of configuration errors as well as vulnerabilities within the applications, which often remained undetected due to employees standing up new cloud apps on their own, outside of approved channels.
- Amplifying attacks: While data theft was the top impact of attacks in the cloud, hackers also targeted the cloud for cryptomining and ransomware – using cloud resources to amplify the effect of these attacks.
“The cloud holds enormous potential for business efficiency and innovation, but also can create a ‘wild west’ of broader and more distributed environments for organizations to manage and secure,” said Abhijit Chakravorty, Cloud Security Competency Leader, IBM Security Services.
“When done right, cloud can make security scalable and more adaptable – but first, organizations need to let go of legacy assumptions and pivot to new security approaches designed specifically for this new frontier of technology, leveraging automation wherever possible. This starts with a clear picture of regulatory obligations and compliance mandate, as well as the unique technical and policy-driven security challenges and external threats targeting the cloud.”
Who owns security in the cloud?
Organizations rely heavily on cloud providers to own security in the cloud, despite the fact that configuration issues – which are typically users’ responsibility – are most often to blame for data breaches (accounting for more than 85% of all breached records in 2019).
Additionally, perceptions of security ownership in the cloud varied widely across various platforms and applications. For example, 73% of respondents believed public cloud providers were the main party responsible for securing software-as-a-service (SaaS), while only 42% believed providers were primarily responsible for securing cloud infrastructure-as-a-service (IaaS).
While this type of shared responsibility model is necessary for the hybrid, multi-cloud era, it can also lead to variable security policies and a lack of visibility across cloud environments. Organizations that are able to streamline their cloud and security operations can help reduce this risk, through clearly defined policies which apply across their entire IT environment.
Top threats in the cloud: Data theft, cryptomining and ransomware
In order to get a better picture of how attackers are targeting cloud environments, incident response experts conducted an in-depth analysis of cloud-related cases the team responded to over the past year. The analysis found:
- Cybercriminals leading the charge: Financially motivated cybercriminals were the most commonly observed threat group category targeting cloud environments, though nation state actors are also a persistent risk.
- Exploiting cloud apps: The most common entry point for attackers was via cloud applications, including tactics such as brute-forcing, exploitation of vulnerabilities and misconfigurations. Vulnerabilities often remained undetected due to “shadow IT,” when an employee goes outside approved channels and stands up a vulnerable cloud app. Managing vulnerabilities in the cloud can be challenging, since vulnerabilities in cloud products remained outside the scope of traditional CVEs until 2020.
- Ransomware in the cloud: Ransomware was deployed 3x more than any other type of malware in cloud environments, followed by cryptominers and botnet malware.
- Data theft: Outside of malware deployment, data theft was the most common threat activity observed in breached cloud environments over the last year, ranging from personally identifying information to client-related emails.
- Exponential returns: Threat actors used cloud resources to amplify the effect of attacks like cryptomining and DDoS. Additionally, threat groups used the cloud to host their malicious infrastructure and operations, adding scale and an additional layer of obfuscation to remain undetected.
“Based on the trends in our incident response cases, it’s likely that malware cases targeting cloud will continue to expand and evolve as cloud adoption increases,” said Charles DeBeck, IBM X-Force IRIS.
“Malware developers have already begun making malware that disables common cloud security products, and designing malware that takes advantage of the scale and agility offered by the cloud.”
Maturing cloud security leads to faster security response
While the cloud revolution is posing new challenges for security teams, organizations who are able to pivot to a more mature and streamlined governance model for cloud security can reap significant benefits in their security agility and response capabilities.
The survey found that organizations who ranked high maturity in both Cloud and Security evolution were able to identify and contain data breaches faster than colleagues who were still in early phases of their cloud adoption journey.
In terms of data breach response time, the most mature organizations were able to identify and contain data breaches twice as fast as the least mature organizations (average threat lifecycle of 125 days vs. 250 days).
As the cloud becomes essential for business operations and an increasingly remote workforce, organizations should focus on the following elements to improve cybersecurity for hybrid, multi-cloud environments:
- Establish collaborative governance and culture: Adopt a unified strategy that combines cloud and security operations – across application developers, IT Operations and Security. Designate clear policies and responsibilities for existing cloud resources as well as for the acquisition of new cloud resources.
- Take a risk-based view: Assess the kinds of workload and data you plan to move to the cloud and define appropriate security policies. Start with a risk-based assessment for visibility across your environment and create a roadmap for phasing cloud adoption.
- Apply strong access management: Leverage access management policies and tools for access to cloud resources, including multifactor authentication, to prevent infiltration using stolen credentials. Restrict privileged accounts and set all user groups to least-required privileges to minimize damage from account compromise (zero trust model).
- Have the right tools: Ensure tools for security monitoring, visibility and response are effective across all cloud and on-premise resources. Consider shifting to open technologies and standards which allow for greater interoperability between tools.
- Automate security processes: Implementing effective security automation in your system can improve your detection and response capabilities, rather than relying on manual reaction to events.
- Use proactive simulations to rehearse for various attack scenarios: This can help identify where blind spots may exist, and also address any potential forensic issues that may arise during attack investigation.
Nearly 80% of the companies had experienced at least one cloud data breach in the past 18 months, and 43% reported 10 or more breaches, a new Ermetic survey reveals.
According to the 300 CISOs that participated in the survey, security misconfiguration (67%), lack of adequate visibility into access settings and activities (64%) and identity and access management (IAM) permission errors (61%) were their top concerns associated with cloud production environments.
Meanwhile, 80% reported they are unable to identify excessive access to sensitive data in IaaS/PaaS environments. Only hacking ranked higher than misconfiguration errors as a source of data breaches.
“Even though most of the companies surveyed are already using IAM, data loss prevention, data classification and privileged account management products, more than half claimed these were not adequate for protecting cloud environments,” said Shai Morag, CEO of Ermetic.
“In fact, two thirds cited cloud native capabilities for authorization and permission management, and security configuration as either a high or an essential priority.”
Excessive access permissions may go unnoticed
Driven by the dynamic and on-demand nature of public cloud infrastructure deployments, users and applications often accumulate access permissions beyond what is necessary for their legitimate needs.
Excessive permissions may go unnoticed as they are often granted by default when a new resource or service is added to the cloud environment. These are a primary target for attackers as they can be used for malicious activities such as stealing sensitive data, delivering malware or causing damage such as disrupting critical processes and business operations.
As part of the study, IDC surveyed 300 senior IT decision makers in the US across the Banking (12%), Insurance (10%), Healthcare (11%), Government (8%), Utilities (9%), Manufacturing (10%), Retail (9%), Media (11%), Software (10%) and Pharmaceutical (10%) sectors. Organizations ranged in size from 1,500 to more than 20,000 employees.
Some of the report’s key findings include:
- 79% of companies experienced at least one cloud data breach in the past 18 months, and 43% said they had 10 or more
- Top three cloud security threats are security misconfiguration of production environments (67%), lack of visibility into access in production environments (64%) and improper IAM and permission configurations (61%)
- Top three cloud security priorities are compliance monitoring (78%), authorization and permission management (75%), and security configuration management (73%)
- Top cloud access security priorities are maintaining confidentiality of sensitive data (67%), regulatory compliance (61%) and providing the right level of access (53%)
- Top cloud access security challenges are insufficient personnel/expertise (66%), integrating disparate security solutions (52%) and lack of solutions that can meet their needs (39%)
As breaches and hacks continue, and new vulnerabilities are uncovered, secure coding is being recognized as an increasingly important security concept — and not just for back-room techies anymore, Accurics reveals.
Cloud stack risk
“Our report clearly describes how current security practices are grossly inadequate for protecting transient cloud infrastructures, and why more than 30 billion records have been exposed through cloud breaches in just the past two years,” said Sachin Aggarwal, CEO at Accurics.
“As cloud stacks become increasingly complex, with new technologies regularly added to the mix, what’s needed is a holistic approach with consistent protection across the full cloud stack, as well as the ability to identify risks from configuration changes to deployed cloud infrastructure from a baseline established during development.
“The shift to infrastructure as code enables this; organizations now have an opportunity to redesign their cloud security strategy and move away from a point solution approach.”
Key takeaways from the research
- Misconfigurations of cloud native technologies across the full cloud native stack are a clear risk, increasing the attack surface, and being exploited by malicious actors.
- There is a significant shift towards provisioning and managing cloud infrastructure through code. This offers an opportunity for organizations to embed security earlier in the DevOps lifecycle. However, infrastructure as code is not being adequately secured, thanks in part to the lack of tools that can provide holistic protection.
- Even in scenarios where infrastructure as code actually is being governed, there are continuing problems from privileged users making changes directly to the cloud once infrastructure is provisioned. This creates posture drift from the secure baseline established through code.
Infrastructure as code
The research shows that securing cloud infrastructure in production isn’t enough. Researchers determined that only 4% of issues reported in production are actually being addressed. This is unsurprising since issue investigation and resolution at this late stage in the development lifecycle is challenging and costly.
A positive trend identified by the research is that there is a significant shift towards provisioning and managing cloud infrastructure through code to achieve agility and reliability.
Popular technologies include Terraform, Kubernetes, Docker, and OpenFaaS. Accurics’ research shows that 24% of configuration changes are made via code, which is encouraging given the fact that many of these technologies are relatively new.
Infrastructure as code provides organizations with an opportunity to embed security earlier in the development lifecycle. However, research revealed that organizations are not ensuring basic security and compliance hygiene across code.
The dangers are undeniable: high severity risks such as open security groups, overly permissive IAM roles, and exposed cloud storage services constituted 67% of the issues. This is particularly worrisome since these types of risks have been at the core of numerous high-profile cloud breaches.
The study also shows that even if organizations implement policy guardrails and security assessments across infrastructure as code, 90% of organizations allow privileged users to make configuration changes directly to cloud infrastructure after it is deployed. This unfortunately results in cloud posture drifting from the secure baseline established during development.
Recommended best practices
- The importance of protecting the full cloud native stack, including serverless, containers, platform, and infrastructure
- Embedding security earlier in the development lifecycle in order to reduce the attack surface before cloud infrastructure is provisioned, as well as monitor for incremental risks throughout its lifecycle
- Most importantly, preventing cloud posture drift from the secure baseline established during development once infrastructure is provisioned
Verizon has released its annual Data Breach Investigations Report (DBIR), which offers an overview of the cyber security incidents and data breaches that happened in/were discovered in the past year.
Based on an analysis of incident and breach reports by 81 contributing organizations – companies, CERTs, law enforcement agencies and cybercrime units, etc. – from around the world, the DBIR offers insight into current cyber attack trends and the threats organizations in various industry verticals and parts of the world face.
2019 cyber attack trends: the “WHO”
The researchers analyzed 32,002 security incidents that resulted in the compromise of an information asset. Of those, 3,950 were data breaches, i.e., incidents that resulted in the confirmed disclosure of data to an unauthorized party.
The report is massive, so we’ll highlight some interesting tidbits and findings:
- 70% of breaches perpetrated by external actors (except in the healthcare vertical, where it’s 51% external, 48% internal)
- 86% of breaches were financially motivated
- Organized criminal groups were behind 55% of breaches
- 72% of breaches involved large business victims
“This year’s DBIR has once again highlighted the principal motive for the vast majority of malicious data breaches: the pursuit of profit. This is surprising to some, given the extensive media coverage of national security-related breaches. However, it should not be. Most malicious cyber actors are not motivated by national security or geopolitical objectives, but rather by simple greed,” the data scientists who compiled the report noted.
“Financially motivated breaches are more common than Espionage by a wide margin, which itself is more common than all other motives (including Fun, Ideology and Grudge, the traditional ‘go to’ motives for movie hackers).”
2019 cyber attack trends: the “HOW”
The majority of data breaches (67% or more) are caused by credential theft, social attacks (phishing, business email compromise, pretexting) and errors (mostly misconfiguration and misdelivery of documents and email).
“These tactics prove effective for attackers, so they return to them time and again. For most organizations, these three tactics should be the focus of the bulk of security efforts,” they advised.
Another interesting finding is that attacks on web apps were a part of 43% of breaches, which is more than double the results from last year. The researchers put this down to more workflows moving to cloud services and attackers adjusting to the shift.
“The most common methods of attacking web apps are using stolen or brute-forced credentials (over 80%) or exploiting vulnerabilities (less than 20%) in the web application to gain access to sensitive information,” they shared.
Less than 5% of breaches involved exploitation of a vulnerability, and it seems that most organizations are doing a good job at patching – at least at patching the assets they know about.
“Most organizations we see have internet-facing assets spread across five or more networks. It’s the forgotten assets that never get patched that can create dangerous holes in your defenses,” the authors pointed out.
Most malware is still delivered by email and the rest via web services. Attackers have mostly given up on cryptocurrency mining malware, RAM scrapers and malware with vulnerability exploits, but love password dumpers, malware that captures app data, ransomware and downloaders.
Even though it is a small percentage of all incidents, financially motivated social engineering is on the rise – and attackers have largely stopped asking for W-2 data of employees and switched to asking for the cash directly.
Cloud assets were involved in about 22% of breaches this year, while the rest were on-premises assets.
“Cloud breaches involved an email or web application server 73% of the time. Additionally, 77% of those cloud breaches also involved breached credentials. This is not so much an indictment of cloud security as it is an illustration of the trend of cybercriminals finding the quickest and easiest route to their victims,” they noted.
Use the information to improve defenses
An interesting finding that can be used by defenders to their advantage is that attackers prefer short paths to a data breach. Throwing things in their way to increase the number of actions they have to take is likely to decrease their chance of making off with the data.
Knowing which actions happen at the beginning, middle and end of incidents and breaches can also help defenders react quickly and with purpose.
“Malware is rarely the first action in a breach because it obviously has to come from somewhere. Conversely, Social actions almost never end an attack. In the middle, we can see Hacking and Malware providing the glue that holds the breach together. And so, [another] defensive opportunity is to guess what you haven’t seen based on what you have,” the authors noted.
“For example, if you see malware, you need to look back in time for what you may have missed, but if you see a social action, look for where the attacker is going, not where they are. All in all, paths can be hard to wrap your head around, but once you do, they offer a valuable opportunity not just for understanding the attackers, but for planning your own defenses.”
What should organizations do to bolster their cyber security posture?
DBIR report author and Information Security Data Scientist Gabe Bassett advises organizations to keep doing what they are doing: anti-virus at the host, network, and proxy level plus patching and filtering (e.g., with firewalls) will help push the attackers towards other attacks.
“Address the human element. The top actions (phishing, use of stolen credentials, misconfiguration, misdelivery, and misuse) all involve people. No-one is perfect so find ways to set people up for success and be prepared to handle their mistakes,” he noted, and added that all organizations should have some level of security operations.
“You can’t make the defenses high enough, wide enough, deep enough, or long enough to keep an attacker out if you don’t have someone watching the wall. For large organizations this means having a dedicated security operations center. For smaller ones it may mean taking advantage of economies of scale, either by acquiring managed security services directly, or by using services (payment systems, cloud services, and other managed services that have security operations incorporated).
Finally, to add extra steps to attackers’ path and to deter all but the most persistent ones, they should use two factor authentication whenever possible.
Data security is creating fear and trust issues for IT professionals, according to a new Oracle and KPMG report.
The study of 750 cybersecurity and IT professionals across the globe found that a patchwork approach to data security, misconfigured services and confusion around new cloud security models has created a crisis of confidence that will only be fixed by organizations making security part of the culture of their business.
Data security is keeping IT professionals awake at night
Demonstrating the fear and trust issues experienced by IT professionals, the study found that IT professionals are more concerned about the security of their company’s data than the security of their own home.
- IT professionals are 3X more concerned about the security of company financials and intellectual property than their home security.
- IT professionals have concerns about cloud service providers. 80 percent are concerned that cloud service providers they do business with will become competitors in their core markets.
- 75 percent of IT professionals view the public cloud as more secure than their own data centers, yet 92 percent of IT professionals do not trust their organization is well prepared to secure public cloud services.
- Nearly 80 percent of IT professionals say that recent data breaches experienced by other businesses have increased their organization’s focus on securing data moving forward.
Legacy data security approaches leave IT professionals playing whac-a-mole
IT professionals are using a patchwork of different cybersecurity products to try and address data security concerns, but face an uphill battle as these systems are seldom configured correctly.
- 78 percent of organizations use more than 50 discrete cybersecurity products to address security issues; 37 percent use more than 100 cybersecurity products.
- Organizations who discovered misconfigured cloud services experienced 10 or more data loss incidents in the last year.
- 59 percent of organizations shared that employees with privileged cloud accounts have had those credentials compromised by a spear phishing attack.
- The most common types of misconfigurations are:
  - Over-privileged accounts (37 percent)
  - Exposed web servers and other types of server workloads (35 percent)
  - Lack of multi-factor authentication for access to key services (33 percent)
Shifting responsibility and security
Organizations are moving more business-critical workloads to the cloud than ever before, but growing cloud consumption has created new blind spots as IT teams and cloud service providers work to understand their individual responsibilities in securing data. Shifting responsibility is clearly a huge issue, and confusion has left IT security teams scrambling to address a growing threat landscape.
- Nearly 90 percent of companies are using SaaS and 76 percent are using IaaS. 50 percent expect to move all their data to the cloud in the next two years.
- Shared responsibility security models are causing confusion. Only 8 percent of IT security executives state that they fully understand the shared responsibility security model.
- 70 percent of IT professionals think too many specialized tools are required to secure their public cloud footprint.
- 75 percent of IT professionals have experienced data loss from a cloud service more than once.
It’s time to build a security-first model
To address increasing data security concerns and trust issues, cloud service providers and IT teams need to work together to build a security-first culture. This includes hiring, training, and retaining skilled IT security professionals, and constantly improving processes and technologies to help mitigate threats in an increasingly expanding digital world.
- 69 percent of organizations report their CISO reactively responds and gets involved in public cloud projects only after a cybersecurity incident has occurred.
- 73 percent of organizations have or plan to hire a CISO with more cloud security skills; over half of organizations (53 percent) have added a brand new role called the Business Information Security Officer (BISO) to collaborate with the CISO and help integrate security culture into the business.
- 88 percent of IT professionals feel that within the next three years, the majority of their cloud will use intelligent and automated patching and updating to improve security.
- 87 percent of IT professionals see AI/ML capabilities as a “must-have” for new security purchases in order to better protect against things like fraud, malware and misconfigurations.
“The lift-and-shift of critical information to the cloud over the last couple of years has shown great promise, but the patchwork of security tools and processes has led to a steady cadence of costly misconfigurations and data leaks. Positive progress is being made, though,” said Steve Daheb, Senior Vice President, Oracle Cloud.
“Adopting tools that leverage intelligent automation to help close the skills gap are on the IT spend roadmap for the immediate future and the C-level is methodically unifying the different lines of business with a security-first culture in mind.”
“In response to the current challenging environment, companies have accelerated the movement of workloads, and associated sensitive data, to the cloud to support a new way of working, and to help optimize cost models. This is exposing existing vulnerabilities and creating new risks,” said Tony Buffomante, Global Co-Leader and U.S. Leader of KPMG’s Cyber Security Services.
“To be able to manage that increased threat level in this new reality, it is essential that CISOs build security into the design of cloud migration and implementation strategies, staying in regular communication with the business.”
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to patch a slew of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals.
“Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available,” the agency noted.
“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.”
The most often exploited CVE-numbered vulnerabilities
The list of the ten most often exploited flaws between 2016 and 2019 includes seven affecting Microsoft offerings (Office, Windows, SharePoint, .NET Framework), one affecting Apache Struts, one Adobe Flash Player, and one Drupal.
They are as follows:
IT security professionals are advised to use this list alongside a similar one recently compiled by Recorded Future, which focuses on the ten most exploited vulnerabilities by cybercriminals in 2019.
In addition to all these flaws, CISA points to several others that have been under heavy exploitation in 2020:
Additional warnings and help
CISA has also warned organizations to check for oversights in their Microsoft O365 security configurations, to implement these recommendations, and to start fixing organizational cybersecurity weaknesses they might have.
“March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365. Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack,” they noted.
Organizations can apply for CISA’s help in scanning internet-facing systems and web applications for vulnerabilities and misconfigurations – the agency offers free scanning and testing services (more info in the alert).
As most companies make the rapid shift to work-from-home to stem the spread of COVID-19, a significant percentage of IT and cloud professionals are concerned about maintaining the security of their cloud environments during the transition, according to a survey conducted by Fugue.
The survey found that 96% of cloud engineering teams are now 100% distributed and working from home in response to the crisis, with 83% having completed the transition or in the process of doing so.
Of those that are making the shift, 84% are concerned about new security vulnerabilities created during the swift adoption of new access policies, networks, and devices used for managing cloud infrastructure remotely.
“What our survey reveals is that cloud misconfiguration not only remains the number one cause of data breaches in the cloud, the rapid global shift to 100% distributed teams is creating new risks for organizations and opportunities for malicious actors,” said Phillip Merrick, CEO of Fugue.
“Knowing your cloud infrastructure is secure at all times is already a major challenge for even the most sophisticated cloud customers, and the current crisis is compounding the problem.”
84% are concerned they’ve already been hacked and don’t know it
Because cloud misconfiguration exploits can be so difficult to detect using traditional security analysis tools, even after the fact, 84% of IT professionals are concerned that their organization has already suffered a major cloud breach that they have yet to discover (39.7% highly concerned; 44.3% somewhat concerned). 28% state that they’ve already suffered a critical cloud data breach that they are aware of.
In addition, 92% are worried that their organization is vulnerable to a major cloud misconfiguration-related data breach (47.3% highly concerned; 44.3% somewhat concerned).
Over the next year, 33% believe cloud misconfigurations will increase and 43% believe the rate of misconfiguration will stay the same. Only 24% believe cloud misconfigurations will decrease at their organization.
Causes of cloud misconfiguration: Lack of awareness, controls, and oversight
Preventing cloud misconfiguration remains a significant challenge for cloud engineering and security teams. Every team operating on cloud has a misconfiguration problem, with 73% citing more than 10 incidents per day, 36% experiencing more than 100 per day, and 10% suffering more than 500 per day. 3% had no idea what their misconfiguration rate is.
The top causes of cloud misconfiguration cited are a lack of awareness of cloud security and policies (52%), a lack of adequate controls and oversight (49%), too many cloud APIs and interfaces to adequately govern (43%), and negligent insider behavior (32%).
Only 31% of teams are using open source policy-as-code tooling to prevent misconfiguration from happening, while 39% still rely on manual reviews before deployment.
Respondents cited a number of critical misconfiguration events they’ve suffered, including object storage breaches (32%), unauthorized traffic to a virtual server instance (28%), unauthorized access to database services (24%), overly-broad Identity and Access Management permissions (24%), unauthorized user logins (24%), and unauthorized API calls (25%).
Cloud misconfiguration was also cited as the cause of system downtime events (39%) and compliance violation events (34%).
73% still rely on manual processes
While malicious actors use automation tools to scan the internet to find cloud misconfigurations within minutes of their inception, most cloud teams still rely on slow, manual processes to address the problem.
73% use manual remediation once alerting or log analysis tools identify potential issues, and only 39% have put some automated remediation in place. 40% of cloud teams conduct manual audits of cloud environments to identify misconfiguration.
A reliance on manual approaches to managing cloud misconfiguration creates new problems, including human error in missing or miscategorizing critical misconfigurations (46%) and when remediating them (45%).
43% cite difficulties in training team members to correctly identify and remediate misconfiguration, and 39% face challenges in hiring enough cloud security experts. Issues such as false positives (31%) and alert fatigue (27%) were also listed as problems teams have encountered.
The metric for measuring the effectiveness of cloud misconfiguration management is Mean Time to Remediation (MTTR), and 55% think their ideal MTTR should be under one hour, with 20% saying it should be under 15 minutes.
However, 33% cited an actual MTTR of up to one day, and 15% said their MTTR is between one day and one week. 3% said their MTTR is longer than one week.
Managing cloud misconfiguration is costly
With cloud misconfiguration rates at such high levels and a widespread reliance on manual processes to manage it, the costs are predictably high for cloud customers. 49% of cloud engineering and security teams are devoting more than 50 man hours per week managing cloud misconfiguration, with 20% investing more than 100 hours on the problem.
When asked what they need to more effectively and efficiently manage cloud misconfiguration, 95% said tooling to automatically detect and remediate misconfiguration events would be valuable (72% very valuable; 23% somewhat valuable).
Others cited the need for better visibility into cloud infrastructure (30%), timely notifications on dangerous changes (i.e., “drift”) and misconfiguration (28%), and improved reporting to help prioritize remediation efforts (8%).
What is cloud misconfiguration?
Cloud security is about preventing the misconfiguration of cloud resources such as virtual servers, networks, and Identity and Access Management (IAM) services. Malicious actors exploit cloud misconfiguration to gain access to cloud environments, discover resources, and extract data.
The National Security Agency states that “misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services.”
With the cloud, there’s no perimeter that can be defended, exploits typically don’t traverse traditional networks, and legacy security tools generally aren’t effective. Because developers continuously build and modify their cloud infrastructure, the attack surface is highly fluid and expanding rapidly. Organizations widely recognized as cloud security leaders can fall victim to their own cloud misconfiguration mistakes.
With the Shared Responsibility Model, cloud providers such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform are responsible for the “security of the cloud,” and the customer is responsible for the “security in the cloud.”
While cloud providers can educate and alert their customers about potentially risky misconfigurations and good security practices, they can’t prevent their customers from making misconfiguration mistakes.
Human error and complex cloud deployments open the door to a wide range of cyber threats, according to Trend Micro.
Cloud security issues
Gartner predicts that by 2021, over 75% of midsize and large organizations will have adopted multi-cloud or hybrid IT strategy. As cloud platforms become more prevalent, IT and DevOps teams face additional concerns and uncertainties related to securing their cloud instances.
This report reaffirms that misconfigurations are the primary cause of cloud security issues. In fact, 230 million misconfigurations are identified on average each day, proving this risk is prevalent and widespread.
“Cloud-based operations have become the rule rather than the exception, and cybercriminals have adapted to capitalize on misconfigured or mismanaged cloud environments,” said Greg Young, vice president of cybersecurity for Trend Micro.
“We believe migrating to the cloud can be the best way to fix security problems by redefining the corporate IT perimeter and endpoints. However, that can only happen if organizations follow the shared responsibility model for cloud security.”
Criminals capitalizing on misconfigurations
The research found threats and security weaknesses in several key areas of cloud-based computing, which can put credentials and company secrets at risk. Criminals capitalizing on misconfigurations have targeted companies with ransomware, cryptomining, e-skimming and data exfiltration.
Misleading online tutorials compounded the risk for some businesses leading to mismanaged cloud credentials and certificates. IT teams can take advantage of cloud native tools to help mitigate these risks, but they should not rely solely on these tools, the report concludes.
Best practices to help secure cloud deployments
- Employ least privilege controls: Restrict access to only those who need it.
- Understand the Shared Responsibility Model: Although cloud providers have built-in security, customers are responsible for securing their own data.
- Monitor for misconfigured and exposed systems: Appropriate tools can quickly and easily identify misconfigurations in your cloud environments.
- Integrate security into DevOps culture: Security should be built into the DevOps process from the start.
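A policy-as-code check that covers the first three practices above (least-privilege IAM grants, the customer's side of the shared responsibility model, and detection of exposed storage), added here as an example that is not from the Trend Micro report or any other source on this page. The bucket and IAM documents are constructed samples shaped like what the boto3 `get_bucket_acl`, `get_public_access_block` and `get_bucket_policy` calls return, and the severity labels are my own.

```python
"""Policy-as-code checks for the misconfiguration classes this page discusses. Added example,
not code from any report quoted here; the bucket and IAM documents below are constructed samples
shaped like the boto3 get_bucket_acl / get_public_access_block / get_bucket_policy results."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # the anonymous-everyone ACL grantee
WRITE_ACL = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):  # Principal "*" or {"AWS": "*"}: anonymous / any account
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return principal == "*"

def check_bucket(bucket):
    """(severity, message) findings for one bucket. Block Public Access flags that neutralise
    public ACLs (IgnorePublicAcls) or public policies (RestrictPublicBuckets) are honoured."""
    findings = []
    pab = bucket.get("PublicAccessBlock") or {}
    if not pab.get("IgnorePublicAcls"):
        for grant in bucket.get("Acl", {}).get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI", "")
            if uri == ALL_USERS or uri.endswith("/AuthenticatedUsers"):
                # public WRITE lets anyone on the Internet replace hosted content, not just read it
                sev = "CRITICAL" if grant["Permission"] in WRITE_ACL else "HIGH"
                findings.append((sev, f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}"))
    policy = bucket.get("Policy")
    if policy and not pab.get("RestrictPublicBuckets"):
        doc = policy if isinstance(policy, dict) else json.loads(policy)
        for stmt in _as_list(doc["Statement"]):
            if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
                continue
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            if stmt.get("Condition"):  # scoped (e.g. aws:SourceVpce): needs review, not an auto-fail
                findings.append(("MEDIUM", f"policy allows {actions} to Principal * under a Condition"))
                continue
            writes = any(a.split(":")[-1].startswith(("put", "delete", "*")) for a in actions)
            findings.append(("CRITICAL" if writes else "HIGH", f"policy allows {actions} to Principal *"))
    return findings

def check_iam_policy(name, document):
    """Over-privileged grants: full admin (Action * on Resource *) and service wildcards like s3:*."""
    findings = []
    for stmt in _as_list(document["Statement"]):
        if stmt.get("Effect") == "Allow":
            actions, resources = _as_list(stmt.get("Action", [])), _as_list(stmt.get("Resource", []))
            if "*" in actions and "*" in resources:
                findings.append(("CRITICAL", f"{name}: Allow * on * (full admin)"))
            elif any(a.endswith(":*") for a in actions):
                findings.append(("HIGH", f"{name}: service-wide wildcard in {actions}"))
    return findings

# Constructed inventory: a CDN bucket left world-readable and world-writable with no Block Public
# Access, a bucket whose public policy RestrictPublicBuckets neutralises, and a role granted */*.
SAMPLE_BUCKETS = [
    {"Name": "example-cdn-assets", "PublicAccessBlock": {}, "Policy": None,
     "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
                        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}},
    {"Name": "example-private-data",
     "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                           "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
     "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::example-private-data/*"}]}},
]
SAMPLE_IAM = {"deploy-role-policy": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}

def scan(buckets=SAMPLE_BUCKETS, iam_policies=SAMPLE_IAM):
    findings = [(sev, f"s3://{b['Name']}: {msg}") for b in buckets for sev, msg in check_bucket(b)]
    for name, doc in iam_policies.items():
        findings += check_iam_policy(name, doc)
    return findings
```

Running `scan()` on the sample inventory reports the public READ and WRITE grants on the CDN bucket and the full-admin role, and nothing for the hardened bucket, because its public policy is made ineffective by RestrictPublicBuckets.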
Less than 50 percent of organizations can patch vulnerable systems swiftly enough to protect against critical threats and zero-day attacks, and 81 percent have suffered at least one data breach in the last two years, according to Automox.
The research surveyed 560 IT operations and security professionals at enterprises with between 500 and 25,000 employees, across more than 15 industries to benchmark the state of endpoint patching and hardening.
While most enterprises want to prioritize patching and endpoint hardening, they are inhibited by the pace of digital transformation and modern workforce evolution, citing difficulty in patching systems belonging to mobile employees and remote offices, inefficient patch testing, lack of visibility into endpoints, and insufficient staffing in SecOps and IT operations to successfully do so.
Missing patches and configurations are at the center of data breaches
The report confirmed that four out of five organizations have suffered at least one data breach in the last two years. When asked about the root causes, respondents placed phishing attacks (36%) at the top of the list, followed by:
- Missing operating systems patches (30%)
- Missing application patches (28%)
- Operating system misconfigurations (27%)
With missing patches and configurations cited more frequently than such high-profile issues as insider threats (26%), credential theft (22%), and brute force attacks (17%), three of the four most common issues can be addressed simply with better cyber hygiene.
Enterprises should patch within 24 hours
When critical vulnerabilities are discovered, cybercriminals can typically weaponize them within seven days. To ensure protection from the attacks that inevitably follow, security experts recommend that enterprises patch and harden all vulnerable systems within 72 hours.
Zero-day attacks, which emerge with no warning, pose an even greater challenge, and enterprises should aim to patch and harden vulnerable systems within 24 hours. Currently:
- Less than 50% of enterprises can meet the 72-hour standard and only about 20% can match the 24-hour threshold for zero-days.
- 59 percent agree that zero-day threats are a major issue for their organization because their processes and tools do not enable them to respond quickly enough.
- Only 39% strongly agree that their organizations can respond fast enough to critical and high severity vulnerabilities to remediate successfully.
- 15 percent of systems remained unpatched after 30 days.
- Almost 60% harden desktops, laptops and servers only monthly or annually, which is an invitation to adversaries.
With cyber hygiene, endpoints need to be scanned and assessed on a regular basis, and if problems are found, promptly patched or reconfigured. Automation dramatically speeds up cyber hygiene processes by enabling IT operations and SecOps staff to patch and harden more systems with less effort, while reducing the amount of system and application downtime needed for patching and hardening. Organizations that have fully automated endpoint patching and hardening are outperforming others in basic cyber hygiene tasks.
The modern workforce presents a cyber hygiene dilemma
Survey respondents are more confident in their ability to maintain cyber hygiene for on-premises computers and servers than for remote and mobile systems such as servers on Infrastructure as a Service (IaaS) cloud platforms, mobile devices (smartphones and tablets), and computers at remote locations. In fact, they rated their ability to maintain cyber hygiene for Bring Your Own Device (BYOD) lowest of all IT components.
These patterns can be explained by the fact that most existing patch management tools don’t work well with cloud-based endpoints, and that virtual systems are very dynamic and therefore harder to monitor and protect than physical ones.
“Phishing has and will continue to be an issue for many organizations. As the Automox Cyber Hygiene Index highlights, 36% of data breaches involved phishing as the initial access technique used by attackers. Detecting phishing is extremely difficult, but giving your users the ability to report suspicious messages along with proper training goes a long way. You want your users to be part of your security team, and enabling them to report suspicious messages is one step towards this goal,” Josh Rickard, Swimlane Research Engineer, told Help Net Security.
“The combination of robust filtering and user enablement can drastically help with the detection of phishing attacks, but once they have been reported, you need automation to process and respond to them. More importantly, you need a platform that can automate and orchestrate across multiple tools and services. Using security, orchestration, automation and response (SOAR) for phishing alerts enables security teams to automatically process reported messages, make a determination based on multiple intelligence services/tools, respond by removing a message from a (or all) users’ mailboxes, and even search for additional messages with similar attributes throughout the organization. Having the ability to automate and orchestrate this response is critical for security teams and enables them to put their focus on other higher-value security-related issues,” Rickard concluded.
Nearly 33.4 billion records were exposed in breaches due to cloud misconfigurations in 2018 and 2019, amounting to nearly $5 trillion in costs to enterprises globally, according to DivvyCloud research.
Companies failing to adopt a holistic approach to security
Year over year from 2018 to 2019, the number of records exposed by cloud misconfigurations rose by 80%, as did the total cost to companies associated with those lost records. Unfortunately, experts expect this upward trend to persist, as companies continue to adopt cloud services rapidly but fail to implement proper cloud security measures.
“The rush to adopt cloud services has created new opportunities for attackers – and attackers are evolving faster than companies can protect themselves. The fact that we have seen a 42% increase from 2018 to 2019 in cloud-related breaches attributed to misconfiguration issues proves that attackers are leveraging the opportunity to exploit cloud environments that are not sufficiently hardened. This trend is expected to continue as more organizations move to the cloud,” Charles “C.J.” Spallitta, Chief Product Officer at eSentire, told Help Net Security.
“Additionally, common misconfiguration errors that occur in cloud components expand and advance the attacker workflow. Real-time threat monitoring in cloud assets is critical, given the unprecedented rate of scale and nature of cloud services. Organizations should seek-out security services that distill the noise from on-premise and cloud-based security tools while providing broad visibility to enable rapid response when threats are found,” Spallitta concluded.
Key report findings
- 81 breaches in 2018; 115 in 2019 – a 42% increase
- Tech companies had the most data breaches at 41%, followed by healthcare at 20%, and government at 10%; hospitality, finance, retail, education, and business services all came in at under 10% each
- 68% of the affected companies were founded prior to 2010, while only 6.6% were founded in 2015 or later
- 73 (nearly 42%) of known affected companies experienced a merger or acquisition (M&A) transaction between 2015 and 2019, which indicates cloud security is an area of risk for companies involved in merging disparate IT environments
- Elasticsearch misconfigurations accounted for 20% of all breaches, but these incidents accounted for 44% of all records exposed
- The number of breaches caused by Elasticsearch misconfigurations nearly tripled from 2018 to 2019
- S3 bucket misconfigurations accounted for 16% of all breaches, however, there were 45% fewer misconfigured S3 servers in 2019 compared to 2018
- MongoDB misconfigurations accounted for 12% of all incidents, and the number of misconfigured MongoDB instances nearly doubled YoY
Enterprises are slow to abandon manual processes despite being short staffed, and the lack of automation, coupled with increasing network complexity and lack of visibility, contributes to costly misconfigurations and increased risk, a FireMon report reveals. The report features feedback from nearly 600 respondents, including 20% from the executive ranks, detailing ongoing firewall operations in the spectrum of digital transformation initiatives. “In an age of increasing data breaches caused by human error, it is … More
The post Network complexity and lack of visibility contribute to misconfigurations and increased risk appeared first on Help Net Security.