How to Avoid a Cloud Misconfiguration-Caused Breach

It may not be a new source of threats, but it has emerged as one of the most widespread: Nine out of 10 organizations are vulnerable to cloud misconfiguration-linked breaches. These breaches cost enterprises $3.18 trillion a year with 21.2 billion records exposed. Keep in mind that these numbers are extremely conservative as 99% of all misconfigurations in the public cloud go unreported.

It doesn’t help that companies are failing to fix the misconfigurations in a timely manner as small and medium-sized businesses take, on average, 75 days to resolve them after they’re discovered, and larger enterprises take 88 days to do so. At least four out of five cloud production environments have “open to the internet” issues, which usually occur when an administrator misconfigures security settings, essentially exposing the environments—and the organizations using them—to the world.

So how should companies address these developments? Examine the most frequent cloud misconfigurations—which we’ve identified here based upon our experiences with customers—and then consider the following responses to them:

Unencrypted Disks and Assets

Unencrypted disks and assets account for the most common misconfigurations, as 83% of organizations encrypt, at best, just one-half of their sensitive data in the cloud. Some of our customers tell us, “There’s no critical data on these assets!” But how long will that last? That’s why we recommend the encryption of data at rest. This typically doesn’t bring significant additional costs, and it can make life much easier when infrastructure and regulations change in the future.

Insufficient Logging

Ninety-two percent of companies do not log access to cloud storage, which keeps security teams from conducting forensic analyses of incidents. The same percentage do not log access to cloud accounts beyond 90 days. We advise that teams implement comprehensive logging for cloud activity because it’s important to have the data to prove you are not compromised instead of solely using it to prove when you are. Security solutions have evolved well past network-only detection and are taking full advantage of data sourced from logs. To get a leg up on detection, take a hard look at what you are and aren’t logging.

Not only can logs help you identify threats, but they can also help in litigations. I worked on a forensic investigation several years back that involved business email compromise (BEC). In that instance, the attacker conducted a man-in-the-middle (MitM) attack to hijack an email thread, which led to changed bank account numbers for a wire transfer for a very large sum. Unfortunately, the smaller company that was to receive the wire transfer did not have sufficient logging enabled to prove they were not the one compromised. You can probably imagine how much of a headache this was for them.

An Abundance of Guest Users

Only one-fifth of businesses have a proactive workplace collaboration security strategy. However, more than 44% rely on guest accounts to enable external access to their team collaboration instances or allow their employees to use external collaboration apps to connect with partner organizations. Frankly, it’s amazing how long guest accounts tend to linger—to the point where they become forgotten. That’s an accumulation of risks waiting to be exploited. An aged account led to the Colonial Pipeline attack when the old, unused account’s password was leaked through a third-party compromise.

Security teams can take a few actions to get ahead of this:

  • Get inserted into the process—The security team should be made aware when these types of accounts are created
  • Make them auditable—Create ways to easily pull a list of these accounts and audit them on a defined cadence
  • Set guest accounts to expire—Where possible, set an expiration date for the account; make it policy that guest accounts expire and that guests must go through a renewal process

Overprivileged Users

Companies are granting excessive permissions; in fact, 91% of cloud accounts have permissions that have never been used at all. Nine out of ten users are not aware they have authorized extensive read-write permissions to third-party vendors. Overall, 44% of cloud user privileges involve misconfigured overprivileged user activity potentially leading to account takeovers and data exfiltration.

Clearly, the broader the access and privileges, the more potential for elevated and unnecessary risks. Adopting zero-trust can go a long way toward limiting access to resources that individuals do not need to access. Going beyond this, companies should also evaluate the least level of access users need in their role to be successful. In most cases, administrator-level access is typically not the answer.

Missing Multi-Factor Authentication (MFA)

Seven out of ten businesses do not use multifactor authentication for cloud access. This may be the last item mentioned, but it is by no means the least important. Every incident I’ve worked on involving an account compromise could have been prevented with the use of MFA. You may recall a code-hosting company called Code Spaces. If you haven’t, there’s a good reason for it. Code Spaces went out of business in 2014 as a result of an AWS console compromise. Their AWS administrator account was not configured with MFA and ended up being compromised; most of their data, backups, machine configurations and offsite backups were either partially or completely deleted, forcing them to close their doors. This is not a unique example. Most of these types of breaches do not result in a business shutting its doors but, instead, sensitive data walking through them. MFA should be a minimum standard for all your accounts.
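The five misconfiguration classes above (unencrypted assets, missing or short-lived logging, lingering guest accounts, never-used permissions, and accounts without MFA) can be checked on a defined cadence from an exported inventory. The following is an added example, not code from the author or from Alert Logic; the inventory shape and the sample accounts are constructed for illustration, and the 90-day thresholds are assumptions you would tune to your own policy.

```python
from datetime import date, timedelta

# Constructed sample inventory (assumed export format, not a real account).
TODAY = date(2023, 6, 1)
INVENTORY = {
    "volumes": [{"id": "vol-a", "encrypted": True}, {"id": "vol-b", "encrypted": False}],
    "storage_logging": {"access_logging": False, "retention_days": 30},
    "users": [
        {"name": "alice", "admin": True, "mfa": True, "guest": False, "created": "2022-01-10",
         "expires": None, "granted": ["s3:*", "ec2:*"], "used": ["s3:*"]},
        {"name": "vendor-guest", "admin": False, "mfa": False, "guest": True, "created": "2021-03-01",
         "expires": None, "granted": ["s3:GetObject"], "used": []},
        {"name": "bob", "admin": True, "mfa": False, "guest": False, "created": "2023-01-01",
         "expires": None, "granted": ["iam:*"], "used": ["iam:*"]},
    ],
}

def audit(inv, today=TODAY, guest_max_age_days=90, min_log_retention=90):
    """Return (severity, finding) tuples for each misconfiguration class in the post."""
    findings = []
    # 1. Encryption at rest: every disk/asset should be encrypted, regardless of current contents.
    for v in inv["volumes"]:
        if not v["encrypted"]:
            findings.append(("high", f"volume {v['id']} is not encrypted at rest"))
    # 2. Logging: storage access must be logged and kept long enough to support forensics.
    log = inv["storage_logging"]
    if not log["access_logging"]:
        findings.append(("high", "storage access logging is disabled"))
    if log["retention_days"] < min_log_retention:
        findings.append(("medium", f"log retention {log['retention_days']}d is below {min_log_retention}d"))
    for u in inv["users"]:
        created = date.fromisoformat(u["created"])
        # 3. Guest accounts: must carry an expiry and must not linger past the review window.
        if u["guest"]:
            if u["expires"] is None:
                findings.append(("medium", f"guest {u['name']} has no expiry date"))
            if today - created > timedelta(days=guest_max_age_days):
                findings.append(("medium", f"guest {u['name']} is older than {guest_max_age_days}d"))
        # 4. Least privilege: permissions granted but never exercised are candidates for removal.
        unused = sorted(set(u["granted"]) - set(u["used"]))
        if unused:
            findings.append(("medium", f"user {u['name']} has never-used permissions: {unused}"))
        # 5. MFA: missing on an administrator is the Code Spaces scenario, so rank it highest.
        if not u["mfa"]:
            findings.append(("critical" if u["admin"] else "high", f"user {u['name']} has no MFA"))
    return findings

if __name__ == "__main__":
    for severity, text in audit(INVENTORY):
        print(f"[{severity}] {text}")
```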

Ultimately, it’s important that organizations ensure that best practices are in place to manage their entire cloud infrastructure. Toward this goal, the Center for Internet Security (CIS) benchmarks lend guidance for the configuration of security options for Amazon Web Services, Google Cloud and Microsoft Azure, along with other cloud resources. The CIS benchmarks provide specific instructions for the effective implementation of identity and access management (IAM), MFA, logging, monitoring and additional critical processes and controls.

With this, security teams leverage greater visibility of their cloud environment and activity—including misconfigurations and resulting threats—so they better understand their exposure and take appropriate action.

Tom Gorup

Tom Gorup is Vice President of Security and Support Operations at Alert Logic and leads Alert Logic's global Security Operations Centers. Prior to joining Alert Logic, Tom served as co-founder and Director of Security Operations for Rook Security where he oversaw its Managed Detection and Response services and developed proprietary security operations management technologies for organizations ranging from fast-growing startups to Fortune 100 companies. Tom has been quoted in numerous industry journals and media outlets including The New York Times, Forbes, CNBC, Bloomberg, and Dark Reading. He has also been a featured speaker at (ISC)².
