Cloud

4/4/2018
04:53 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Misconfigured Clouds Compromise 424% More Records in 2017

Cybercriminals are increasingly aware of misconfigured systems and they're taking advantage, report IBM X-Force researchers.

Insider mistakes like networked backup incidents and misconfigured cloud servers caused nearly 70% of all compromised records in 2017, according to new data from IBM X-Force. These types of incidents affected 424% more records last year than the year prior, they report.

It wasn't all bad news from the IBM X-Force Threat Intelligence Index, which pulls insights on data from millions of endpoints across hundreds of countries. Researchers found 2.9 billion records were reported breached, nearly 25% less than the 4B reported in 2016. Frequently targeted industries saw a decline in attacks (18%) and security incidents (22%) since 2016, a drop that can be primarily attributed to a decline in Shellshock attacks throughout 2017.

Hackers aren't slowing down but they are changing their strategies, researchers say, swapping data breaches for ransomware. Instead of compromising large amounts of data, they decided it was more lucrative to lock down data access and demand ransom in return.

"Attackers are pretty much following the money," says Paul Griswold, director of strategy and product management at IBM X-Force. The shift to ransomware "wasn't super surprising," he says, since ransomware can be more profitable than stealing data. This idea extends to attacks like WannaCry and NotPetya, where the goal was seemingly destruction, not financial gain.

"Chances are, those guys were being paid by somebody," says Griswold of these attacks. While they didn't profit from the ransomware directly, he anticipates the threat actors didn't launch global ransomware campaigns "just for fun." They still earned money for the attacks.

The most common class of attack vector between 2016-2017 was injection attacks, which accounted for 79% of malicious activty on enterprise networks - nearly double what it was last year. Researchers say the reason injection attacks increased is because both botnet-based command injection local file inclusion attacks and command injection attacks used embedded coin-mining tools.

Still Foggy on Cloud Configuration

Businesses struggle to properly configure cloud servers, and cybercriminals know it. Inadvertent mistakes are costing companies big-time as attackers discover and target misconfigured cloud environments, IBM researchers report, and poorly configured systems were responsible for exposing more than 2 billion records that X-Force tracked in 2017.

Cloud misconfigurations are split into three categories: misconfigured cloud databases, which caused 566.4M breached records, publicly accessible cloud storage (345.8M), and improperly secured rsync backups or open Internet-connected network area storage devices (393.4M).

"I think this just goes to show the inexperience in doing that," says Griswold of moving to the cloud. "Chances are with on-prem, people understand how the data is stored and how the server is configured because they're the ones who did it … with cloud, it's a little bit different."

Several teams, DevOps and operations for example, put pressure on businesses to move to the cloud. "There's a whole bunch of desire to move things up to the cloud, and that's where things might be rushed," he says. "It's a learning curve, definitely."

Companies can better secure their cloud environments by involving the security teams as they move workloads to the cloud; it can't be limited to dev and IT. Because misconfigurations are often easy to detect, it helps to regularly conduct pentests and app code scans.

Low Grades for Incident Response

"When organizations got breached, we found a lot of times the response plans just weren't in place," says Griswold, explaining how the rise in ransomware highlighted companies' inability to cope with attacks.

An IBM Security study conducted last year found slow response times lead to more expensive attacks. Incidents that took longer than 30 days to contain cost $1M more than those contained in less than 30 days, an added incentive for businesses to shape their response strategies.

Many companies don't have any sort of incident response plan at all, and many of those who do have outdated plans and/or don't know how to execute on them. "Just because you have a plan in place doesn't mean you're going to know the ins and outs of it," says Griswold.

Researchers anticipate destructive ransomworms will continue to spread in 2018, as well as wide-spread vulnerabilities and sophisticated exploits targeting the public and private sectors. As they build incident response plans, Griswold urges businesses to ensure both technical controls and PR processes are in place, and have both PR and law firms on retainer.

"You need to think about those legal aspects," he cautions.  

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
7 Free (or Cheap) Ways to Increase Your Cybersecurity Knowledge
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19326
PUBLISHED: 2018-11-17
Zyxel VMG1312-B10D devices before 5.13(AAXA.8)C0 allow ../ Directory Traversal, as demonstrated by reading /etc/passwd.
CVE-2018-19274
PUBLISHED: 2018-11-17
Passing an absolute path to a file_exists check in phpBB before 3.2.4 allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.
CVE-2018-19324
PUBLISHED: 2018-11-17
kimsQ Rb 2.3.0 allows XSS via the second input field to the /?r=home&mod=mypage&page=info URI.
CVE-2018-15769
PUBLISHED: 2018-11-16
RSA BSAFE Micro Edition Suite versions prior to 4.0.11 (in 4.0.x series) and versions prior to 4.1.6.2 (in 4.1.x series) contain a key management error issue. A malicious TLS server could potentially cause a Denial Of Service (DoS) on TLS clients during the handshake when a very large prime value is...
CVE-2018-18955
PUBLISHED: 2018-11-16
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resour...