Cloud

4/4/2018
04:53 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Misconfigured Clouds Compromise 424% More Records in 2017

Cybercriminals are increasingly aware of misconfigured systems and they're taking advantage, report IBM X-Force researchers.

Insider mistakes like networked backup incidents and misconfigured cloud servers caused nearly 70% of all compromised records in 2017, according to new data from IBM X-Force. These types of incidents affected 424% more records last year than the year prior, they report.

It wasn't all bad news from the IBM X-Force Threat Intelligence Index, which pulls insights on data from millions of endpoints across hundreds of countries. Researchers found 2.9 billion records were reported breached, nearly 25% less than the 4B reported in 2016. Frequently targeted industries saw a decline in attacks (18%) and security incidents (22%) since 2016, a drop that can be primarily attributed to a decline in Shellshock attacks throughout 2017.

Hackers aren't slowing down but they are changing their strategies, researchers say, swapping data breaches for ransomware. Instead of compromising large amounts of data, they decided it was more lucrative to lock down data access and demand ransom in return.

"Attackers are pretty much following the money," says Paul Griswold, director of strategy and product management at IBM X-Force. The shift to ransomware "wasn't super surprising," he says, since ransomware can be more profitable than stealing data. This idea extends to attacks like WannaCry and NotPetya, where the goal was seemingly destruction, not financial gain.

"Chances are, those guys were being paid by somebody," says Griswold of these attacks. While they didn't profit from the ransomware directly, he anticipates the threat actors didn't launch global ransomware campaigns "just for fun." They still earned money for the attacks.

The most common class of attack vector between 2016-2017 was injection attacks, which accounted for 79% of malicious activty on enterprise networks - nearly double what it was last year. Researchers say the reason injection attacks increased is because both botnet-based command injection local file inclusion attacks and command injection attacks used embedded coin-mining tools.

Still Foggy on Cloud Configuration

Businesses struggle to properly configure cloud servers, and cybercriminals know it. Inadvertent mistakes are costing companies big-time as attackers discover and target misconfigured cloud environments, IBM researchers report, and poorly configured systems were responsible for exposing more than 2 billion records that X-Force tracked in 2017.

Cloud misconfigurations are split into three categories: misconfigured cloud databases, which caused 566.4M breached records, publicly accessible cloud storage (345.8M), and improperly secured rsync backups or open Internet-connected network area storage devices (393.4M).

"I think this just goes to show the inexperience in doing that," says Griswold of moving to the cloud. "Chances are with on-prem, people understand how the data is stored and how the server is configured because they're the ones who did it … with cloud, it's a little bit different."

Several teams, DevOps and operations for example, put pressure on businesses to move to the cloud. "There's a whole bunch of desire to move things up to the cloud, and that's where things might be rushed," he says. "It's a learning curve, definitely."

Companies can better secure their cloud environments by involving the security teams as they move workloads to the cloud; it can't be limited to dev and IT. Because misconfigurations are often easy to detect, it helps to regularly conduct pentests and app code scans.

Low Grades for Incident Response

"When organizations got breached, we found a lot of times the response plans just weren't in place," says Griswold, explaining how the rise in ransomware highlighted companies' inability to cope with attacks.

An IBM Security study conducted last year found slow response times lead to more expensive attacks. Incidents that took longer than 30 days to contain cost $1M more than those contained in less than 30 days, an added incentive for businesses to shape their response strategies.

Many companies don't have any sort of incident response plan at all, and many of those who do have outdated plans and/or don't know how to execute on them. "Just because you have a plan in place doesn't mean you're going to know the ins and outs of it," says Griswold.

Researchers anticipate destructive ransomworms will continue to spread in 2018, as well as wide-spread vulnerabilities and sophisticated exploits targeting the public and private sectors. As they build incident response plans, Griswold urges businesses to ensure both technical controls and PR processes are in place, and have both PR and law firms on retainer.

"You need to think about those legal aspects," he cautions.  

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.