Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

2/22/2021
10:10 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Evolving Risks, Insecure Defaults, Watering Hole Threats: New Research From Accurics Uncovers Developing Sources of Cloud Risk

Pleasanton, CA, February 22, 2021 – Accurics, the cloud cyber resilience specialist, today unveiled its latest research, “Accurics Cloud Cyber Resilience Report,” which highlights security risks identified in cloud native environments. The findings reveal an increased adoption of managed infrastructure services and the emergence of new cloud watering hole attacks. Of all violations identified, 23 percent correspond to poorly configured managed service offerings – largely the result of default security profiles or configurations that offer excessive permissions.

As demonstrated by a recent high-profile hack, attackers increasingly strive to leverage weaknesses that enable them to deliver malware to end users, gain unauthorized access to production environments or their data, or completely compromise a target environment. This strategy is known as a watering hole attack, and Accurics researchers have seen them emerge in cloud environments where they can cause even more damage. This is partly because development processes in the cloud that leverage managed services are not hidden inside the organization as they are in on-premise environments – in fact, they’re largely exposed to the world. When criminals are able to exploit misconfigurations in development pipelines, it can spell disaster not only for the company but also its customers. To address this risk, enterprises should assume the entire development process is easily accessible, and restrict access to only the users who need it.

“Cloud native apps and services are more vital than ever before, and any risk in the infrastructure has critical implications,” said Accurics Co-founder, CTO & CISO Om Moolchandani. “Our research indicates that teams are rapidly adopting managed services, which certainly increase productivity and maintain development velocity. However, these teams unfortunately aren’t keeping up with the associated risks – we see a reliance on using default security profiles and configurations, along with excessive permissions. Messaging services and FaaS are also entering a perilous phase of adoption, just as storage buckets experienced a few years ago. If history is any guide, we’ll start seeing more breaches through insecure configurations around these services.”

On average, the research reveals that the mean time to remediate issues (MTTR) for violations is 25 days across all environments – a luxury for potential attackers. In this report, MTTR is particularly important as it pertains to drift – when configuration changes occur in runtime, causing cloud risk posture to drift from established secure baselines. For drifts from established secure infrastructure postures, the MTTR is 8 days overall.

Even organizations that establish a secure baseline when infrastructure is provisioned will experience drift over time, as happened in another well-publicized breach. While in this case the AWS S3 bucket was configured correctly at the time it was added to the environment in 2015, a configuration change made five months later to fix a problem was not properly reset once the work was complete. This drift went undetected and unaddressed until it was exploited nearly five years later.

The Accurics report also finds that:

  • Kubernetes users who try to implement role-based access controls (RBAC) often fail to define roles at the proper granularity. This increases credential reuse and the chance of misuse – in fact, 35% of the organizations evaluated struggle with this problem.
  • In Helm charts, 48% of problems came about through insecure defaults. Improper use of the default namespace – where system components run – was the most common mistake, which could give attackers access to the system components or secrets.
  • Identity and Access Management defined through Infrastructure as code (IaC) in production environments was seen for the first time, and more than a third (35%) of the IAM drifts detected in this report originate in IaC. This indicates a rapid adoption of IAM as Code, which could lead to risk of misconfigured roles.
  • Hardcoded secrets represent almost 10% of violations identified; 23% correspond to poorly configured managed services offerings.
  • Of the organizations tested, 10% actually pay for advanced security capabilities that are never enabled.
  • While the average time to fix infrastructure misconfigurations was about 25 days, the most critical portions of the infrastructure often take the most time to fix – for example, load-balancing services take an average of 149 days to remedy. Since all user-facing data flows through these resources, they should ideally be fixed the fastest, not the slowest.

Protecting cloud infrastructure requires a fundamentally new approach that embeds security earlier in the development lifecycle and maintains a secure posture throughout. The cloud infrastructure must be continuously monitored in runtime for configuration changes and assessed for risk. In situations where configuration change introduces a risk, the cloud infrastructure must be redeployed based on the secure baseline; this will ensure that any risky changes made accidentally or maliciously are automatically overwritten. With new attacks emerging and ongoing risks continuing to plague organizations, cloud cyber resilience is now more important than ever, and configuration hygiene is critical.

Download a copy of the Accurics Cloud Cyber Resilience Report at http://bit.ly/cloudcyber.

About Accurics

At Accurics™, we envision a world where organizations can innovate in the cloud with confidence. Our mission is to enable cyber resilience through self-healing as organizations embrace cloud native infrastructure. The Accurics platform self-heals cloud native infrastructure by codifying security throughout the development lifecycle. It programmatically detects and resolves risks across Infrastructure as Code before infrastructure is provisioned, and maintains the secure posture in runtime by programmatically mitigating risks from changes. Accurics enables organizations of all sizes to achieve cloud cyber resilience through free cloud-based and open source tools such as Terrascan™.

 

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27618
PUBLISHED: 2021-02-26
The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denia...
CVE-2020-36079
PUBLISHED: 2021-02-26
Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. The attacker must navigate to the uploader plugin, check the elFinder box, and then drag and drop files into the Files(elFinder) portion of the UI. This can, for example, place a .php file in...
CVE-2021-27198
PUBLISHED: 2021-02-26
An issue was discovered in Visualware MyConnection Server through 11.0b build 5382. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installa...
CVE-2021-27803
PUBLISHED: 2021-02-26
A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.
CVE-2021-26562
PUBLISHED: 2021-02-26
Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.