Global Cloud Migration: Security Lessons Not Being Learned
Risky Behavior: Just 5% of Security Rules Trigger 80% of All Alerts, Study Finds
Attackers on average have been enjoying slightly more than six days to exploit an unmitigated vulnerability before security teams resolve it, despite research continuing to demonstrate how hackers begin exploiting flaws within hours - or even minutes - of a new security alert being disclosed, researchers warned.
That time lag between a new vulnerability coming to light and when defenders lock it down is particularly problematic in the cloud, said Palo Alto's Unit 42 threat intelligence group. In particular, Unit 42 researchers have found that threat actors are becoming more adept at exploiting not just unpatched vulnerabilities, but also more common, everyday issues such as weak credentials and lack of authentication.
Projections from Gartner estimate worldwide end-user spending on cloud computing will grow to $592 billion this year.
Even so, analysis from Unit 42 suggests important lessons about security aren't being learned, remembered and applied. According to its analysis of workloads in 210,000 cloud accounts across 1,300 organizations, three-quarters of organizations don't enforce multifactor authentication for console users. Researchers found sensitive data in 63% of publicly exposed buckets.
Another finding from the report: Just 5% of security rules trigger 80% of the alerts. "In other words, every organization has a small set of risky behaviors that are repeatedly observed in their cloud workloads," Palo Alto wrote.
Researchers attribute some of that recurrence to IT and security teams' repeated reliance on ready-to-use templates and default configurations, through which basic errors or problems are compounded. "Most organizations repeatedly make the same mistakes, such as unrestricted firewall policies, exposed databases and unenforced MFA, all of which likely originate from an isolated number of engineers and IaC templates," the report says, referring to infrastructure as code.
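The "5% of rules, 80% of alerts" figure is a Pareto concentration that any team can compute from its own alert export, and the spread of each top rule across accounts is a quick way to tell a shared-template problem from an isolated one. The following script is an added example, not code from Unit 42 or the article; the rule names, accounts and alert counts are constructed sample data.

```python
"""Pareto analysis of cloud security alerts by the rule that fired them.

Added example (not from the Unit 42 report or the article). Given alert
records of the form (rule_id, cloud_account), find the smallest set of rules
that accounts for a target share of total alert volume, and show in how many
accounts each of those rules fires. All data below is constructed.
"""
from collections import Counter, defaultdict
from itertools import cycle

# Constructed sample accounts and per-rule alert counts.
ACCOUNTS = ["acct-prod", "acct-staging", "acct-dev"]
SAMPLE_RULE_COUNTS = {
    "unrestricted-ingress-0.0.0.0/0": 120,
    "console-user-without-mfa": 60,
    "public-storage-bucket": 30,
    "db-exposed-to-internet": 8,
    "root-access-key-active": 5,
    "unused-iam-role": 4,
    "storage-logging-disabled": 3,
    "stale-access-key": 2,
    "no-vpc-flow-logs": 2,
    "kms-rotation-off": 1,
}


def build_sample_alerts():
    """Expand the counts into (rule_id, account) records, spreading each
    rule's alerts round-robin across the sample accounts."""
    alerts = []
    for rule, n in SAMPLE_RULE_COUNTS.items():
        accounts = cycle(ACCOUNTS)
        alerts.extend((rule, next(accounts)) for _ in range(n))
    return alerts


SAMPLE_ALERTS = build_sample_alerts()


def rules_covering(alerts, share=0.80):
    """Return (top_rules, fraction_of_rules, fraction_of_alerts).

    top_rules is the shortest prefix of rules, in descending frequency, whose
    combined alert count reaches `share` of all alerts.
    """
    if not alerts:
        return [], 0.0, 0.0
    counts = Counter(rule for rule, _ in alerts)
    total = sum(counts.values())
    top, covered = [], 0
    for rule, n in counts.most_common():
        top.append(rule)
        covered += n
        if covered >= share * total:
            break
    return top, len(top) / len(counts), covered / total


def accounts_per_rule(alerts):
    """Map each rule to the set of accounts in which it has fired."""
    seen = defaultdict(set)
    for rule, account in alerts:
        seen[rule].add(account)
    return seen


def summarize(alerts, share=0.80):
    """Pareto cut plus the account spread of each top rule, as one dict."""
    top, rule_frac, alert_frac = rules_covering(alerts, share)
    spread = accounts_per_rule(alerts)
    return {
        "top_rules": top,
        "rule_fraction": rule_frac,
        "alert_fraction": alert_frac,
        "accounts_per_top_rule": {r: sorted(spread[r]) for r in top},
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_ALERTS)
    print(f"{result['rule_fraction']:.0%} of rules produce "
          f"{result['alert_fraction']:.0%} of alerts")
    for rule, accts in result["accounts_per_top_rule"].items():
        print(f"  {rule}: fires in {len(accts)} account(s)")
```

Run against a real export by replacing SAMPLE_ALERTS with (rule, account) pairs from the SIEM or CSPM; a top rule that fires in every account is the signature of a shared template or default, which is where fixing the source pays off most.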
Unpatched vulnerabilities give attackers a straightforward route to initial access in a victim organization's internal IT environment. Nearly two-thirds of codebases in production have unpatched vulnerabilities rated high or critical in severity, which can allow attackers to remotely execute malicious code of their choosing in the environment.
"New vulnerabilities can crop up at any time, and a single vulnerability can be propagated to multitudes of cloud workloads due to software dependency," Unit 42's report says. "This underscores the fact that no matter how secure the underlying cloud infrastructure is, vulnerable applications in the cloud open up potential attack vectors."
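The propagation the report describes is a graph question: which workloads reach the vulnerable package through their dependency chains, and how long each stayed exposed between disclosure and remediation. The script below is an added example, not code from Unit 42 or the article; the package names, dependency edges, workloads and dates are constructed sample data, and the six-day threshold is the article's figure used as a reporting cutoff.

```python
"""Trace one vulnerable package to the cloud workloads it reaches through
software dependencies, and measure each workload's exposure window.

Added example, not from the Unit 42 report or the article. The dependency
graph, workloads and dates are constructed sample data.
"""
from collections import defaultdict, deque
from datetime import date

# Constructed dependency graph: package -> packages it depends on directly.
PACKAGE_DEPS = {
    "web-framework": {"http-parser", "template-engine"},
    "template-engine": {"html-escape"},
    "http-parser": set(),
    "html-escape": set(),
    "queue-client": {"http-parser"},
    "pdf-renderer": set(),
}

# Constructed workloads: name -> direct package dependencies.
WORKLOADS = {
    "storefront-api": {"web-framework"},
    "order-worker": {"queue-client"},
    "report-service": {"pdf-renderer"},
    "admin-portal": {"web-framework", "queue-client"},
}


def reverse_graph(deps):
    """Invert the graph: package -> packages that depend on it directly."""
    rev = defaultdict(set)
    for pkg, children in deps.items():
        for child in children:
            rev[child].add(pkg)
    return rev


def affected_packages(vulnerable, deps=PACKAGE_DEPS):
    """Every package that depends on `vulnerable`, directly or transitively,
    plus the vulnerable package itself (breadth-first over reverse edges)."""
    rev = reverse_graph(deps)
    seen, queue = {vulnerable}, deque([vulnerable])
    while queue:
        pkg = queue.popleft()
        for parent in rev[pkg]:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def affected_workloads(vulnerable, workloads=WORKLOADS, deps=PACKAGE_DEPS):
    """Workloads whose direct dependencies include any tainted package."""
    tainted = affected_packages(vulnerable, deps)
    return sorted(w for w, direct in workloads.items() if direct & tainted)


def exposure_days(disclosed, resolved_by_workload, today):
    """Days from disclosure to remediation per workload; a workload whose
    resolution date is None is still open and counts up to `today`."""
    return {
        w: ((resolved or today) - disclosed).days
        for w, resolved in resolved_by_workload.items()
    }


def over_threshold(exposure, days=6):
    """Workloads exposed for more than `days` (article's six-day average)."""
    return sorted(w for w, d in exposure.items() if d > days)


if __name__ == "__main__":
    hit = affected_workloads("http-parser")
    print("workloads reached by http-parser:", hit)
    # Constructed remediation dates for the affected workloads.
    resolved = {"storefront-api": date(2023, 3, 7),
                "order-worker": None,
                "admin-portal": date(2023, 3, 3)}
    exp = exposure_days(date(2023, 3, 1), resolved, today=date(2023, 3, 15))
    print("exposure days:", exp)
    print("beyond six days:", over_threshold(exp))
```

Feeding the same functions an SBOM-derived dependency map shows why patching a single shared library is the high-leverage move: one low-level package here reaches three of four workloads, two of them through a framework they never imported directly.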