According to a telemetry report that cloud security vendor Tenable compiled from its customers' environments, 74% of organizations have publicly exposed storage or other misconfigurations that give attackers an opening.
According to customer telemetry research released this week by Tenable, 38% of enterprises had at least one cloud workload in the first half of this year that was critically vulnerable, highly privileged, and publicly exposed at the same time.
The report calls this combination of three risk factors a "toxic cloud triangle": together they create a high-risk attack path and make such workloads a preferred target for bad actors.
The report further states that "more than a third of businesses are likely to be the subject of future headlines as a result."
Even a workload that carries only one or two of the three risk factors can have a significant impact on an organization's security, according to the study.
Jeremy Roberts, senior research director at Info-Tech Research Group, who was not involved in the study, said end-user businesses share responsibility for the problem.
"The cloud, like any other tool, is about how you use it," he says. "Many cloud security breaches are caused not by vendors but by poor management, like the 2019 Capital One security incident. Permissions should be reviewed regularly, zero trust principles should be applied, and security baselines should be standardized using centralized management, such as control towers."
Vulnerability issues
Overall, the study states that 74% of organizations have publicly exposed storage, some of which contains sensitive data, and that this exposure is usually the result of unnecessary or excessive permissions. As businesses accelerate their use of cloud-native applications, the amount of sensitive data they store in the cloud, including customer and employee information and commercial intellectual property, grows, and attackers target that data. Accordingly, many of the ransomware attacks on cloud storage during the reporting period focused on public cloud resources whose excessive access permissions could have been avoided.
Telemetry data on exposed storage shows that 39% of enterprises have public buckets, 29% have overprivileged public or private buckets, and 6% have buckets that are both public and overprivileged.
Storage is not the only problem, however: a worrying 84% of organizations have unused or long-standing access keys with critical- or high-severity excessive privileges. The research notes that such keys play a significant role in many identity-based attacks and data breaches, citing the MGM Resorts data breach, the Microsoft email hack, and the FBot malware that persisted and spread across AWS through IAM (Identity and Access Management) users.
"At the heart of IAM risk is the access key and the permissions assigned to it, which, when combined, is the equivalent of getting the 'key' to the data stored in the cloud," the study says.
In addition, 23% of cloud identities across the major cloud service providers (Amazon Web Services, Google Cloud Platform, and Microsoft Azure), human and non-human alike, have critical- or high-severity excessive permissions, which is a recipe for disaster.
According to Scott Young, principal advisor at Info-Tech Research Group, the situation is partly attributable to human nature.
"Granting a high percentage of critical permissions to human accounts reflects the human tendency to choose the path of least resistance; however, there is a reason for setting up that resistance," Young said. "Seeking less friction when using a system can have huge potential consequences when an account is breached."
The study also found that a whopping 78% of enterprises have publicly accessible Kubernetes API servers, and 41% of those also allow inbound internet access, which the study describes as "concerning." In addition, 58% of enterprises allow certain users unfettered control over their Kubernetes environment, and 44% run containers in privileged mode; both significantly increase security risk.
On top of these misconfigurations, which leave systems inherently exposed, more than 80% of workloads still carry unpatched critical CVEs. The report's example is CVE-2024-21626, a serious container escape vulnerability that remains unremediated in many environments even though patches are available.
Mitigations
Tenable proposes a range of mitigation strategies to help organizations reduce this risk.
Build a context-driven security culture: Consolidate identity, vulnerability, misconfiguration, and data risk information into a unified tool for accurate visualization, context, and prioritization. "Not all risks are created equal – identifying toxic combinations can significantly reduce risk."
Tightly manage Kubernetes/container access: Adhere to pod security standards, including restricting privileged containers and enforcing access controls. Restrict inbound access to the Kubernetes API server and ensure the kubelet configuration disables anonymous authentication. In addition, review every cluster-admin role binding to confirm that it is really necessary; if it is not, bind the user to a role with lower privileges.
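The checks in this item (privileged containers, cluster-admin bindings, kubelet anonymous auth) are easy to script against what `kubectl` already returns. The following is an added example, not code from Tenable or from the report; the cluster, namespaces, subjects and pod names in the embedded JSON are constructed to resemble `kubectl get clusterrolebindings -o json` and `kubectl get pods -A -o json` output, and the kubelet config is passed in as a plain dict (a hypothetical loader for `/var/lib/kubelet/config.yaml` is assumed).

```python
"""Audit Kubernetes RBAC bindings, privileged containers and kubelet anonymous auth.

Added example (not from the page or Tenable). Inputs are constructed JSON
shaped like kubectl output; no live cluster is contacted.
"""
import json

# Constructed: `kubectl get clusterrolebindings -o json` (hypothetical cluster).
CLUSTER_ROLE_BINDINGS = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "ci-deployer-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
    {"metadata": {"name": "dev-read"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]})

# Constructed: `kubectl get pods -A -o json` (hypothetical pods).
PODS = json.dumps({"items": [
    {"metadata": {"name": "web-7f9", "namespace": "shop"},
     "spec": {"containers": [{"name": "web", "securityContext": {"privileged": False}}]}},
    {"metadata": {"name": "node-agent-x1", "namespace": "monitoring"},
     "spec": {"hostPID": True,
              "containers": [{"name": "agent", "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "debug-tool", "namespace": "dev"},
     "spec": {"initContainers": [{"name": "setup", "securityContext": {"privileged": True}}],
              "containers": [{"name": "shell"}]}},
]})


def cluster_admin_subjects(crb_json, ignore_builtin=True):
    """Return (binding, kind, name) for every subject bound to the cluster-admin ClusterRole.

    The built-in binding of cluster-admin to the system:masters group is skipped
    by default; everything else bound to cluster-admin deserves a review.
    """
    found = []
    for binding in json.loads(crb_json)["items"]:
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subj in binding.get("subjects", []):
            if (ignore_builtin and binding["metadata"]["name"] == "cluster-admin"
                    and subj["kind"] == "Group" and subj["name"] == "system:masters"):
                continue
            name = subj["name"]
            if subj["kind"] == "ServiceAccount":
                name = f"{subj.get('namespace', 'default')}/{name}"
            found.append((binding["metadata"]["name"], subj["kind"], name))
    return found


def privileged_containers(pods_json):
    """List containers (init containers included) running with privileged: true,
    noting which host namespaces the pod also shares."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        meta, spec = pod["metadata"], pod["spec"]
        host_ns = [k for k in ("hostPID", "hostNetwork", "hostIPC") if spec.get(k)]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            if c.get("securityContext", {}).get("privileged"):
                findings.append({"pod": f"{meta['namespace']}/{meta['name']}",
                                 "container": c["name"], "host_namespaces": host_ns})
    return findings


def kubelet_anonymous_auth_enabled(kubelet_config):
    """True unless the KubeletConfiguration explicitly sets
    authentication.anonymous.enabled to false. A missing value is treated as
    not disabled, because the equivalent kubelet flag --anonymous-auth defaults to true."""
    anon = kubelet_config.get("authentication", {}).get("anonymous", {})
    return anon.get("enabled") is not False


if __name__ == "__main__":
    for item in cluster_admin_subjects(CLUSTER_ROLE_BINDINGS):
        print("cluster-admin binding:", item)
    for item in privileged_containers(PODS):
        print("privileged container:", item)
    print("kubelet anonymous auth enabled:",
          kubelet_anonymous_auth_enabled({"authentication": {"anonymous": {"enabled": False}}}))
```

On a real cluster, pipe `kubectl get clusterrolebindings -o json` and `kubectl get pods -A -o json` into the two functions; every hit from `cluster_admin_subjects` is a candidate for rebinding to a narrower role, and every hit from `privileged_containers` is a pod that a Pod Security Standards `restricted` or `baseline` policy would reject.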
Credential and permissions management: Rotate credentials regularly, avoid long-standing access keys, and implement just-in-time access mechanisms. Regularly review and adjust the permissions of human and non-human identities to adhere to the principle of least privilege.
Prioritize vulnerabilities: Focus remediation efforts, such as patching, on high-risk vulnerabilities, especially those with high VPR (Tenable's Vulnerability Priority Rating) scores.
Reduce exposure: Review every publicly exposed asset to determine whether the exposure is necessary, and ensure that confidential information and critical infrastructure are not put at risk and are patched in a timely manner.
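Two of the findings above, long-standing or unused access keys and publicly exposed buckets, can be checked from data the AWS CLI already exposes. The block below is an added example, not Tenable's tooling or anything from the report: it parses a constructed excerpt of an IAM credential report (the real one comes from `aws iam get-credential-report` and has more columns than shown) to flag keys that are overdue for rotation, never used, or idle, and it evaluates constructed S3 bucket policies (as returned by `aws s3api get-bucket-policy`) for statements that grant access to everyone, taking a constructed Public Access Block setting into account. The account ID, user names, bucket name, VPC endpoint and organization ID are all made up, and the "public" test is a simplified version of the rule AWS applies.

```python
"""Audit IAM access-key age/use and S3 bucket-policy exposure from CLI-shaped input.

Added example (not from the page or Tenable). All input data is constructed.
"""
import csv
import io
import json
from datetime import datetime, timezone

# Constructed credential report, trimmed to the columns this check reads.
CREDENTIAL_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-bot,arn:aws:iam::123456789012:user/ci-bot,true,2022-03-01T09:00:00+00:00,2024-06-28T12:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2024-05-10T08:00:00+00:00,2024-06-20T15:30:00+00:00,false,N/A,N/A
legacy-app,arn:aws:iam::123456789012:user/legacy-app,true,2023-11-02T11:00:00+00:00,N/A,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,false,N/A,N/A,true,2024-05-01T10:00:00+00:00,2024-05-03T09:00:00+00:00
"""
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # fixed so the example is reproducible


def _days_since(stamp, now):
    """The report uses N/A or no_information when a key was never rotated/used."""
    if stamp in ("N/A", "no_information", ""):
        return None
    return (now - datetime.fromisoformat(stamp)).days


def audit_access_keys(report_csv, now=NOW, max_age_days=90, max_idle_days=45):
    """Flag active keys older than max_age_days, never used, or unused for max_idle_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = _days_since(row[f"access_key_{n}_last_rotated"], now)
            idle = _days_since(row[f"access_key_{n}_last_used_date"], now)
            flags = []
            if age is not None and age > max_age_days:
                flags.append("rotate")
            if idle is None:
                flags.append("never-used")
            elif idle > max_idle_days:
                flags.append("idle")
            if flags:
                findings.append({"user": row["user"], "key": f"access_key_{n}",
                                 "age_days": age, "idle_days": idle, "flags": flags})
    return findings


# Condition keys that pin a "*" principal to a network or a known principal.
# A wildcard grant limited by one of these is not counted as public here.
RESTRICTING_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
                    "aws:principalorgid", "aws:principalaccount", "aws:principalarn", "aws:userid"}

# Constructed weak policy: an unconditioned "*" read grant next to safe statements.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-assets",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "AppRole", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-assets/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]})
# Constructed fixed policy: the same grant, restricted to one AWS Organization.
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-examplea1b2"}}},
]})


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _has_restricting_condition(condition):
    for operator, pairs in (condition or {}).items():
        if "Not" in operator:  # StringNotEquals etc. widen, they do not restrict
            continue
        if any(k.lower() in RESTRICTING_KEYS for k in pairs):
            return True
    return False


def public_statements(policy_json):
    """Allow statements that grant a wildcard principal without a restricting condition."""
    out = []
    for st in json.loads(policy_json)["Statement"]:
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        if _has_restricting_condition(st.get("Condition")):
            continue
        actions = st.get("Action", [])
        out.append({"sid": st.get("Sid"), "actions": [actions] if isinstance(actions, str) else actions})
    return out


def effective_public(policy_json, public_access_block):
    """Public statements that still matter once the bucket's Public Access Block is applied:
    RestrictPublicBuckets=true makes S3 ignore public grants in the bucket policy."""
    if public_access_block.get("RestrictPublicBuckets"):
        return []
    return public_statements(policy_json)


if __name__ == "__main__":
    for f in audit_access_keys(CREDENTIAL_REPORT):
        print("key finding:", f)
    print("weak policy public statements:", public_statements(WEAK_POLICY))
    print("fixed policy public statements:", public_statements(FIXED_POLICY))
```

The key audit reports three of the four constructed users: `ci-bot` (a working key that is years old), `legacy-app` (an active key that has never been used) and `bob` (a key idle for longer than the threshold), while `alice` passes; the bucket check flags only the `PublicRead` statement and is silent on the fixed policy and on any bucket where `RestrictPublicBuckets` is on.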
Discussion on Governance, Risk and Compliance (GRC)
The key to preventing problems, Young points out, is not a new concept.
"At a high level, the structure of a hack hasn't changed: the attacker needs to find you, get into the system through an entry point, and move laterally to find something valuable," he said. "Tenable's report shows that, overall, we're slow to secure entry points and to secure and control accounts to limit lateral movement, and the cloud environment makes us more discoverable. The number of these issues will not be significantly reduced without significantly increasing the maturity of security practices, refining processes, conducting thorough audits, and combining automation and orchestration to improve speed and consistency. In short, this report strongly supports a well-run governance, risk, and compliance (GRC) practice."