Organisations are struggling to keep up with ever-expanding cloud attack surfaces and increasing multicloud complexity, according to Orca Security.

One-third of enterprises don’t encrypt sensitive data in the cloud

While most organisations list cloud security as one of their top IT priorities, they continue to ignore basic security hygiene when it comes to data in the cloud, according to Orca’s latest public cloud security report. The report revealed that 36 per cent of organisations have unencrypted sensitive data such as company secrets and personally identifiable information in their cloud assets.

The global pandemic accelerated the shift to cloud computing, as the sudden and massive move to remote work forced companies to provide employees with access to business systems from anywhere.

Gartner predicts that worldwide spending on public cloud computing services will rise 20.4 per cent to a total of $494.7 billion this year and expects it to reach nearly $600 billion in 2023.

In the rush to move IT resources to the cloud, organisations struggle to keep up with ever-expanding cloud attack surfaces and increasing multicloud complexity. The current shortage of skilled cyber security staff is further worsening the situation, the Orca report noted.

The risk in the cloud is not greater than in an on-premises environment. Rather, it is different, said Avi Shua, Orca Security’s CEO and co-founder.

“In an on-premise environment, organisations have more control over their infrastructure,” Shua said. “However, this is not necessarily good. Cloud service providers often have far more dedicated resources to ensure the security of the infrastructure than many organisations do.

“Under the shared responsibility model, organisations are still responsible for the applications and services they run in the cloud, with similar risks to on-premise environments. What makes cloud security different is the cultural change — everything is going much faster than on-premises, and there are many more managed services, which pose different security threats versus an on-premise world.”

It’s getting tough to patch all vulnerabilities

It is difficult for organisations to keep up with the number of vulnerabilities being discovered each day. Many fall behind on patching newly discovered vulnerabilities, but some are also not addressing vulnerabilities that have been around for a long time.

Many organisations still have vulnerabilities that were disclosed more than 10 years ago, the report revealed. Severe vulnerabilities need to be addressed as quickly as possible as these account for 78 per cent of initial attack vectors, the report said.

“The reason why some organisations still have these old vulnerabilities is because they often have outdated applications that don’t support updated operating systems, so they cannot be patched easily,” Shua said.

Where this is the case, Shua recommends that organisations segment these systems from other assets to prevent any exposure to the rest of the environment.

“Another reason is that sometimes team responsibilities are unclear and issues are not properly assigned, leaving vulnerabilities to remain unpatched for long periods of time,” Shua added.

Shua says it is important, however, to understand that it is close to impossible to fix all vulnerabilities, so it is essential for teams to remediate strategically by knowing which vulnerabilities pose the greatest danger to a company’s most sensitive and valuable information, what Shua calls a company’s crown jewels.

Log4Shell remains problematic

In December 2021, a serious zero-day vulnerability in Apache Log4j was discovered. The vulnerability, dubbed “Log4Shell,” was easy to exploit and allowed unauthenticated remote code execution.

There was no immediate patch available when the vulnerability was originally published. Open source developers hastily released several patches, which in turn introduced new vulnerabilities, until the issue was finally resolved after the fourth patch.

However, organisations still suffer the aftermath of the vulnerability, the report said. Almost five per cent of workload assets still have at least one of the Log4j vulnerabilities, of which 10.5 per cent are internet-facing.

Thirty per cent of the Log4j vulnerabilities discovered between December 2021 and January 2022 remain unresolved, of which 6.2 per cent potentially expose personally identifiable information.

There are also still quite a few Log4j vulnerabilities found on containers and container images. Images are particularly problematic since these vulnerabilities will be reproduced each time the image is used, the report noted.

Neglected assets act as front door for attackers

Neglected assets often act as a front door for attackers to break in. A neglected asset is a cloud asset that uses an unsupported operating system such as CentOS 6, Linux 32-bit, or Windows Server 2012, or has remained unpatched for 180 days or more.

“The reason why some organisations still have neglected assets is because they have old applications that don’t support updated operating systems,” the report said.

On average, according to Orca, organisations have 11 per cent of their assets in a neglected security state, and 10 per cent of organisations have more than 30 per cent of their workloads in a neglected security state. Nineteen per cent of identified attack paths use neglected assets as the initial access vector. Of all neglected assets, the majority are containers, and nearly half are running unsupported versions of the Alpine operating system.

Vulnerabilities arise from misconfiguration of keys

Gartner predicts that through 2025, more than 99 per cent of cloud breaches will originate from preventable misconfigurations or mistakes by end users.

The AWS Key Management Service (KMS) allows administrators to create, delete and control keys that encrypt data stored in AWS databases and products. Eight per cent of organisations have configured a KMS key with a public access policy. “This is particularly dangerous since it creates an easy attack vector for a malicious party,” the report said.

Furthermore, 99 per cent of organisations use at least one default KMS key.

Seventy-nine per cent of organisations have at least one access key older than 90 days. It is best practice to rotate access keys older than 90 days, to limit the time a compromised set of IAM (identity and access management) access keys could provide access to AWS accounts, the report said.
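As an added example (not code from the Orca report or the article), the following Python checks the two AWS key conditions described above: a KMS key policy that grants a wildcard principal with no Condition, shown beside a corrected policy scoped to one role, and IAM access keys older than the 90-day rotation threshold. The policy JSON, account id, key ids and dates are constructed sample data, so the script runs offline without AWS credentials.

```python
# Added example, not from the Orca report or the article: two checks for the AWS
# key misconfigurations the report counts, run on constructed sample data offline.
import json
from datetime import datetime, timedelta, timezone

# Constructed KMS key policy with a wildcard principal and no Condition:
# this is what "a KMS key with a public access policy" means.
PUBLIC_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAnyone", "Effect": "Allow",
                   "Principal": {"AWS": "*"},
                   "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]})

# Corrected policy: same actions, granted only to one role (placeholder account id).
SCOPED_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAppRole", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
                   "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}]})

def _principals(stmt):
    """Flatten Principal, which may be "*", a string, a list, or a map of lists."""
    p = stmt.get("Principal", {})
    if not isinstance(p, dict):
        p = {"AWS": p}
    out = []
    for v in p.values():
        out.extend(v if isinstance(v, list) else [v])
    return out

def is_public_key_policy(policy_json):
    """True if any Allow statement grants a wildcard principal with no Condition."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                and "*" in _principals(stmt)):
            return True
    return False

# Constructed IAM access-key metadata in the shape boto3's list_access_keys()
# returns, with a fixed "today" so the result is stable.
NOW = datetime(2022, 10, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLEOLDKEY0001", "CreateDate": NOW - timedelta(days=200)},
    {"AccessKeyId": "AKIAEXAMPLENEWKEY0002", "CreateDate": NOW - timedelta(days=30)},
]

def stale_access_keys(keys, now=NOW, max_age_days=90):
    """Return ids of keys older than the 90-day rotation threshold the report cites."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in keys if k["CreateDate"] < cutoff]
```

Against a real account the same two functions would be fed the output of `kms.get_key_policy()` and `iam.list_access_keys()`; a wildcard principal guarded by a Condition is deliberately not flagged here and deserves a manual look.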

About 51 per cent of organisations have a Google Storage bucket without uniform bucket-level access. “If access levels are not set uniformly, this means that an attacker could move laterally and obtain a higher access level; with that permission they can escalate their privileges by creating or updating an inline policy for a role that they have access to,” the report noted.

Companies need to protect their crown jewels

A company’s crown jewels are its most valuable assets. They include personally identifiable information, customer and prospect databases, employee and HR information, corporate financials, intellectual property, and production servers. Crown jewels should be protected using the highest security standards and receive the highest priority when deciding which risks need to be remediated first.

About 36 per cent of organisations have sensitive data such as secrets and personally identifiable information in files, storage buckets, containers, and serverless environments.

“Encrypting sensitive data greatly reduces the likelihood that it is unintentionally exposed and can nullify the impact of a breach if the encryption remains unbroken,” the report said.

Furthermore, 35 per cent of organisations have at least one internet-facing workload with sensitive information in a Git repository. “Cyber criminals can easily extract this information and use it to compromise your systems,” according to the Orca report.
