On 5th February, Unit 42 (the Palo Alto Networks threat intelligence team) released the Spring 2020 edition of its Cloud Threat Report, which aims to uncover where cloud vulnerabilities are surfacing in the threat landscape amid the widespread shift to cloud infrastructure.
Over the last 18 months, the Unit 42 team witnessed a radical shift in how DevOps teams are building their cloud infrastructure. Organizations are rapidly adopting infrastructure as code (IaC) as they attempt to automate more of their build processes in the cloud. Moving to IaC means teams stop creating and configuring infrastructure by hand and instead define it in code, so a single template is reused across many deployments. Although IaC is not new, many organizations are adopting it for the first time, which brings new risks: a mistake in a template is no longer one misconfigured resource but a misconfiguration stamped out everywhere the template is applied.
Some key findings include:
Nearly 200,000 insecure templates
Researchers found an astonishing number of templates with high and medium severity vulnerabilities, yet it only takes one such misconfiguration to compromise an entire cloud environment. Just as when you forget to lock your car or leave a window open, an attacker can use these misconfigurations to weave around defenses. This high number is consistent with a previous report, in which we found that 65% of cloud incidents were due to customer misconfigurations. Without secure IaC templates from the start, cloud environments are ripe for attack.
43% of cloud databases are not encrypted
Unencrypted data is like having a house with glass walls; someone can walk by and see exactly what is happening inside. Keeping data encrypted at rest prevents anyone who obtains the underlying disks, snapshots or backups from reading the information stored. It does not, on its own, stop an attacker who reaches a database that is exposed to the internet with weak or absent authentication, so it complements access controls rather than replacing them. Encryption of data is also a requirement of many compliance standards, such as PCI DSS and HIPAA. The recent breaches of Vistaprint and MoviePass highlight the importance of having encrypted databases.
60% of cloud storage services have logging disabled
A business would never tolerate having over half of its warehouses not keeping a logbook, nor would it omit security cameras on doorways, as that would make it impossible to track who has accessed the facility. When storage logging is disabled, malicious actors from Cloud Hopper to Fancy Bear could enter the storage system and no one would ever know. Storage access logging is critical when attempting to determine the scale of the damage in such cloud incidents as the U.S. Voter Records leak or the National Credit Federation data leak, since without it there is no record of which objects were read, by whom, or when.
76% of cloud workloads expose SSH (port 22)
Exposing SSH servers to the entire internet is a risky practice. Attackers actively target SSH services as they provide remote access to cloud environments, and an SSH port open to 0.0.0.0/0 is scanned and brute-forced within minutes of going live. At a minimum, inbound port 22 should be restricted to known source ranges or a bastion host, and password authentication should be disabled in favor of keys. Security teams should focus on moving away from trust-based access models like accounts and passwords toward those that embody the Zero Trust approach of “never trust, always verify.” The fact this service’s exposure is on an upward trend is concerning.
69% of organizations expose RDP (port 3389)
Pick your poison: RDP or SSH. When publicly exposed, either of these services allows attackers to knock on your front door when they shouldn’t even know it’s there. Researchers recommend strongly against directly exposing RDP to the public internet. Many alternatives now exist, such as Azure® Bastion, a PaaS service offered by Microsoft that brokers RDP and SSH sessions without giving the virtual machines a public IP address. The alarming upward trend is something to watch closely between reports.
27% of organizations use outdated versions of Transport Layer Security (TLS)
TLS v1.1 was superseded by TLS v1.2 in 2008 (RFC 5246), and PCI DSS has required migrating off TLS v1.0 and other early TLS since June 2018. In addition to violating compliance requirements such as PCI DSS, organizations that still accept these versions are putting their customers’ data at risk. Having this number on a downward trend is good news for customer security and privacy.
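The findings above are all template-level mistakes that can be caught before deployment. As an added example that is not part of the Unit 42 report and not a Palo Alto Networks tool, the following Python script scans a CloudFormation template (JSON) for the four misconfiguration classes the report counts: unencrypted RDS databases, S3 buckets without access logging, security groups that open SSH (22) or RDP (3389) to the whole internet, and HTTPS listeners whose TLS policy still negotiates TLS 1.0 or 1.1. The sample template embedded in the script is constructed for illustration; the set of legacy ELB security policies and the assumed default policy are taken from memory of the AWS documentation and should be checked against the current policy table before use.

```python
"""Minimal IaC misconfiguration scanner for CloudFormation JSON templates.

Added example; not the Unit 42 report's code. Covers a subset of resource
types and properties, enough to show how the report's finding classes map
onto concrete template properties.
"""
import json

# Constructed sample template with one instance of each finding class plus
# one correctly configured bucket.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "AppDb": {  # StorageEncrypted omitted -> unencrypted at rest
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t3.micro",
                           "AllocatedStorage": "20"},
        },
        "Uploads": {  # no LoggingConfiguration -> access logging disabled
            "Type": "AWS::S3::Bucket",
            "Properties": {},
        },
        "AuditLogs": {  # logging enabled; should produce no finding
            "Type": "AWS::S3::Bucket",
            "Properties": {"LoggingConfiguration": {"DestinationBucketName": "log-archive"}},
        },
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "10.0.0.0/8"},
                ],
            },
        },
        "WebListener": {
            "Type": "AWS::ElasticLoadBalancingV2::Listener",
            "Properties": {"Protocol": "HTTPS", "Port": 443,
                           "SslPolicy": "ELBSecurityPolicy-2016-08"},
        },
    }
})

# Assumption: ELB predefined policies that still negotiate TLS 1.0 or 1.1.
# Listed from memory of the AWS docs; extend from the current policy table.
LEGACY_TLS_POLICIES = {
    "ELBSecurityPolicy-2016-08",
    "ELBSecurityPolicy-TLS-1-1-2017-01",
    "ELBSecurityPolicy-TLS-1-0-2015-04",
}
ASSUMED_DEFAULT_ALB_POLICY = "ELBSecurityPolicy-2016-08"  # assumption: ALB default when omitted
ANYWHERE = {"0.0.0.0/0", "::/0"}
REMOTE_ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def port_in_rule(rule, port):
    """True if an ingress rule admits TCP traffic to `port` ("-1" means all traffic)."""
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
    return lo <= port <= hi


def scan_template(template_text):
    """Return a list of (resource_name, severity, message) findings."""
    findings = []
    resources = json.loads(template_text).get("Resources", {})
    for name, res in resources.items():
        rtype = res.get("Type", "")
        props = res.get("Properties") or {}
        if rtype == "AWS::RDS::DBInstance":
            # CloudFormation accepts true or "true"; anything else is unencrypted.
            if str(props.get("StorageEncrypted", "")).lower() != "true":
                findings.append((name, "HIGH", "database storage not encrypted"))
        elif rtype == "AWS::S3::Bucket":
            if "LoggingConfiguration" not in props:
                findings.append((name, "MEDIUM", "storage access logging disabled"))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr not in ANYWHERE:
                    continue  # restricted source range; not an internet exposure
                for port, svc in REMOTE_ADMIN_PORTS.items():
                    if port_in_rule(rule, port):
                        findings.append((name, "HIGH", f"{svc} (port {port}) open to {cidr}"))
        elif rtype == "AWS::ElasticLoadBalancingV2::Listener" and props.get("Protocol") == "HTTPS":
            policy = props.get("SslPolicy", ASSUMED_DEFAULT_ALB_POLICY)
            if policy in LEGACY_TLS_POLICIES:
                findings.append((name, "MEDIUM", f"TLS policy {policy} permits TLS < 1.2"))
    return findings


if __name__ == "__main__":
    for res_name, severity, message in scan_template(SAMPLE_TEMPLATE):
        print(f"{severity:6} {res_name}: {message}")
```

Run against the embedded sample it reports four findings (AppDb, Uploads, AdminSg for SSH only, WebListener); the RDP rule is limited to 10.0.0.0/8 and the AuditLogs bucket has logging, so neither is flagged. Wiring a check like this into the pipeline that applies templates turns the report's "nearly 200,000 insecure templates" into a gate that fails the build instead of a statistic discovered after deployment.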