In the first half of this year, 38% of organizations had at least one cloud workload that was critically vulnerable, highly privileged, and publicly exposed, according to a study of telemetry from customers of cloud security vendor Tenable released this week.
“This ‘toxic cloud triad’ creates a high-risk attack path that makes these workloads prime targets for bad actors,” the study said.
The up-shot of that is that “more than one-third of organizations could potentially land in tomorrow’s headlines,” it noted.
Even having workloads with one or two of those risk factors can have enormous security implications for an organization, the study said.
End-user organizations have their part in the blame for this, said Jeremy Roberts, senior research director at Info-Tech Research Group, and unconnected with the study.
“The cloud is a tool like any other; how you use it is what matters,” he said. “Many cloud breaches are not provider-related, but are instead due to ineffective management, like the 2019 Capital One breach. Permissions should be regularly audited, zero trust principles applied, and central management (control towers, etc.) used to standardize on a security baseline.”
The flaws
Overall, the study said, 74% of organizations had publicly exposed storage, some of which included sensitive data. The cause of this exposure was often unnecessary or excessive permissions. And, it said, “as organizations ramp up their use of cloud-native applications so, too, does the amount of sensitive data they store there increase — including customer and employee information and business IP. Hackers are motivated to get at such cloud-stored data.” Hence many of the reports of ransomware attacks targeting cloud storage during the reporting period aimed at public cloud resources with excessive access privileges and could have been prevented.
A breakdown of exposed storage telemetry revealed that 39% of organizations have public buckets, 29% have either public or private buckets with overprivileged access, and 6% have public buckets with overprivileged access.
Storage isn’t the only issue, however. A disturbing 84% of organizations have unused or longstanding access keys with critical or high severity excessive permissions, which, the study said, “have played major roles in numerous identity-based attacks and compromises.” It cited the MGM Resorts data breach, the Microsoft email hack, and the FBot malware targeting web servers, cloud services, and software-as-a-service, which achieves persistency and propagates on AWS via AWS IAM (identity and access management) users as three examples of how the keys could be abused.
“Core to IAM risks are access keys and their assigned permissions; combined, they are literally the keys to the kingdom of cloud-stored data,” it noted.
Add in the fact that 23% of cloud identities on the major hyperscalers (Amazon Web Services, Google Cloud Platform, and Microsoft Azure), both human and non-human, have critical or high severity excessive permissions, and you have a recipe for disaster.
This situation is in part down to human nature, according to Scott Young, principal advisory director at Info-Tech Research Group.
“The high percentage of critical permissions granted to human accounts reflects the natural human inclination towards the path of least resistance; unfortunately, the resistance is meant to be there for a reason,” Young said. “The desire for less friction while working on systems leads to large potential consequences when an account is compromised.”
The study also found that a whopping 78% of organizations have publicly accessible Kubernetes API servers, 41% of which allow inbound internet access, which it described as “troubling.” As well, 58% allow certain users unrestricted control over the Kubernetes environments, and 44% run containers in privileged mode, two permissions configurations that amplify security risks.
On top of all of these misconfigurations that leave installations vulnerable in themselves, over 80% of workloads have an unremediated critical CVE such as CVE-2024-21626, a severe container escape vulnerability, despite patches being available.
Mitigations
Tenable proposed a series of mitigation strategies to help organizations reduce their risks.
- Create a context-driven ethos: Bring identity, vulnerability, misconfiguration, and data risk information together in a unified tool to obtain accurate visualization, context, and prioritization around cloud security risk. “Not all risk is created equal — identifying toxic combinations can dramatically reduce risk.”
- Closely manage Kubernetes/container access: Adhere to Pod Security Standards, including limiting privileged containers and enforcing access controls. Restrict inbound access, limit inbound access to Kubernetes API servers and ensure that Kubelet configurations disable anonymous authentication. In addition, review cluster-admin cluster role bindings and see if they’re really necessary; if not, bind users to a lower privileged role.
- Credential and permissions management: “Regularly rotate credentials, avoid using long-lasting access keys, and implement Just-in-Time access mechanisms. Regularly audit and adjust permissions for human and non-human identities to adhere to the principle of least privilege.”
- Prioritize vulnerabilities: Focus remediation efforts such as patching on high-risk vulnerabilities, especially those with high VPR scores.
- Minimize exposure: Review any assets exposed publicly to determine if the exposure is needed and it doesn’t compromise confidential information or critical infrastructure. Keep up with patching.
An argument for GRC
Young noted that the key to preventing problems is not new.
“The structure of hacking attempts hasn’t changed at a high level; the bad actor needs to find you, get through an entry point, and move laterally to find something valuable,” he said. “Tenable’s report shows that in aggregate we are slow to secure our entry points and protect and control accounts to limit lateral movement, while the cloud makes us easy to find. Without a marked increase in maturing security practices, well defined processes, and thorough auditing, all coupled with automation and orchestration for speed and consistency, these numbers won’t significantly decrease. In short, this report is a strong argument for a well-run Governance, Risk, and Compliance practice.”
Source:: Network World