Cloud Misconfiguration Mishaps Businesses Must Watch

  /     /     /  
Publicated : 23/11/2024   Category : security


Cloud Misconfiguration Mishaps Businesses Must Watch


Cloud security experts explain which misconfigurations are most common and highlight other areas of the cloud likely to threaten businesses.



IT security teams are well aware of the dangers of cloud misconfigurations. Poorly configured cloud infrastructure, applications, and storage have proved to be a major threat as attackers capitalize on an opportunity to sneak into enterprise environments and steal information or move laterally.
Misconfigurations have only grown more common amid the COVID-19 pandemic and a global rush to shift organizations into fully virtualized workforces. The accelerated jump to the cloud has led to careless mistakes and, consequently, opportunistic attacks to take advantage of them.
You get this combination of cloud security issues that are primarily the users of the cloud – not the cloud providers themselves – misconfiguring, embedding credentials inappropriately, leaving passwords, not hardening their cloud because theyre moving so quickly … thats led to several compromises, explains Jim Reavis, co-founder and CEO of the Cloud Security Alliance.
Organizations hastily moving to the cloud often lack a strategic view and fail to consider factors such as threats that could put them at risk and high-priority security functionalities, Reavis says. They forget to lock down storage buckets and databases, leave credentials viewable in Github, and fail to patch or maintain good security hygiene in virtual machines and containers, he adds.
Out of this, you give the attackers an ability to really be able to do some pretty quick scanning of cloud environments, finding several things that are insecure, and then being able to go do a deeper dive hack, Reavis continues. Configuration management can help prevent these threats.
IT and security teams are discovering several unexpected gaps resulting from the rapid transition to cloud. Now they have to consider tactical solutions and a more strategic architectural shift. Many have accepted the operational changes resulting from COVID-19 are
here to stay
. As a result, they should consider how to better strengthen their cloud security. 
A lot of it goes back to the shared responsibility model and understanding that this is a combined responsibility for us to secure the cloud, Reavis says.
When dealing with products like infrastructure-as-a-service, its incumbent on cloud consumers to understand theyre given a blank slate. Its on them to worry about encryption, identity management, and other parts of their cloud environments. 
[Check out Jim Reavis upcoming talk, Practical Solutions for Securing Your Cloud Services, on Oct. 5 during the
Cybersecurity Crash Course
at next weeks Interop Digital]
Misconfigurations can help attackers get into your cloud environment and achieve their goals once inside, explains Josh Stella, co-founder and CTO at Fugue Security. What they care about is exploiting misconfigurations, typically in services like identity and access management (IAM). These credentials can help them navigate the network and quietly exfiltrate data theyre looking for.
The blast radius of these is devastation, he says. You can have a very small crack in your defenses, and if its cloud misconfiguration-related, that can mean in five minutes all your data is gone.
Stella points to a few examples of places where security teams can double-check their assets for configuration mistakes. The first step is to understand your security posture: Know where you stand and learn where errors are. Businesses will inevitably slip up when configuring the cloud.
I guarantee you mistakes have been made because its just too hard to not, he says.
A common mistake is placing too much trust in the block public access feature for AWS S3 buckets. Many people think when they turn this feature on, theyre protected from attackers. But while its a good step to take, its vastly incomplete, Stella says. An organization can have an exception to block public access that could expose its private information to the Internet.
Similarly, Stella says he often sees the issue of overly permissive IAM roles. Amazons Elastic Compute Cloud (EC2) has many possible permissions in IAM; when confronted with all these choices, people often choose big chunks, he explains. The problem is, these permissions are all very detailed and may be granting a level of access that someone shouldnt necessarily have.
Stella also urges organizations to ensure they limit the ability of their cloud infrastructure to list and describe other parts of their cloud infrastructure. Security admins often think having list permissions is safe; this capability lists the contents of their EC2 fleet or containers, or lists data storage service options, buckets, and other objects.
These are extremely dangerous things to leave on because hackers first, and often most difficult, job is discovery, Stella explains. If you give them a map to your safe, thats a bad idea. They can probably break into your safe. Security teams should limit the ability of their cloud infrastructure to know about the other cloud infrastructure theyre running, he says.
In his upcoming Interop Digital talk,
Simulating Real-Time Cloud Misconfiguration Attacks to Improve Cloud Security
, Stella will simulate an attack against his own infrastructure and, in doing so, demonstrate how these small, simple mistakes can have major consequences. 
Its really important to view your own infrastructure from the perspective of someone who is going to [venture] into it and do bad things, he says. Businesses can put bars on their front windows and lock the doors, but attackers will find a small open basement window to sneak in.
What you should be doing – what everyone should be doing – is not sleeping well until you find some of those because theyre there, Stella adds. You have to think that way.

Last News

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Cloud Misconfiguration Mishaps Businesses Must Watch