Security Turbulence in the Cloud: Survey Says…

Exclusive Threatpost research examines organizations’ top cloud security concerns, attitudes towards zero-trust and DevSecOps.

Threatpost

Over the past 15 years, the cloud has blown business into a new age of networking, for solid reasons: Small businesses can get online fast, using the same tools as the big companies; large companies can scale up and down to match demand; and organizations of all sizes can quickly react to business fluctuations in terms of allocating resources and onboarding applications.


As well, of course, over the past few years, the pandemic has made cloud resources crucial when it comes to supporting remote workforces.

[Editor’s Note: This article was originally published in the free Threatpost eBook “Cloud Security: The Forecast for 2022.” In it we explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. Please download the FREE eBook for the full story]

However, the mad dash to set up shop in the cloud can sometimes lead to stormy weather: There are, after all, beaucoup security challenges hidden behind the cloud’s promise of blue skies. As Prevailion CTO Nate Warfield enumerates, cloud marketplaces “are rife with pre-built virtual machine (VM) images containing unpatched vulnerabilities, overly permissive firewall settings, and even malware and coin miners. Cloud providers don’t take a proactive stance towards breach and compromise monitoring and, in many cases, won’t even pass on notifications to their customers which they have received from external researchers.”


In order to put some quantifiable numbers around how organizations are faring in their journeys to the cloud, Threatpost polled 400+ readers. Topics included what security dangers respondents have encountered, and which ones they most fear they’ll run into. We also asked what security tools they plan to implement in the coming months.

When asked how confident respondents are that their organization had implemented sufficient cloud security, the majority felt bullish (68 percent). Worryingly, almost a quarter (24 percent) said they had no confidence in their organization’s cloud security. Just 8 percent said they feel “highly” confident.

Lions & Tigers & Shared Responsibility

Warfield’s list of challenges is just the tip of the iceberg, according to the poll results. There are also data-privacy and regulatory issues; the basic challenges of implementing cloud, such as staff shortages; the threat of cyberattack and data exposure; and plain old confusion.

Not everyone is sure who’s responsible for what when it comes to the shared-responsibility model for public cloud deployments. And a recurring question is what a zero-trust architecture for access management entails.

Just over half said they have embraced the shared-responsibility model for public cloud deployments (59 percent), but a quarter said they “don’t really understand it” and 12 percent said they did not. When asked if they’ve implemented a zero-trust architecture for access management, 53 percent said, “not yet but plan to,” and 17 percent said it confused them. Just 23 percent said yes. Six percent said absolutely not.

The notion of “DevSecOps,” where security is built into an organization’s cloud-native application lifecycle management, has more support: 71 percent noted that they’ve either adopted the strategy or soon plan to; but a fifth (21 percent) said they didn’t fully grasp what it means.

Meanwhile, organizations perceive there to be a lot of security pitfalls in the cloud. In its poll, Threatpost asked about a number of them, from API vulnerabilities to stolen cloud credentials, and container bugs to a smorgasbord of malware, including ransomware and cryptomining malware.

Security Pitfall No. 1: Misconfigurations

The biggest number of respondents – 27 percent – cited misconfigurations and data exposure as the biggest threat to their cloud deployments.


While many respondents reported that they’ve either experienced a cyberattack on their cloud assets in the past 12 months (18 percent) or that they aren’t exactly sure (2 percent), an even larger portion – 38 percent – reported having experienced a data-exposure incident due to misconfiguration.

Poll respondents’ takes on the issues confirm what’s been a constant over the past few years; namely, misconfigured cloud deployments have been, and continue to be, rampant. In a 2020 survey of 2,064 Google Cloud buckets by Comparitech, 6 percent of all Google Cloud buckets were estimated to be misconfigured and left open to the public internet, for anyone to access their highly sensitive content.

Respondents ranked their other most-worrying cloud security threats as account compromise and stolen cloud credentials (20 percent); API vulnerabilities (13 percent); advanced attacks against cloud providers (11 percent); ransomware (9 percent); cyberespionage/data theft (6 percent); distributed denial of service (DDoS, 5 percent); other malware (3 percent); and cryptojacking (2 percent).

How You’re Protecting the Cloud

Fortunately, efforts to secure the cloud aren’t static. Nor are the technologies. When asked what security tools they’re planning on implementing in the next 12 months, poll respondents listed a host of technologies that will hopefully fill in whatever holes they have in their cybersecurity umbrellas.

For better or worse, multifactor authentication (MFA) on all accounts was cited as the top tool already in use by the most respondents, at 12 percent. It’s important, however, not to fall into a false sense of security: In January 2021, the feds warned that cloud attacks were bypassing weaker two-factor authentication, such as schemes that use a code sent to a mobile phone via SMS.


In terms of the top security tools that poll respondents plan to invest in, encryption for data at rest and data in transit (cited by 11 percent) took the lead, followed by identity access management (11 percent) and the adoption of self-managed security controls offered by cloud providers (9 percent).

The top most-cited planned upgrade to cloud security in the poll was user-behavior analytics: i.e., the use of artificial intelligence and machine learning to analyze large datasets and identify patterns that signify security breaches. This can be used to spot anomalous behavior that may indicate data exfiltration or other malicious activity that might otherwise slip by security tools and personnel. In all, 9 percent of respondents said their organizations have behavior analytics in the works in the coming year.


The next set of top cloud-security tools on the to-do list were cloud-configuration monitoring tools (cited by 8 percent), a single console to manage security across multiple clouds (7.5 percent), and MFA on all accounts (7.5 percent). Next up were risk assessment and auditing (7.5 percent), policy-based data loss prevention (DLP) (7 percent) and data activity monitoring (7 percent).

What’s Gumming Up the Works

Some security tools are in place, while more are being implemented. But all of this work to secure the cloud is, well, work, and it often requires more hands than are available. As noted earlier, respondents cited a lack of skilled staff as the biggest challenge when it comes to securing the cloud (19 percent).

Indeed, the (ISC)²’s 2021 Cybersecurity Workforce Study found that there are 2.72 million open cybersecurity positions globally, and that the worldwide cybersecurity workforce needs to grow 65 percent to effectively defend organizations’ critical assets. Out of those, cloud management and cybersecurity ranked highest when it comes to the biggest talent gaps that companies need to fill.

The next biggest challenge facing organizations is a lack of visibility into what data is held within cloud applications, cited by 13 percent. That’s followed by insufficient identity and access management controls at 11 percent.

It’s clear that cloud security is increasingly top-of-mind at organizations, which have big plans for addressing it. But it’s a proverbial journey, not a sprint. As Prevailion’s Warfield noted, it’s crucial to take it seriously, and the time is now to start implementing controls.

“Cloud networking isn’t inherently insecure,” he said. “But as the world shifts to a cloud-centric and hybrid cloud environment, particularly for remote workforces, organizations need to recognize that their cloud-security strategy, policies, controls and processes must be as robust as in a classic on-premises environment.”

Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.

Related news

CVE-2022-0985: 2064117 – (CVE-2022-0985, MSA-22-0006) CVE-2022-0985 moodle: Users with moodle/site:uploadusers but without moodle/user:delete could delete users

Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.

CVE-2022-1353: af_key: add __GFP_ZERO flag for compose_sadb_supported in function pf… · torvalds/linux@9a564bc

A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information.

CVE-2022-1114: heap-use-after-free in RelinquishDCMInfo of dcm.c

A heap-use-after-free flaw was found in ImageMagick's RelinquishDCMInfo() function of dcm.c file. This vulnerability is triggered when an attacker passes a specially crafted DICOM image file to ImageMagick for conversion, potentially leading to information disclosure and a denial of service.

CVE-2022-1195: git/torvalds/linux.git - Linux kernel source tree

A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. This flaw allows a local attacker with a user privilege to cause a denial of service (DOS) when the mkiss or sixpack device is detached and reclaim resources early.

CVE-2022-1249: NULL pointer dereference in cms_set_pw_data()

A NULL pointer dereference flaw was found in pesign's cms_set_pw_data() function of the cms_common.c file. The function fails to handle the NULL pwdata invocation from daemon.c, which leads to an explicit NULL dereference and crash on all attempts to daemonize pesign.

CVE-2021-39082: Security Bulletin: UC Deploy Container images may contain non-unique https certificates and database encryption key. (CVE-2021-39082 )

IBM UrbanCode Deploy (UCD) 7.1.1.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

CVE-2022-1015: CVE-2022-1015,CVE-2022-1016 in nf_tables cause privilege escalation, information leak

A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.

CVE-2022-1227: Privilege escalation in 'podman top'

A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service.

CVE-2022-1048: [PATCH 0/4] ALSA: pcm: Fix ioctl races

A use-after-free flaw was found in the Linux kernel’s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system.

CVE-2022-24900: Merge pull request #351 from porcupineyhairs/FixPathInjection · onlaj/Piano-LED-Visualizer@3f10602

Piano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulnerable to a path traversal attack. The `os.path.join` call is unsafe for use with untrusted input. When the `os.path.join` call encounters an absolute path, it ignores all the parameters it has encountered till that point and starts working with the new absolute path. Since the "malicious" parameter represents an absolute path, the result of `os.path.join` ignores the static directory completely. Hence, untrusted input is passed via the `os.path.join` call to `flask.send_file` can lead to path traversal attacks. A patch with a fix is available on the `master` branch of the GitHub repository. This can also be fixed by preventing flow of untrusted data to the vulnerable `send_file` function. In case the application logic necessiates this behaviour, one can either use the `flask.safe_join` to join untrusted paths or replace `flask.send_file` ...
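As an added illustration (not code from the Piano LED Visualizer project or from the advisory), the following Python contrasts the unsafe join described above with a containment check of the kind `flask.safe_join` performs; the base directory and request paths are constructed for the demo, and `posixpath` is used explicitly so the result is the same on every host.

```python
"""Demonstrates why os.path.join is unsafe for untrusted input (the CVE-2022-24900
pattern) and what a containment check must do instead. All paths are constructed."""
import posixpath

# On Linux/macOS, os.path *is* posixpath; used explicitly so the demo is deterministic.
STATIC_DIR = "/srv/visualizer/static"   # hypothetical base directory, not from the project


def naive_join(base: str, user_path: str) -> str:
    """The unsafe pattern from the advisory: join with no containment check.
    When user_path is absolute, posixpath.join (like os.path.join) discards `base`
    and every component before it, so the static directory is silently ignored."""
    return posixpath.join(base, user_path)


def safe_join(base: str, user_path: str):
    """Join only if the result stays inside base; return None otherwise.
    Own re-implementation of the checks flask.safe_join performs, not Flask's code."""
    if "\0" in user_path:
        return None                            # NUL bytes confuse lower-level APIs
    if posixpath.isabs(user_path):
        return None                            # the CVE-2022-24900 case: absolute input
    if any(part == ".." for part in user_path.split("/")):
        return None                            # classic dot-dot traversal
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate != base and not candidate.startswith(base + "/"):
        return None                            # defence in depth: result escaped base
    return candidate


def compare(user_path: str) -> tuple:
    """Return (naive result, safe result) for one request path."""
    return naive_join(STATIC_DIR, user_path), safe_join(STATIC_DIR, user_path)


if __name__ == "__main__":
    for p in ("img/logo.png", "/etc/passwd", "../../etc/passwd", "img/../logo.png"):
        naive, safe = compare(p)
        print(f"{p!r:22} naive -> {naive!r:40} safe -> {safe!r}")
```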

CVE-2021-41948: 1-click stored XSS from admin panel to site · Issue #8 · intelliants/subrion-plugin-contact_us

A cross-site scripting (XSS) vulnerability exists in the "contact us" plugin for Subrion CMS <= 4.2.1 version via "List of subjects".

CVE-2022-1536: CVEproject/automad<=1.10.9 Stored Cross-Site Scripting(XSS).md at main · xiahao90/CVEproject

A vulnerability has been found in automad up to 1.10.9 and classified as problematic. This vulnerability affects the Dashboard. The manipulation of the argument title with the input Home</title><script>alert("home")</script><title> leads to cross-site scripting. The attack can be initiated remotely but requires authentication. The exploit details have been disclosed to the public and may be used.

CVE-2022-1533: Buffer Over-read in libmobi

Buffer Over-read in GitHub repository bfabiszewski/libmobi prior to 0.11. This vulnerability is capable of arbitrary code execution.

CVE-2022-1531: avoid SQL injection exploits · RTXteam/RTX@fa2797e

SQL injection vulnerability in ARAX-UI Synonym Lookup functionality in GitHub repository rtxteam/rtx prior to checkpoint_2022-04-20 . This vulnerability is critical as it can lead to remote code execution and thus complete server takeover.

GHSA-p3w3-4ppm-c3f6: Cross site scripting in FacturaScripts

FacturaScripts prior to version 2022.06 is vulnerable to stored cross-site scripting via upload plugin functionality in zip format.

CVE-2022-24449: GitHub - jet-pentest/CVE-2022-24449: Solar Appscreener XXE

Solar appScreener through 3.10.4, when a valid license is not present, allows XXE and SSRF attacks via a crafted XML document.

GHSA-f6p5-76fp-m248: URL Rewrite vulnerability in multiple zendframework components

zend-diactoros (and, by extension, Expressive), zend-http (and, by extension, Zend Framework MVC projects), and zend-feed (specifically, its PubSubHubbub sub-component) each contain a potential URL rewrite exploit. In each case, marshaling a request URI includes logic that introspects HTTP request headers that are specific to a given server-side URL rewrite mechanism. When these headers are present on systems not running the specific URL rewriting mechanism, the logic would still trigger, allowing a malicious client or proxy to emulate the headers to request arbitrary content.

GHSA-3qrq-r688-vvh4: Multiple valid tokens for password reset in Shopware

Impact: Multiple tokens for password reset could be requested. All tokens could be used to change the password. This makes it possible for an attacker to take over the victim's account if s/he gains access to the victim's email account and finds an unused password reset token in the emails within the time frame of two hours.

Patches: We recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/changelog-sw5/#5-7-9 For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

References: https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022

GHSA-pf38-v6qj-j23h: Malfunction of CSRF token validation in Shopware

Impact: The CSRF tokens were not renewed after login and logout. An attacker could impersonate the victim if the attacker is able to use the same device as the victim used beforehand.

Patches: We recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/changelog-sw5/#5-7-9 For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

References: https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022

GHSA-m98g-63qj-fp8j: Reflected XSS on clients-registrations endpoint

A POST-based reflected cross-site scripting vulnerability has been identified in Keycloak. When a malicious request is sent to the client registration endpoint, the error message is not properly escaped, allowing an attacker to execute malicious scripts in the user's browser.

Acknowledgement: Keycloak would like to thank Quentin TEXIER (Pentester at Opencyber) for reporting this issue.

GHSA-4g29-fccr-p59w: Reflected Cross-site Scripting in Shopware storefront

Impact: Non-stored XSS in the storefront. Request parameters were directly assigned to the template, so that malicious code could be sent via a URL.

Patches: We recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/changelog-sw5/#5-7-9 For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

References: https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022

CVE-2022-22443: IBM InfoSphere Information Server cross-site scripting CVE-2022-22443 Vulnerability Report

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 224440.

CVE-2022-22427: IBM InfoSphere Information Server cross-site scripting CVE-2022-22427 Vulnerability Report

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 223720.

CVE-2022-29584: Security Announcements - XSS exploit in 'External media' block in Mahara before 20.10.5, 21.04.4, and 21.10.2 - Mahara ePortfolio System

Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 allows stored XSS when a particular Cascading Style Sheets (CSS) class for embedly is used, and JavaScript code is constructed to perform an action.

CVE-2022-22441: IBM InfoSphere Information Server privilege escalation CVE-2022-22441 Vulnerability Report

IBM InfoSphere Information Server 11.7 could allow an authenticated user to view information of higher privileged users and groups due to a privilege escalation vulnerability. IBM X-Force ID: 224426.

CVE-2021-38952: Security Bulletin: IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2021-38952)

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 211408.

CVE-2022-29585: Security Announcements - Group search list shows too many results from page 2 onwards in Mahara before 20.10.5, 21.04.4, and 21.10.2 - Mahara ePortfolio System

In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using Isolated Institutions is vulnerable if more than ten groups are used. They are all shown from page 2 of the group results list (rather than only being shown for the institution that the viewer is a member of).

CVE-2022-22322: Security Bulletin: IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2022-22322)

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 218370.

CVE-2022-24873: Shopware 5 - Security Updates

Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin.

CVE-2022-28102: Cross-Site Scripting (XSS) - Security Issue · Issue #19 · housamz/php-mysql-admin-panel-generator

A cross-site scripting (XSS) vulnerability in PHP MySQL Admin Panel Generator v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected at /edit-db.php.

CVE-2022-28193: Security Bulletin: NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, Jetson TX1, Jetson TX2 Series (including Jetson TX2 NX) - April 2022

NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot module tegrabl_cbo.c, where insufficient validation of untrusted data may allow a local attacker to cause a memory buffer overflow, which may lead to code execution, loss of integrity, limited denial of service, and some impact to confidentiality.

CVE-2022-22315: Security Bulletin: UrbanCode Deploy users with create-resource permission for the standard resource type may create child resources inheriting custom types (CVE-2022-22315).

IBM UrbanCode Deploy (UCD) 7.2.2.1 could allow an authenticated user with special permissions to obtain elevated privileges due to improper handling of permissions. IBM X-Force ID: 217955.

CVE-2022-24372: Linksys Dual-Band Mesh-WLAN WiFi 6 Router (MR9600)

Linksys MR9600 devices before 2.0.5 allow attackers to read arbitrary files via a symbolic link to the root directory of a NAS SMB share.
