Among the most significant data breaches to have occurred in recent times, a high proportion can be linked to a failure by organisations to protect cloud infrastructure and services.
In this latest article, Michael Cowley, Head of Pre-Sales at Redscan, outlines 12 key learning points that security professionals can take away from the latest breaches to minimise cloud risks.
1. Avoid leaving storage containers and databases exposed
Misconfigured containers, buckets and databases are among the leading causes of cloud security breaches and there are countless examples of organisations inadvertently exposing sensitive data to the public internet. One of the most recent is a company that develops hotel reservation software exposing millions of files for over ten years!
Attackers routinely scan for cloud misconfigurations such as storage that lacks authentication protocols. In 2020, it was reported that an attacker had attempted to ransom over 23,000 organisations identified as having left Mongo DB databases open.
In some cases, breaches occur because containers are spun up and forgotten about, highlighting the importance of ensuring that all assets are recorded on a central register and regularly assessed.
2. Enforce strong administrative passwords
It’s staggering just how many data breaches still occur due to organisations failing to practise one of the fundamentals of security – enforcement of strong passwords. Credential theft is a pervasive problem, with Verizon’s 2020 Data Breach Investigation Report disclosing that over 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials. These risks are increased by users setting weak passwords and using them across multiple accounts.
Cloud administrators are routinely targeted by attackers and it is not uncommon to observe phishing attacks targeting high privilege users with access to infrastructure and services such as Microsoft 365.
Use of multi-factor authentication (MFA) can help to significantly reduce the risk of breaches in the event of passwords being stolen but global adoption is low. In 2020, Microsoft reported that just 11% of its customer base was using MFA.
3. Don’t rush deployments
Organisations migrating platforms and services to the cloud are often under pressure to do so quickly. In such circumstances it’s not unusual for shortcuts to be taken, particularly in relation to cyber security – something that can significantly increase the risk of data breaches.
In April 2020, the US Cybersecurity and Infrastructure Security Agency (CISA) released an alert after observing that many organisations, in response to a huge increase in remote working, were quickly adopting Microsoft 365 and other SaaS applications without being mindful of the security implications. In the UK, the National Cyber Security Centre published similar guidance, also highlighting the need to secure RDP ports and VPN tools.
Download our free e-book to learn how to more effectively manage your organisation’s cloud security.
4. Don’t exclusively rely on cloud backups
Backing up data to the cloud is common practice but, by token of the fact that backups are connected to other systems and networks, the information they hold can also be vulnerable to compromise. Ransomware groups are known to clone and delete cloud backups to obtain additional leverage when attempting to extort money from their victims.
Because they can automatically sync files from infected devices to the cloud, services such as OneDrive and SharePoint shouldn’t be regarded as immune to attacks either.
Organisations should also learn from the experience of American drinks producer, Arizona Beverages, which was hit by ransomware in 2019, only to discover that its backup systems had not been configured correctly. This oversight is reported to have cost the company millions of dollars in lost revenue.
5. Secure and monitor APIs
Application Programming Interfaces, or APIs, are enabling cloud infrastructure and systems to be become ever more interconnected but their use can lead to breaches.
In September 2018, hackers used a vulnerability in Facebook’s Developer API to expose data relating to 30 million user accounts. In December the same year, a photo API exposure meant that 6.8 million users had their images shared with some third-party applications without their permission.
While it’s not clear if these could have been better avoided, the fact that they affected an organisation like Facebook, with its vast resources, goes to show how easily API risks can go unnoticed.
6. Don’t assume all threats originate from the outside
When people consider risks to their organisation’s security, most automatically think of external actors. However, it’s important not to overlook the risks of attacks that originate from the inside.
According to a 2020 report by the Ponemon Institute, insider attacks have increased by nearly 50% since 2018. Nearly a quarter of these are thought to be malicious, with the rest a consequence of employee errors or negligence.
One of the best-known examples of a malicious insider attack occurred in 2014 when an employee of supermarket chain, Morrisons, was discovered to have leaked the payroll data of over 100k employees. In a more recent case, a former employee of Cisco was able to gain unauthorised access to the company’s cloud infrastructure and delete over 450 virtual machines.
7. Swift threat detection and response is crucial
A large proportion of data breaches occur because organisations simply aren’t able to detect and respond to them quickly enough. A common mistake made by many is to focus solely on prevention controls and overlook the need to obtain greater visibility of threats capable of bypassing them.
There are many examples of organisations being compromised but remaining unaware of it for months or even years. One of the most high-profile of these is Marriott International, which in 2018 disclosed it had been impacted by a huge breach which affected over 500 million customers and was later discovered to have occurred in 2014.
The Marriott case is an extreme example but highlights how a few days is now all it takes for adversaries to identify and steal valuable assets. From the point of initial infection, ransomware can now achieve full domain-wide encryption in a matter of hours.
Download our free e-book to learn how to more effectively manage your organisation’s cloud security.
8. Employees remain a vital layer of defence
With attacks against cloud environments and services continuing to rise, people have a crucial role to play in helping to defend them. Technology, for all its advancements, is only part of the solution and should not be considered as a silver bullet.
According to Gartner, 95% of cloud breaches occur because of human error and, by continually training and educating employees about security best practise organisations can stand to significantly reduce this risk.
Education about the dangers of social engineering is one of the areas organisations should focus on. According to Verizon, 25% of breaches involve phishing, highlighting the need to continually educate users about the latest tactics and lures.
9. Continuously test defences
As threats evolve, history shows that organisations cannot afford to be complacent. The rapid rise in the use of cloud services and applications is creating greater potential for misconfigurations. A failure to undertake regular assessments can be dangerous.
Efforts should be taken to ensure that controls provide the level of protection and visibility expected. After serving British Airways with a record £20 million fine in relation to a data breach that led to the exposure of the personal data of over 400,000 customers and staff, the UK’s Information Commissioner’s Office chose to highlight the company’s failure to do more to mitigate the risks of an attacker being able to access its network. Its recommendations included ‘Undertaking rigorous testing, in the form of simulating a cyber-attack, on the company’s systems.’
10. Don’t be over reliant on antivirus software
By installing antivirus software, many organisations believe that they are protected against the latest malware-based threats. However, as the rise in breaches that involve the use of ransomware shows, this confidence can be misplaced. The latest malware variants are more advanced than ever and, by changing their appearance, can evade detection by traditional signature-based solutions.
As demonstrated by this Redscan case study, the ability to identify and respond to the latest polymorphic and fileless malware types now requires more advanced Next-gen AV and Endpoint Detection and Response tools.
11. Prioritise identity and access management
With more users now accessing cloud infrastructure and services remotely, controlling access and achieving visibility of requests is more important than ever. Many breaches occur because organisations aren’t able to properly authenticate users, which is a particular concern given the increase in remote working and frequency of account hijacking.
In the case of the Marriott International breach, it was discovered that an attacker had been able to compromise the account of a user with administrator privileges. Better visibility of requests made by this account would have meant that the breach was detected much sooner.
Account takeover attacks, where hackers use stolen credentials to take control of legitimate accounts and conduct masquerading, are increasingly common and, as this Business Email Compromise case study demonstrates, more sophisticated than ever.
12. Manage third party risks
Breaches that occur as a result of a third-party compromise are growing. Probably the most well-known example is an attack on US retailer, Target. This took place when a system used by the company’s HVAC contractor was utilised to gain entry to its POS environment in order to steal the credit card details of millions of customers.
A more recent example involves hackers using an internet-connected fish tank to compromise a casino. Whist these two cases sound like something out of a Hollywood movie, they are nonetheless good at highlighting the need for organisations to closely vet and manage the suppliers and technologies they use.
In seeking to improve cloud security and reduce the risk of breaches, organisations can learn a lot by heeding the lessons of others. The use of cloud infrastructure and services is creating a host of new security challenges and, without a single solution capable of comprehensively addressing them all, a multi-layered approach encompassing people, processes and technology is essential.
Traditional approaches to security, such as a prevention-only strategy, do not translate well to the cloud. To better secure cloud workloads, it’s clear that organisations also need to prioritise employee training and education, conduct regular assessments and strengthen proactive threat detection and response capabilities.
Learn how to secure cloud environments with our free e-book