Study finds misconfigured cloud storage services in 93% of cloud deployments analyzed

Some of the biggest breaches of 2019 were traced back to problems related to the cloud, and the number of hacks will only increase now that more organizations are going digital, according to cloud security company Accurics.

In its Summer 2020 edition of the “Accurics State of DevSecOps” report, the company’s researchers explain the most common security issues they see and sketch out some ways enterprises can go about addressing them. 

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)

The study found that misconfigured cloud storage services were increasingly commonplace in 93% of cloud deployments that were analyzed. Many of the deployments the researchers examined had at least one network exposure in which a security group was left wide open. These two problems alone have led to nearly 200 breaches that have given attackers access to 30 billion records over the past two years, the report said.

“While the adoption of cloud native infrastructure such as containers, serverless, and servicemesh is fueling innovation, misconfigurations are becoming commonplace and creating serious risk exposure for organizations,” said Accurics co-founder and CTO Om Moolchandani. 

“As cloud infrastructure becomes increasingly programmable, we believe that the most effective defense is to codify security into development pipelines and enforce it throughout the lifecycle of the infrastructure. The receptiveness of the developer community toward assuming more security responsibility has been encouraging and a step in the right direction.”

SEE: Top cloud providers in 2020: AWS, Microsoft Azure, and Google Cloud, hybrid, SaaS players (TechRepublic)

Accurics researchers found that many of the world’s most damaging breaches could be sourced back to hardcoded private keys, which were found in 72% of deployments. Their findings indicate that one in two deployments had unprotected credentials stored in container configuration files, and these keys and credentials could give attackers access to sensitive cloud resources.

Over the last two years there have been dozens of cloud-related breaches. The study cites breaches at companies like Imperva, Capital One and CenturyLink as well as at least eight dating apps, exposing more than 845 GB of information. Other more recent cases, like fitness brand V Shred and Indian payment application Bharat Interface for Money exposed hundreds of gigabytes of financial information to attackers. 

The study breaks down the most common cloud security issues into three buckets. One involved hardcoded keys, which at times have high privileges that when breached can expose all of the resources associated with them. 

The second relates to overly permissive Identity and Access Management (IAM) policies, which may seem necessary in certain situations but ended up causing unintended consequences. 

“While there might have been legitimate reasons for the elevated privileges for a particular cloud resource, most organizations failed to assess the downstream impact of the elevated privileges on other resources that were using the policies,” the report said. 

“In 89% of deployments analyzed, the policies were being used by one or more resources that are highly sensitive; to remediate the issue, the privileges should not be increased or a separate IAM policy must be applied to those resources.”

The third most common problem was sourced back to network exposures resulting from misconfigured routing rules. 

The report found that sensitive resources like databases were hosted in private subnets that were exposed to the internet due to routes that were created between the public and private subnets to enable communication.

“In 100% of deployments analyzed, a route existed that exposed the private subnet to the internet. This is particularly challenging for organizations to detect with simple policy-based checks which only detect if a subnet is exposed to the internet but do not assess if the subnet contains highly sensitive resources such as databases,” the study added.

SEE: TechRepublic Premium editorial calendar: IT policies, checklists, toolkits, and research for download (TechRepublic Premium)

All three of these problems created their own “breach paths” that played a role in the attacks on CenturyLink, Imperva, and Capital One. The CenturyLink breach led to the exposure of 2.8 million customer records, including names, email addresses, phone numbers, home addresses, and CenturyLink account numbers.

A cloud network misconfiguration exposed a MongoDB database, allowing a non-admin account with overly permissive IAM policies to access it. The database was not encrypted as well, making it even easier for attackers to get their hands on sensitive information, and the study notes that the company went 10 months before even realizing the breach had happened. 

In August 2019, Imperva went through something similar when a network misconfiguration gave hackers access to emails, hashed and salted passwords, and some customers’ API keys and TLS keys.

“An analysis of the breach revealed that a test cloud environment was created and a compute resource was misconfigured which exposed it to the internet (network misconfiguration). That compute instance contained a hardcoded API key which was discovered by the attackers and used to access the database,” the study said. “The API and TLS keys were not hashed (best practice violation) which ultimately put Imperva’s customers at risk. This breach also went undetected for approximately 10 months.”

The study also does a deep dive into the massive Capital One breach in July 2019 that made headlines around the world. More than 100 million people in the United States and another six million people in Canada were affected by the data exposures, which included 140,000 Social Security Numbers, 80,000 bank account numbers on U.S. consumers, and one million Canadian Social Insurance Numbers.

According to Accurics researchers, an FBI investigation later revealed that cybercriminals were able to gain access to AWS access keys that were associated with an IAM role with excessive permissions. Like CenturyLink, the data was not encrypted, making it even easier for the attacker.

“The adoption of cloud native infrastructure such as serverless, containers, and service mesh are enabling organizations to deliver new innovations to market. Unfortunately, over 30 billion records have been exposed as a result of cloud infrastructure misconfigurations over the last two years, and the velocity of cloud breaches continue to increase,” Moolchandani said in the report. 

“It is now more important than ever to understand cloud infrastructure configuration practices that are creating exposures.”

Also see