In the push to move resources to the cloud, many organizations are struggling to keep up with ever-expanding cloud attack surfaces and increasing multi-cloud complexity, a new report from Orca Security found.
One of the study’s key findings is that the average attacker only needs to find three connected and exploitable weaknesses in a cloud environment to exfiltrate data or hold an organization for ransom.
Billions of Cloud Assets Collected
To compile the report, Orca researchers analyzed cloud workload and configuration data captured from billions of cloud assets on AWS, Azure and Google Cloud scanned by the Orca Cloud Security Platform from January 1, 2022 until July 1, 2022. The report identifies where critical security gaps are still being found and provides recommendations on what steps organizations can take to reduce their attack surface and improve cloud security postures.
Here are key findings:
- Crown jewels are dangerously within reach. The average attack path only needs three steps to reach a crown jewel asset, which means an attacker only needs to find three connected and exploitable weaknesses in a cloud environment to exfiltrate data or hold an organization to ransom.
- Vulnerabilities are the top initial attack vector. 78% of identified attack paths use known vulnerabilities (CVEs) as an initial access attack vector, highlighting that organizations need to prioritize vulnerability patching even more.
- Basic security practices are not being followed. Many basic security measures such as Multi-Factor Authentication (MFA), least-privilege permissions, encryption, strong passwords, and port security are still not being applied consistently. For example, 42% granted administrative permissions to more than 50% of the organization’s users, 71% use the default service account in Google Cloud, and 7% have Internet-facing neglected assets (i.e. unsupported operating system or unpatched for 180-plus days) with open ports 80, 443, 8080, 22, 3389 or 5900.
- Cloud-native services are being overlooked. Even though cloud-native services are easily spun up, they still require maintenance and proper configuration. Correspondingly, 69% have at least one serverless function exposing secrets in the environment variable, 70% have a Kubernetes API server that is publicly accessible, and 16% of containers are in a neglected state (i.e. unsupported operating system or unpatched for 180+ days).
Understanding Risk Priorities
Avi Shua, Orca chief executive and co-founder, stressed the importance of understanding and prioritizing public cloud-related risks:
“The security of the public cloud not only depends on cloud platforms providing a safe cloud infrastructure, but also very much on the state of an organization’s workloads, configurations and identities in the cloud. It is important to remember, however, that organizations can never fix all risks in their environment. They simply don’t have the manpower to do this. Instead, organizations should work strategically and ensure that the risks that endanger the organization’s most critical assets are always addressed first.”