Attackers Can Compromise Most Cloud Data in Just 3 Steps

Cloud computing has evolved over the years from a luxury to a necessity. Every major business and, yes, even the United States government is active on the cloud. But the security pitfalls of on-premises environments have made their way to the cloud, too: vulnerabilities, misconfigurations, and lack of patching.

According to research analysis provided by Orca Security, hackers need only three steps to gain access to sensitive data. In fact, 78% of cloud hacks involve exploiting a known vulnerability.

The research covered major cloud service providers such as AWS, Microsoft Azure, and Google Cloud. The data included cloud workloads, configuration data, and assets, collected in the first half of 2022.

Cloud security involves a concept known as the “Shared Responsibility Model.” Under this model, the split of security responsibility depends on which cloud services a customer chooses to use: with Software as a Service (SaaS), more of the responsibility may fall on the cloud provider than on the customer, while with Infrastructure as a Service (IaaS), the reverse applies.

As reported by Dark Reading, containers and virtual machines remain the most neglected components of cloud infrastructure at 89%. As a result, they become a prime target for hackers, since these virtual machines can remain unpatched, run without oversight, or be leveraged for lateral movement.

Orca Security’s report found that the average container, virtual machine or image contains 50 known vulnerabilities.

Customers need to step up their security hygiene, especially in light of the Uber hack. Orca found that 33% of firms surveyed lacked any form of multifactor authentication (MFA). Without MFA, there is no further mechanism to prevent stolen credentials from being misused or abused.

Alarmingly, Orca also found that 58% of surveyed firms had at least one privileged user account with MFA disabled.

Consistent security policies and enterprise-wide visibility and auditing are the main mechanisms companies need to employ for strong cybersecurity hygiene. Until that occurs, every company that neglects security controls remains an exploitable target.
