43% of cloud databases are not encrypted: Unit 42 cloud threat report
Nearly half of all scanned CloudFormation templates (CFTs) contain a potentially vulnerable configuration
Unit 42 (the Palo Alto Networks threat intelligence team) has released the Spring 2020 edition of its Cloud Threat Report, which aims to uncover where cloud vulnerabilities are surfacing in the threat landscape amid the widespread shift to cloud infrastructure.
Key findings include:
- Poor cloud security practices are rampant: 43% of cloud databases are not encrypted and 60% of cloud storage systems have logging disabled. Unencrypted cloud databases can lead to data breaches; MoviePass is a recent example. With cloud logging disabled, attackers could enter a cloud storage system and the organization would never know, because no record of the access is kept.
- Organizations are not embracing DevSecOps: Nearly 200,000 Infrastructure as Code (IaC) templates have high- or medium-severity vulnerabilities. IaC templates are the basic foundation of a cloud environment: they allow organizations to build and run scalable applications dynamically. Most IaC templates are created through a simple three-step process: design, code, and deploy. What gets many DevOps teams in trouble is the missing fourth step: scanning for security issues. When IaC templates are not scanned, they can unnecessarily expose an organization's cloud environment to attackers. This leads to misconfigurations, which are the leading cause of cloud data breaches.
- Cyber crime groups are using the cloud for cryptojacking: Adversary groups including Rocke, 8220 Mining Group and Pacha are stealing cloud resources from organizations to mine for Monero, likely through public mining pools or their own mining pools. These cryptojacking attacks help these groups fund their cyber crime operations.
Security Best Practices
- Get and Maintain Multi-Cloud Visibility: It is very difficult to secure what is not visible or known. Security teams need to take the lead in advocating for cloud native security platforms (CNSPs), which provide visibility across public, private, and hybrid clouds in addition to containers, serverless deployments, and CI/CD pipelines.
- Enforce Standards: Cloud-scale security requires strict enforcement of standards across public, private, and hybrid cloud environments. If your organization does not yet have a cloud security standard, check out the benchmarks (cisecurity.org/cis-benchmarks) created by the Center for Internet Security (CIS). Paper standards are a great start, but they also need to be consistently enforced without the need to create and maintain the tools that do it.
- Shift Left: Shift-left security is about moving security to the earliest possible point in the development process. Work with DevOps teams to get your security standards embedded in IaC templates. This is a win-win for DevOps and security teams.
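The missing "fourth step" (scanning IaC templates) and the "shift left" advice above come together in a template check that runs before deployment. The following is an added example, not code from the Unit 42 report or from any Palo Alto Networks product: a minimal scanner over the JSON flavour of CloudFormation that flags the two misconfigurations the report counts, a database resource whose `StorageEncrypted` is not true and an S3 bucket with no `LoggingConfiguration`. The resource types and property names are real CloudFormation names; the two templates, the severity labels and the log-bucket name are constructed for illustration. A production pipeline would use a full-featured scanner (cfn-nag, Checkov, cfn-lint) with many more rules, but the shape is the same.

```python
"""Minimal CloudFormation template scanner for the two misconfigurations the
report highlights: unencrypted databases and cloud storage without logging.

Added example, not from the Unit 42 report or any Palo Alto Networks product.
Resource types and property names are real CloudFormation names; the sample
templates and severity labels are constructed for illustration.
"""
import json

DB_TYPES = {"AWS::RDS::DBInstance", "AWS::RDS::DBCluster"}

# Constructed weak template: StorageEncrypted omitted (defaults to false),
# and the bucket has no LoggingConfiguration.
WEAK_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AppDb": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "Engine": "postgres",
                "DBInstanceClass": "db.t3.medium",
                "AllocatedStorage": "20",
                "MasterUsername": "appadmin",
                "MasterUserPassword": "{{resolve:secretsmanager:AppDbSecret}}",
            },
        },
        "AssetBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "example-assets-bucket"},
        },
    },
})

# Constructed hardened version of the same template. StorageEncrypted: true
# uses the AWS-managed RDS key; the access-log bucket "example-access-logs"
# is assumed to exist in another stack.
HARDENED_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AppDb": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "Engine": "postgres",
                "DBInstanceClass": "db.t3.medium",
                "AllocatedStorage": "20",
                "MasterUsername": "appadmin",
                "MasterUserPassword": "{{resolve:secretsmanager:AppDbSecret}}",
                "StorageEncrypted": True,
            },
        },
        "AssetBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketName": "example-assets-bucket",
                "LoggingConfiguration": {
                    "DestinationBucketName": "example-access-logs",
                    "LogFilePrefix": "assets/",
                },
            },
        },
    },
})


def _is_true(value):
    """CloudFormation accepts booleans either as JSON true/false or as the
    strings "true"/"false"; treat both spellings as true."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.lower() == "true"


def scan_template(template):
    """Return a list of (severity, logical_id, message) findings.

    `template` may be the template text (JSON) or an already-parsed dict.
    """
    if isinstance(template, str):
        template = json.loads(template)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        props = resource.get("Properties") or {}
        if rtype in DB_TYPES:
            enc = props.get("StorageEncrypted")
            if isinstance(enc, dict):
                # Intrinsic function (Ref, Fn::If, ...): the value depends on
                # parameters, so it cannot be decided statically; ask for review.
                findings.append(("MEDIUM", logical_id,
                                 "StorageEncrypted set by intrinsic function; verify resolved value"))
            elif not _is_true(enc):
                # Omitted or false: the database is deployed unencrypted.
                findings.append(("HIGH", logical_id,
                                 "StorageEncrypted is not true (database unencrypted)"))
        elif rtype == "AWS::S3::Bucket" and "LoggingConfiguration" not in props:
            # No access logging: an intruder's reads leave no record.
            findings.append(("MEDIUM", logical_id,
                             "no LoggingConfiguration (access logging disabled)"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(f"{name}: {len(scan_template(text))} finding(s)")
        for sev, rid, msg in scan_template(text):
            print(f"  [{sev}] {rid}: {msg}")
```

Run it as a pre-commit hook or CI step and fail the build on any HIGH finding; the MEDIUM result for an intrinsic-function value is deliberate, since a template that takes encryption from a parameter is only as safe as that parameter's default.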