The cloud has become an epicenter of cyberattacks and breaches. To prevent these breaches from succeeding, security teams must address the root causes behind these incidents and not confuse them with symptoms. For example, it’s common for industry analysts to label ransomware or data exfiltration a top cloud threat. Unfortunately, data exfiltration isn’t a threat, but an outcome of a threat. Similarly, ransomware isn’t the real threat, but a symptom. If we want to stop ransomware, we’ve got to stop ransomware from infiltrating our networks.
So what are the real root causes of cloud security breaches? Here are the top five:
Phishing and social engineering
Social engineering has emerged as the biggest threat facing organizations today. Estimates suggest that attackers use social engineering in almost 90% of all attacks. They reach potential victims through email phishing, voice calls (vishing) and text messages (smishing). The unsuspecting victim ends up handing over credentials or disclosing sensitive data without realizing that the email or embedded URL is fraudulent, or that the person contacting them is an impostor. Google Cloud has forecast that attackers will operationalize generative AI to improve, professionalize and scale phishing attacks against cloud infrastructure.
Social engineering and login authentication issues are often commingled. Attackers use techniques such as adversary-in-the-middle (AitM) phishing to steal credentials and bypass one-time-code or push-based MFA. An AitM attack usually starts with social engineering: the victim receives an email asking them to sign in, and the embedded link leads to a look-alike domain running a reverse proxy under the attacker's control. The proxy relays every request to the real login page in real time, so the site behaves normally for the victim. Everything the victim types, username, password and MFA code, passes through the attacker, who also captures the session cookie the real site issues after the successful login. That cookie is the real prize: with it the attacker is signed in without having to repeat the MFA step.
Overly permissive permissions and misconfigurations
It’s very common for a user to store something on Google Drive or Dropbox, grant excessive account permissions or configure improper public access, and sensitive data gets exposed. Organizations sometimes over-assign privileges to avoid productivity complaints; however, studies reveal that 90% of granted permissions are never used. Sometimes assets such as storage buckets get accidentally exposed to the general public. Attackers leverage these excessive permissions and over-exposed assets to conduct reconnaissance, move laterally and escalate privileges, which can lead to data exfiltration, tampering and destruction. Misconfigurations pose a related threat: IT teams unfamiliar with security settings, ports left open, default settings left in place, and security settings that are never monitored, reviewed or updated. The list goes on. Gartner predicts that through 2025, 99% of cloud security failures will stem from human error or misconfiguration.
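The two failure modes above, a public principal on a storage bucket and a wildcard grant that is mostly never used, are the kind of thing a policy review can catch mechanically. The script below is an added example written for this article, not code from the author or KnowBe4: it audits an AWS-style bucket policy document for public principals, wildcard actions and wildcard resources, then shows how observed activity (the concrete actions seen in access logs) can be used to replace a wildcard with the handful of actions a workload actually uses. The two policies and the observed-action set are constructed for illustration; the account ID, bucket and role names are placeholders.

```python
"""Flag overly permissive or publicly exposed bucket policies, and right-size wildcards.
Added example for this article (not the author's or KnowBe4's code). The policies,
the account ID 123456789012 and the observed actions below are constructed."""
import json
from fnmatch import fnmatchcase

# Constructed "before" policy: anyone on the internet may do anything to the bucket.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ShareWithPartner",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-reports/*"
  }]
}
""")

# Constructed "after" policy: one named role, two read-only actions, one prefix.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ShareWithPartner",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/partner-reader"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-reports/partner/*", "arn:aws:s3:::example-reports"]
  }]
}
""")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    """True if the Principal element grants to any AWS identity or to anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_policy(policy):
    """Return (Sid, finding) pairs for every over-broad Allow statement in the policy."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot over-grant
        sid = stmt.get("Sid", "<no Sid>")
        if _is_public(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append((sid, "public principal without a Condition"))
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((sid, "wildcard resource"))
    return findings


def rightsize(granted_patterns, observed_actions):
    """Concrete actions actually observed that fall under the granted patterns.

    Replacing a wildcard such as 's3:*' with this list keeps everything the
    workload has been seen to do and drops the permissions it never used.
    """
    return sorted(action for action in observed_actions
                  if any(fnmatchcase(action, pattern) for pattern in granted_patterns))


if __name__ == "__main__":
    print("weak:", audit_policy(WEAK_POLICY))
    print("hardened:", audit_policy(HARDENED_POLICY))
    print("s3:* should become:", rightsize(["s3:*"], {"s3:GetObject", "s3:ListBucket", "ec2:DescribeInstances"}))
```

The `rightsize` step assumes you already collect the concrete actions a principal performs (CloudTrail-style logs, or a managed unused-access report); run it over a long enough window that infrequent but legitimate actions, such as a monthly export, are not dropped by mistake.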
Unpatched software and firmware
The sudden explosion of cloud assets has dramatically increased the attack surface, and organizations see a corresponding rise in security vulnerabilities. About 33% of security breaches are said to originate from the exploitation of unpatched assets. Finding those assets takes little skill: an attacker can run a scanner such as Nmap (Network Mapper) to fingerprint exposed services and their versions, query Shodan, a search engine that indexes internet-connected hosts and can be filtered for a specific product or vulnerability, or point Nikto at a web server to check for outdated versions. Once adversaries know which exposed component is vulnerable, that component becomes the foothold from which the rest of the environment is attacked. Studies reveal that 63% of codebases in production and 11% of public cloud hosts have high or critical unpatched vulnerabilities.
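The practical question behind this section, and behind the patching recommendation later in the article, is which of the many open findings to fix first. The script below is an added example written for this article, not code from the author or KnowBe4. It cross-references scanner findings against the CISA Known Exploited Vulnerabilities feed and orders the work KEV-first by CISA due date, then groups it by patch owner so that an asset with no owner is visible rather than silently skipped. The feed excerpt copies the field names of CISA's `known_exploited_vulnerabilities.json`; the Log4j entry is real, while the `CVE-0000-*` identifiers, the host names and the owners are placeholders constructed for illustration.

```python
"""Prioritise patch work by cross-referencing scanner findings with the CISA KEV feed.
Added example for this article (not the author's or KnowBe4's code). KEV_EXCERPT uses
the field names of CISA's known_exploited_vulnerabilities.json; the Log4j entry is real,
the CVE-0000-* identifiers, assets and owners are constructed placeholders."""
from datetime import date

KEV_EXCERPT = {"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "ExampleVPN",  # placeholder
     "dateAdded": "2024-01-05", "dueDate": "2024-01-19"},
]}

# Constructed scanner output: (asset, patch owner, CVE, CVSS base score).
FINDINGS = [
    ("web-01",   "platform-team", "CVE-2021-44228", 10.0),
    ("vpn-gw",   "network-team",  "CVE-0000-0002",  7.5),
    ("build-07", "ci-team",       "CVE-0000-0003",  9.8),   # placeholder: high CVSS, not in KEV
    ("web-02",   None,            "CVE-2021-44228", 10.0),  # nobody owns this host
]


def kev_index(feed):
    """Map CVE ID -> KEV entry for O(1) lookups."""
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def prioritise(findings, feed):
    """KEV entries first, earliest CISA due date first; everything else by CVSS only."""
    idx = kev_index(feed)

    def key(finding):
        _, _, cve, cvss = finding
        entry = idx.get(cve)
        if entry:
            return (0, date.fromisoformat(entry["dueDate"]), -cvss)
        return (1, date.max, -cvss)

    return sorted(findings, key=key)


def patch_queue(findings, feed):
    """Group the prioritised list by owner; unowned assets surface under UNASSIGNED."""
    queue = {}
    for asset, owner, cve, _ in prioritise(findings, feed):
        queue.setdefault(owner or "UNASSIGNED", []).append((asset, cve))
    return queue


def overdue(findings, feed, today_iso):
    """KEV findings whose CISA remediation due date has already passed on today_iso."""
    idx, today = kev_index(feed), date.fromisoformat(today_iso)
    return [(asset, cve) for asset, _, cve, _ in findings
            if cve in idx and date.fromisoformat(idx[cve]["dueDate"]) < today]


if __name__ == "__main__":
    for owner, items in patch_queue(FINDINGS, KEV_EXCERPT).items():
        print(f"{owner}: {items}")
    print("overdue as of 2024-01-10:", overdue(FINDINGS, KEV_EXCERPT, "2024-01-10"))
```

Note what the ordering does with the constructed data: the CVSS 9.8 finding on `build-07` sorts after the CVSS 7.5 one on `vpn-gw`, because the latter is being exploited in the wild and the former is not. In production, replace `KEV_EXCERPT` with the live feed from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and refresh it daily; KEV is an exploitation signal, not a severity score, so it complements CVSS rather than replacing it.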
Insecure and unmonitored APIs
Many organizations and services use APIs to connect two pieces of software without requiring a human login. Unfortunately, APIs are often less secure than assumed: their vulnerabilities are not obvious, and they’re frequently left unmonitored, so an undocumented API can sit exposed without anyone noticing. Recent statistics paint a scary picture: 88% of organizations use more than 2,500 cloud applications, yet only 59% claim that they can discover all the APIs in use. In the past two years, 74% of organizations have experienced at least three API-related breaches.
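Discovering the APIs you did not know about, and noticing when a known one is abused, can both be done from the gateway's own access logs. The script below is an added example written for this article, not code from the author or KnowBe4. It reads JSON-lines access records, collapses numeric path segments so that individual resource URLs map back to a route template, and then reports three things: routes that answered successfully but are missing from the inventory (shadow APIs), successful unauthenticated calls to routes that require a token, and clients whose request rate in a time bucket is out of line (here, a constructed user-ID enumeration). The route inventory, the log records and the field names (`ts`, `client`, `method`, `path`, `status`, `auth`) are assumptions for a generic gateway, not any vendor's format.

```python
"""Shadow-API discovery and anomaly flags from constructed API gateway access logs.
Added example for this article (not the author's or KnowBe4's code). Field names,
routes, addresses and every log record below are constructed for illustration."""
import json
import re
from collections import Counter

# Constructed inventory: route template -> whether a bearer token is required.
ROUTE_INVENTORY = {
    "GET /v1/users/{id}": True,
    "POST /v1/login": False,
    "GET /v1/health": False,
}

# Constructed gateway log, one JSON object per line.
LOG_LINES = """
{"ts": 1700000000, "client": "10.0.0.5", "method": "GET", "path": "/v1/users/42", "status": 200, "auth": "bearer"}
{"ts": 1700000001, "client": "10.0.0.5", "method": "POST", "path": "/v1/login", "status": 200, "auth": "none"}
{"ts": 1700000002, "client": "203.0.113.9", "method": "GET", "path": "/v1/users/7", "status": 200, "auth": "none"}
{"ts": 1700000003, "client": "203.0.113.9", "method": "GET", "path": "/internal/export/1", "status": 200, "auth": "none"}
{"ts": 1700000004, "client": "203.0.113.9", "method": "GET", "path": "/v1/health", "status": 200, "auth": "none"}
{"ts": 1700000005, "client": "10.0.0.5", "method": "GET", "path": "/v1/admin/keys", "status": 403, "auth": "bearer"}
""".strip().splitlines()

# Constructed burst: one client walks 60 user IDs in six seconds (classic enumeration).
ENUMERATION = [json.dumps({"ts": 1700000100 + i // 10, "client": "198.51.100.3", "method": "GET",
                           "path": f"/v1/users/{i}", "status": 200, "auth": "bearer"})
               for i in range(60)]

ID_SEGMENT = re.compile(r"/\d+(?=/|$)")


def parse(lines):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def route_of(record):
    """Collapse numeric path segments so /v1/users/42 matches the template /v1/users/{id}."""
    return f'{record["method"]} {ID_SEGMENT.sub("/{id}", record["path"])}'


def shadow_routes(records, inventory):
    """Routes that served a successful response but are not in the inventory."""
    return sorted({route_of(r) for r in records
                   if r["status"] < 400 and route_of(r) not in inventory})


def auth_bypass(records, inventory):
    """Successful calls with no credential to routes the inventory says need one."""
    return [(r["client"], r["path"]) for r in records
            if r["status"] < 400 and r["auth"] == "none" and inventory.get(route_of(r)) is True]


def bursty_clients(records, window_s=60, threshold=30):
    """Clients that exceed `threshold` requests inside any `window_s`-second bucket."""
    buckets = Counter((r["client"], r["ts"] // window_s) for r in records)
    return sorted({client for (client, _), count in buckets.items() if count > threshold})


if __name__ == "__main__":
    records = parse(LOG_LINES + ENUMERATION)
    print("shadow routes:", shadow_routes(records, ROUTE_INVENTORY))
    print("unauthenticated hits on protected routes:", auth_bypass(records, ROUTE_INVENTORY))
    print("bursty clients:", bursty_clients(records))
```

Two design points worth copying: only successful responses count toward discovery, so scanner noise against non-existent paths (the 403 on `/v1/admin/keys` above) does not pollute the inventory; and the inventory records whether each route requires authentication, which turns "unauthenticated 200" from a curiosity into a concrete alert. Tune the rate threshold per route rather than globally once real traffic shapes are known.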
How organizations can mitigate cloud security threats
Listed below are some recommendations that can help reduce the risk of security incidents emerging from the root causes highlighted above:
- Train users to recognize social engineering and authentication issues: No matter how good an organization’s technical defenses are, attackers will always find a way to trick end users. That’s why end users need to recognize threats and report them quickly. Regular phishing simulation exercises build the instincts and reflexes that help employees identify and report suspicious messages.
- Encourage employees to stay cautious with permissions: Educate cloud admins in particular about not giving excessive permissions to machines and service accounts. Apply least privilege so that access is denied by default and granted only where needed. Conduct periodic reviews of what permissions exist, including network permissions, cloud IAM permissions and storage bucket permissions, and lock down the unnecessary ones.
- Equip employees with security tools: Use phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys), which binds the login to the legitimate site’s origin so that a login relayed through an attacker’s proxy fails. Provide a password manager that generates a unique, complex password for every site. Make it easy for users to report security threats, for example with a “report phishing” button that forwards the message to the security team.
- Practice rigorous patching: If the company runs software or firmware listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog, patch it immediately; those entries are being exploited in the wild regardless of their CVSS score. Define who has patching responsibility for every asset and every cloud resource. For something that cannot be patched quickly, put an application-level firewall or reverse proxy in front of it as a compensating control, and keep the patch tracked as outstanding.
- Secure all APIs: Protect APIs the same as other assets. Inventory them, including the undocumented ones. Monitor for anomalous behavior such as unauthenticated access to sensitive endpoints or unusual request volumes from a single client. Deploy security alerts. Consider using an application-level firewall proxy to protect APIs.
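The recommendation to use phishing-resistant MFA follows directly from the adversary-in-the-middle attack described earlier: a relayed one-time code is as good as the real one, but a WebAuthn assertion is signed over the origin the browser is actually on, so it cannot be replayed from a look-alike domain. The simulation below is an added example written for this article, not code from the author or KnowBe4. It models a victim, the real site, a security key and the attacker's relay proxy, then runs the same proxy against password-plus-TOTP (the attacker ends up holding a valid session cookie) and against WebAuthn (the browser refuses to produce an assertion for a relying-party ID that does not match the page origin, and the site would reject any assertion whose origin is not its own). The domains, secrets and cookie format are constructed, and an HMAC over the client data stands in for the security key's asymmetric signature so that the script runs with the standard library only.

```python
"""AitM login proxy simulated against code-based MFA and against WebAuthn.
Added example for this article (not the author's or KnowBe4's code). Domains, secrets
and cookies are constructed; HMAC stands in for the key's asymmetric signature."""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://login.example.test"
PROXY_ORIGIN = "https://login-example.attacker.test"  # attacker's look-alike domain


def totp(secret: bytes, step: int) -> str:
    """RFC 6238-style six-digit code for a 30-second step counter."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class Site:
    """The real identity provider, offering password+TOTP or WebAuthn."""
    def __init__(self, user, pw, totp_secret, cred_key):
        self.user = {"name": user, "pw": pw, "totp": totp_secret, "key": cred_key}
        self.sessions, self.challenge = {}, None

    def _new_session(self):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = self.user["name"]
        return cookie

    def login_totp(self, user, pw, code, step):
        u = self.user
        if user != u["name"] or pw != u["pw"] or code != totp(u["totp"], step):
            return None
        return self._new_session()  # nothing ties this cookie to who typed the code

    def webauthn_challenge(self):
        self.challenge = secrets.token_bytes(32)
        return self.challenge

    def login_webauthn(self, assertion):
        """Accept only an assertion over clientData bound to our own origin."""
        data, challenge, self.challenge = json.loads(assertion["client_data"]), self.challenge, None
        expected = hmac.new(self.user["key"], assertion["client_data"].encode(), hashlib.sha256).hexdigest()
        if (challenge is None or data["origin"] != REAL_ORIGIN  # signed on another site
                or bytes.fromhex(data["challenge"]) != challenge
                or not hmac.compare_digest(expected, assertion["signature"])):
            return None
        return self._new_session()


class Authenticator:
    """A security key: the credential is scoped to one relying-party ID."""
    def __init__(self, rp_id):
        self.rp_id, self.key = rp_id, secrets.token_bytes(32)

    def sign(self, rp_id, browser_origin, challenge):
        """The browser, not the page, supplies the origin it is really on."""
        host = browser_origin.split("://", 1)[1]
        if rp_id != self.rp_id or (host != rp_id and not host.endswith("." + rp_id)):
            raise ValueError("rpId is not a registrable suffix of the page origin")
        client_data = json.dumps({"challenge": challenge.hex(), "origin": browser_origin}, sort_keys=True)
        sig = hmac.new(self.key, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": sig}


class Proxy:
    """Attacker's reverse proxy: relays each message and keeps what comes back."""
    def __init__(self, site):
        self.site, self.captured = site, {}

    def relay_totp(self, user, pw, code, step):
        self.captured.update(user=user, pw=pw, code=code)
        self.captured["cookie"] = self.site.login_totp(user, pw, code, step)
        return self.captured["cookie"]  # the real site's session cookie, now attacker-held


def setup():
    key = Authenticator("example.test")
    return Site("alice", "hunter2", b"totp-seed", key.key), key


def aitm_against_totp():
    """Victim types password and current code into the proxy page: attacker is logged in."""
    site, _ = setup()
    proxy, step = Proxy(site), 56_666_666  # whatever step the victim's phone is showing
    proxy.relay_totp("alice", "hunter2", totp(b"totp-seed", step), step)
    return site.sessions.get(proxy.captured["cookie"]) == "alice"


def aitm_against_webauthn():
    """Same proxy, but the browser is on PROXY_ORIGIN, so no usable assertion exists."""
    site, key = setup()
    challenge = site.webauthn_challenge()  # the proxy forwards the challenge unchanged
    try:
        assertion = key.sign("example.test", PROXY_ORIGIN, challenge)
    except ValueError:
        return False  # browser refused; the attacker has nothing to relay
    return site.login_webauthn(assertion) is not None


def legitimate_webauthn():
    site, key = setup()
    return site.login_webauthn(key.sign("example.test", REAL_ORIGIN, site.webauthn_challenge())) is not None
```

Two checks do the work, and a deployment needs both: the browser only lets an authenticator sign for a relying-party ID that is a registrable suffix of the current origin, and the server independently verifies the `origin` field inside the signed client data. Push-approval and SMS codes have neither property, which is why the same relay defeats them.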
Many cloud security issues stem from human error. Technological defenses are necessary, but it’s equally important that organizations focus on employee training and education to make employees accountable. Human error can put the entire organization at serious risk of data breaches, cyberattacks, espionage and ransomware.
Stu Sjouwerman, founder and CEO, KnowBe4