CyberSecurity SEE

Palo Alto Networks: Majority of Security Vulnerabilities Found in the Cloud

According to a recent report by Palo Alto Networks’ Unit 42, cloud security has become an increasingly treacherous attack surface for organizations. The “2023 Unit 42 Attack Surface Threat Report” analyzed public internet data collected earlier this year and found that the rapid move to the cloud has imposed severe security risks.

The report focused on 250 organizations with 10,000 employees or more across various sectors and highlighted the struggles these organizations face with cloud management and misconfigurations. The data showed that the cloud is the “dominant attack surface”: 80% of medium, high, or critical exposures were observed on assets hosted in the cloud, compared with only 19% on on-premises assets.

The large discrepancy in security exposures can be attributed to frequent cloud misconfigurations, confusion about shared responsibilities, shadow IT, a lack of visibility of assets, and the inherent connection of cloud services to the internet. The report noted that security exposures related to the use of end-of-life (EOL) software and development infrastructure were predominantly found in cloud environments.

On-premises exposures consisted of unencrypted logins, file-sharing software, and internet-exposed databases, but the report warned organizations to be aware of all exposures when migrating sensitive data to the cloud. Attackers have increasingly targeted file-sharing products, leading to data breaches.

The report also highlighted the increasing cloud knowledge of attackers. A presentation during the Black Hat 2023 conference demonstrated how attackers can find exposed assets within minutes. Palo Alto Networks researchers found that attackers can scan the entire IPv4 address space for vulnerable targets within minutes. Exposures on publicly facing assets put organizations at risk of being compromised, and sometimes organizations become victims of opportunity rather than targeted attacks.

One of the biggest concerns raised by the report is the continued use of end-of-life software. Despite the industry’s push to retire legacy systems and cyber insurers requiring it as part of their policies, nearly 95% of EOL software systems exposed on the public internet were found in cloud environments. This suggests that organizations might be slower to retire outdated systems that are publicly accessible in the cloud compared to on-premises ones.

The report attributes the slower retirement of EOL software to the ease with which developers can create and deploy large volumes of new services in the cloud while still relying on substantially outdated software. It also noted that assets can fall by the wayside and remain unaccounted for during mergers and acquisitions, adding to cloud security concerns.

Cloud asset visibility was another top concern highlighted in the report. Organizations struggle with inventory awareness because cloud services shift almost constantly from month to month, a pattern the report calls “cloud dynamism.” On average, over 20% of externally accessible cloud services change every month across the analyzed organizations. This constant change makes it easy for accidental misconfigurations and the spread of shadow IT to go unnoticed.

The lack of inventory awareness is identified as the root cause of cloud-based attacks. Organizations find it difficult to understand the number of servers and routers they have, leading to a lack of confidence in the numbers they provide. According to Matt Kraning, CTO of Palo Alto Networks Cortex, the real issue lies in decentralized IT. He believes that IT systems, especially those connected to the internet, are now the weakest link in organizations, rather than people.

Cloud visibility is a persistent problem because exposures can exist in cloud environments without organizations actively monitoring them. Mergers and acquisitions also contribute to cloud security concerns, as assets may be overlooked or unaccounted for during the transition process.

The report also highlighted common problems faced by Palo Alto Networks customers, including remote desktop protocol (RDP) exposure and patch management. Over 85% of organizations analyzed left RDP internet-accessible for at least 25% of the month, which increases the risk of ransomware attacks or unauthorized login attempts. RDP exposures were prevalent in industries such as national government, professional services, and legal services.
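The two metrics the report leans on, monthly churn of externally reachable services (“cloud dynamism”) and the share of the month RDP is internet-accessible, can be computed from daily external-inventory snapshots. The example below is added here and is not code from the report or from Palo Alto Networks; the snapshot data is constructed, and the churn formula (services present in only one of two windows, over the union) is an assumption about how such a figure would be defined.

```python
RDP_PORT = 3389

# Constructed daily snapshots of internet-reachable (host, port) pairs for a
# fictional organization; a real feed would come from an external scanner.
SNAPSHOTS = [
    {("203.0.113.10", 443), ("203.0.113.11", 22)},                            # day 1
    {("203.0.113.10", 443), ("203.0.113.11", 22)},                            # day 2
    {("203.0.113.10", 443), ("203.0.113.11", 22), ("203.0.113.20", RDP_PORT)},  # day 3: RDP appears
    {("203.0.113.10", 443), ("203.0.113.20", RDP_PORT)},                      # day 4: SSH gone, RDP stays
    {("203.0.113.10", 443), ("203.0.113.30", 8080)},                          # day 5: new dev service
    {("203.0.113.10", 443), ("203.0.113.30", 8080)},                          # day 6
    {("203.0.113.10", 443)},                                                  # day 7
    {("203.0.113.10", 443), ("203.0.113.40", 445)},                           # day 8: SMB exposed
]


def services_seen(snapshots):
    """Union of every (host, port) observed across the given snapshots."""
    return set().union(*snapshots)


def churn(prev_window, cur_window):
    """Share of services that were added or removed between two observation
    windows, relative to everything seen in either window (assumed formula)."""
    prev, cur = services_seen(prev_window), services_seen(cur_window)
    union = prev | cur
    return len(prev ^ cur) / len(union) if union else 0.0


def new_services(prev_window, cur_window):
    """Services first seen in the current window; candidates for shadow IT review."""
    return sorted(services_seen(cur_window) - services_seen(prev_window))


def exposure_fraction(snapshots, port):
    """Fraction of observation days on which at least one host listened on port."""
    days_exposed = sum(1 for snap in snapshots if any(p == port for _, p in snap))
    return days_exposed / len(snapshots)


def rdp_finding(snapshots, threshold=0.25):
    """Flag the organization if RDP was reachable for at least `threshold` of the days."""
    frac = exposure_fraction(snapshots, RDP_PORT)
    return {"rdp_days_fraction": frac, "exceeds_threshold": frac >= threshold}


if __name__ == "__main__":
    print("churn:", churn(SNAPSHOTS[:4], SNAPSHOTS[4:]))
    print("new services:", new_services(SNAPSHOTS[:4], SNAPSHOTS[4:]))
    print("rdp:", rdp_finding(SNAPSHOTS))
```

With the constructed data, RDP is reachable on 2 of 8 days (exactly 25%), so the finding is flagged, and the two four-day windows share only the web server, giving a churn of 0.8.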

Regarding patch management, organizations struggle with identifying where they should patch during emergency situations, such as attacks against Microsoft Exchange servers or specific software products. This often leads to valuable time being spent searching environments rather than mitigating the attack. Microsoft Excel and Outlook are commonly used tools during cybersecurity emergencies, but organizations lack an efficient and centralized system to respond to new attacks.

Unit 42’s recommendations include using automated defenses to keep up with attackers, continuous visibility monitoring, securing remote access, and addressing cloud misconfigurations. These proactive measures can help organizations mitigate the security risks associated with the cloud and ensure the protection of sensitive data and systems.
