These 5 Things Will Take Your Business Down
Updated: Sep 3, 2020
Clickbait? No, or maybe a bit.
When reviewing security breaches over recent years, a very common pattern emerges: misconfiguration of cloud environments, in some way, shape or form, is always part of the story.
Let's look at some of the most common misconfigurations that we come across when reviewing cloud environments.
Open Firewall Ports
In the cloud it is very easy to deploy servers, so easy that children do it. Cloud vendors publish documentation that explains how to deploy a server in three simple steps and then connect to the new server from your local machine. Great outcome? Not really, because many tutorials target "ease of deployment" and not so much "strength of security posture".
In order to simplify the initial learning experience, security aspects are skipped in many cases, and firewall ports are opened up on servers that don't need those ports open.
Also, for many system administrators / developers this is something they did not necessarily have to think about in the past with servers they deployed in datacentres. Most of those servers were essentially air-gapped from the internet.
This means that in many cases the new cloud server is now also addressable from the internet, by a hacker as much as by anyone else, from anywhere in the world.
These cloud servers are an open invitation for hackers to come knocking and see if any doors (ports) are open.
System Administrators / developers can also easily circumvent organisational policies enforcing VPN or other network setups, which further exposes cloud servers to malicious actors.
When (note: not if!) they find one of those servers, the only thing standing in their way is authentication to that server. Which brings us to the next point.
Weak Passwords
It's no secret that hackers nowadays have little trouble cracking a password, given the chance. Especially when it was a human that set the password.
Often passwords are reused across multiple systems, rarely changed and sometimes left at default values that can easily be looked up in vendor documentation.
A better approach is to use very complex, automatically generated passwords (that is, not chosen by a human), or no passwords at all.
Unencrypted Communication
Cloud vendors are getting better at this, but many cloud services still do not enforce encryption in transit, which means that communication going from one cloud instance to another happens in clear text. Sometimes this is even the default, and it is difficult to track.
As above, this might not be such a major issue in your own datacentre, but when essentially sharing infrastructure with other organisations and exposing resources to the internet, this is definitely a big deal.
Unpatched Cloud Resources
This topic comes in two flavours, and both are critical when it comes to security:
1. Systems and applications require patching to fix known issues and vulnerabilities:
   - Operating systems (e.g. Windows, Linux)
   - Applications (vendors might release security updates for their products)
2. New, more secure standards or features for cloud services are released.
The first point is one that many organisations have been familiar with for a long time and there are many mature processes known to keep systems and applications patched. There really should not be many reasons left why a system is unpatched.
The second point is more complicated. The pace of change in the cloud is rapid, much faster than what organisations are used to from the non-cloud world, where major releases by vendors happened maybe once a year or even less frequently. In the cloud, changes happen almost daily and it is difficult to keep up with them; some are new features allowing for a more secure use of a service, but they need to be knowingly enabled by a system administrator.
If you don't know about them, you don't know, and an organisation might unknowingly run a less secure version of a cloud service.
Unencrypted Data at Rest
Data encryption is clearly something end users are absolutely interested in. We all care about organisations not storing our data unencrypted.
Yet many cloud environments have unencrypted server disks and databases (in general, unencrypted data at rest) and have internal services communicate via unencrypted protocols, miscategorising those services as "internal", even though that category does not really exist on cloud platforms.
Cloud services are not internal: a lot of "Platform as a Service" offerings enable an internet-addressable endpoint out of the box, whether you use it or not.
All of these top 5 issues are avoidable, but often fall into the "we don't know what we don't know" category. Cloud platforms change constantly, with new offerings and new possible service configurations, but also new attack vectors.
A process that alerts in real time whenever any of the above top 5 security issues is violated would already protect many companies from attacks, making it more difficult for hackers to get into your environments and for accidental leaks to happen.
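As an added example (not code from the original post), here is a minimal rule-based audit in Python that checks a constructed resource inventory for the five issues above; the inventory format, field names and the default-password list are assumptions standing in for whatever a cloud provider's API actually reports.

```python
# Added example, not from the original post: a minimal rule-based audit that flags the
# five misconfigurations discussed above over a constructed resource inventory.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", ""}  # constructed sample of vendor defaults

def is_open_to_internet(rule):
    """True for an inbound firewall rule that accepts traffic from any address."""
    return rule.get("direction") == "ingress" and rule.get("source") in ("0.0.0.0/0", "::/0")

def audit_resource(res):
    """Return (resource_id, issue) findings for one inventory entry (assumed field names)."""
    rid, out = res["id"], []
    # 1. Open firewall ports: reachable from the internet on a port not meant to be public.
    for rule in res.get("firewall", []):
        if is_open_to_internet(rule) and rule.get("port") not in res.get("public_ports", ()):
            out.append((rid, f"port {rule.get('port')} open to the internet"))
    # 2. Passwords left at a vendor default or short enough to be human-chosen.
    for acct in res.get("accounts", []):
        pw = acct.get("password")  # None means key-based login, no password at all
        if pw is not None and (pw in DEFAULT_PASSWORDS or len(pw) < 16):
            out.append((rid, f"weak or default password for {acct['user']}"))
    # 3. Encryption in transit not enforced: instance-to-instance traffic in clear text.
    if not res.get("tls_enforced", False):
        out.append((rid, "encryption in transit not enforced"))
    # 4. Unpatched: pending OS/application patches, or a superseded service configuration.
    if res.get("pending_security_patches", 0) > 0:
        out.append((rid, "pending security patches"))
    if res.get("service_config_deprecated", False):
        out.append((rid, "service runs a superseded, less secure configuration"))
    # 5. Data at rest (disks, databases) left unencrypted.
    if not res.get("encrypted_at_rest", False):
        out.append((rid, "data at rest unencrypted"))
    return out

def audit(inventory):
    """Audit every resource; a real-time alerting process would run this on each change."""
    return [f for res in inventory for f in audit_resource(res)]

# Constructed inventory: a web server and a database, as a cloud-side scan might report them.
SAMPLE_INVENTORY = [
    {"id": "web-1", "public_ports": (443,), "tls_enforced": True, "encrypted_at_rest": True,
     "firewall": [{"direction": "ingress", "port": 443, "source": "0.0.0.0/0"},
                  {"direction": "ingress", "port": 22, "source": "0.0.0.0/0"}],
     "accounts": [{"user": "deploy", "password": None}], "pending_security_patches": 0},
    {"id": "db-1", "public_ports": (), "tls_enforced": False, "encrypted_at_rest": False,
     "firewall": [{"direction": "ingress", "port": 5432, "source": "10.0.0.0/8"}],
     "accounts": [{"user": "admin", "password": "admin"}],
     "pending_security_patches": 3, "service_config_deprecated": True},
]
FINDINGS = audit(SAMPLE_INVENTORY)  # six findings: one for web-1 (SSH open), five for db-1
```

Wiring the same checks to the provider's change notifications rather than a one-off scan is what turns this into the real-time alerting the post asks for.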