No lessons learned from cloud security breaches

Far too many companies fail to learn anything from security breaches. According to CyberArk, cyber-security inertia is putting organizations at risk. Nearly half — 46% — of enterprises say their security strategy rarely changes substantially, even after a cyberattack.

That data comes from the organization’s new Global Advanced Threat Landscape Report 2018. The researchers surveyed 1,300 IT security decision-makers, DevOps and app developer professionals, and line-of-business owners in seven countries.

The Cloud is Unsecured

Cloud computing is a major focus of this report, and the study results are scary. CyberArk says, “Automated processes inherent in cloud environments are responsible for prolific creation of privileged credentials and secrets. These credentials, if compromised, can give attackers a crucial jumping-off point to achieve lateral access across networks, data and applications — whether in the cloud or on-premises.”

The study shows that:

  • 50% of IT professionals say their organization stores business-critical information in the cloud, including revenue-generating customer-facing applications
  • 43% say they commit regulated customer data to the cloud
  • 49% of respondents have no privileged account security strategy for the cloud

While we haven’t yet seen major breaches caused by tech failures of cloud vendors, we have seen many, many examples of customer errors with the cloud. Those errors, such as posting customer information to public cloud storage services without encryption or proper password control, have allowed open access to private information.

CyberArk’s view is dead right: “There are still gaps in the understanding of who is responsible for security in the cloud, even though the public cloud vendors are very clear that the enterprise is responsible for securing cloud workloads. Additionally, few understand the full impact of the unsecured secrets that proliferate in dynamic cloud environments and automated processes.”

In other words, nobody is stepping up to the plate. (Perhaps cloud vendors should scan their customers’ files and warn them if they are uploading unsecured files. Nah. That’ll never happen – because if there’s a failure of that monitoring system, the cloud vendor could be held liable for the breach.)

Endpoint Security Is Neglected

I was astonished that the CyberArk study shows only 52% of respondents keep their operating system and patches current. Yikes. It’s conventional wisdom that maintaining patches is about the lowest-hanging of the low-hanging fruit. Unpatched servers have been easy pickings for hackers over the past few years.

CyberArk’s analysis appears accurate here: “End users deploy a lot of technologies to protect endpoints, and they face many competing factors. These include compliance drivers, end-user usability, endpoint configuration management and an increasingly highly mobile and remote user base, all of which make visibility and control harder. With advanced malware attacks over the past year including WannaCry and NotPetya, there is certainly room for greater prioritization around blocking credential theft as a critical step to preventing attackers from gaining access to the network and initiating lateral movement.”

Many Threats, Poor Planning

According to the study, the greatest cyber security threats expected by IT professionals are:

  • Targeted phishing attacks (56%)
  • Insider threats (51%)
  • Ransomware or malware (48%)
  • Unsecured privileged accounts (42%)
  • Unsecured data stored in the cloud (41%)

Meanwhile, 37% of respondents say they store user passwords in Excel spreadsheets or in Word docs (hopefully not on the cloud).

Back to the cloud for a moment. The study says that “Almost all (94%) security respondents say their organizations store and serve data using public cloud services. And they are increasingly likely to entrust cloud providers with much more sensitive data than in the past. For instance, half (50%) of IT professionals say their organization stores business-critical information in the cloud, including revenue-generating customer-facing applications, and 43% say they commit regulated customer data to the cloud.”

And all that, with far too many companies reporting poor security practices when it comes to the cloud. Expect more breaches. Lots more.