A new Qualys report shows organizations are largely leaving security settings at their defaults in cloud infrastructures. As a result, roughly half of all security settings are in a state that could provide an opening for threat actors to gain access to critical cloud computing resources.
That's according to Travis Smith, vice president of Qualys' threat research unit. This week, Qualys released its 2023 Cloud Security Insights report. It describes data-backed insights from the Qualys TruRisk Platform about risks and best practices associated with cloud computing.
Some of the key findings from the latest Qualys report include:
- Cloud misconfiguration is the most critical issue for securing cloud environments as it amplifies the risk of data breaches and unauthorized access. On average, 50% of Center for Internet Security (CIS) benchmarks are failing across the major providers. The average fail rate for each provider was 34% for AWS, 57% for Azure and 60% for Google Cloud Platform (GCP).
- One of the most alarming discoveries within the data was how many cloud assets are externally facing and exposed to the internet. About 4% of cloud assets within the more than 50 million scanned are internet facing, meaning they have public IP addresses and are visible to any attacker.
- During the research period, more than 60 million applications were at end of support or end of life. Critical categories include database servers, web servers and security software, none of which will receive security updates, increasing exposure and the risk of a breach.
Most Surprising Finding in Qualys Report
"The most surprising finding was seeing Log4Shell still largely unpatched in cloud environments," Smith said. "This vulnerability has had widespread attention in the industry and we are coming up on the two-year anniversary of its published date. This critical vulnerability can be easily exploited and should be taken up on priority to remediate if it is found in any production environment."
The first step for any organization deploying assets on AWS, Azure or GCP is to apply the CIS hardening benchmarks, which represent the "gold standard" for properly securing cloud infrastructure, he said.
"Knowing what security controls are misconfigured is the first step to understanding what the organizational risk is, so it is important to first get a baseline and improve the security architecture from there," Smith said.
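To illustrate the baseline step Smith describes, here is an added example (not code from Qualys or the report) that evaluates a constructed asset inventory against a few simplified, CIS-style controls drawn from the report's themes (public storage, internet exposure, end-of-life software, unpatched Log4Shell) and reports the fail rate per provider. The inventory, the control names and the control logic are assumptions for illustration.

```python
"""Evaluate a constructed cloud inventory against simplified CIS-style controls."""
from collections import defaultdict

# Constructed sample inventory (not report data). log4j is None when absent.
INVENTORY = [
    {"id": "a1", "provider": "AWS",   "public": True,  "internet_facing": True,  "eol": False, "log4j": "2.14.1"},
    {"id": "a2", "provider": "AWS",   "public": False, "internet_facing": False, "eol": True,  "log4j": None},
    {"id": "z1", "provider": "Azure", "public": False, "internet_facing": True,  "eol": True,  "log4j": "2.17.1"},
    {"id": "z2", "provider": "Azure", "public": True,  "internet_facing": True,  "eol": False, "log4j": "2.12.0"},
    {"id": "g1", "provider": "GCP",   "public": False, "internet_facing": False, "eol": False, "log4j": "2.0-beta9"},
]


def parse_version(version):
    """Turn '2.0-beta9' into (2, 0): keep the leading digits of each dotted part."""
    parts = []
    for part in version.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def log4j_vulnerable(version):
    """Log4Shell affects log4j-core 2.0-beta9 up to 2.14.1; 2.15.0 fixed it
    (later 2.17.x releases fixed follow-on issues and are the usual floor)."""
    return (2, 0) <= parse_version(version) < (2, 15, 0)


# Hypothetical simplified controls; each returns True when the asset passes.
CHECKS = {
    "storage_not_public": lambda a: not a["public"],
    "not_internet_facing": lambda a: not a["internet_facing"],
    "software_supported": lambda a: not a["eol"],
    "log4j_patched": lambda a: a["log4j"] is None or not log4j_vulnerable(a["log4j"]),
}


def evaluate(inventory):
    """Return ({provider: fail_rate}, [(asset_id, failed_control), ...])."""
    counts = defaultdict(lambda: [0, 0])  # provider -> [failed, total]
    failures = []
    for asset in inventory:
        for name, check in CHECKS.items():
            counts[asset["provider"]][1] += 1
            if not check(asset):
                counts[asset["provider"]][0] += 1
                failures.append((asset["id"], name))
    rates = {p: failed / total for p, (failed, total) in counts.items()}
    return rates, failures
```

Running `evaluate(INVENTORY)` gives the per-provider fail rate in the same shape as the report's headline numbers, plus the list of failing controls to remediate first.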
The findings are not all doom and gloom, he said. There are a few encouraging signs that can be seen throughout.
"For example, AWS configuration settings are passing at a much higher rate than Azure or GCP," Smith said. "With AWS having the highest market share in cloud computing, it is encouraging to see that it is the most secure of the three we analyzed. However, that being said, [public cloud storage containers] are still exposed to the internet at an alarming rate. The encouraging side of that is we can see the equivalent settings in Azure and GCP not being exposed to the internet at such high rates."
Anecdotally, the highest threat to cloud environments from a malware perspective is cryptomining attacks, he said.
"It is encouraging that more nefarious attacks such as ransomware have not materialized on a large scale," Smith said. "Yet this should be a warning to organizations that if cryptomining can get in, the threat exists for other more dangerous attacks like ransomware to find their way into cloud environments."