Research has shown that controls within Google Cloud Platform (GCP) are the most commonly misconfigured of the big three cloud service provider (CSP) environments, making them more vulnerable to cyber attackers.
Researchers at Qualys looked at cloud misconfiguration issues and found GCP leading the way with an average failure rate of 60% when run against the Center for Internet Security’s (CIS) benchmarks. Azure was close behind, with an average failure rate of 57%, and AWS stood at 34%.
GCP services of particular concern, according to the CIS benchmarks, were BigQuery, DataProc, and Logging.
The CIS Benchmarks comprise more than 100 secure configuration guidelines for more than 25 product families. The intent is to provide recommendations for hardening technology against cyber attacks.
While the platforms themselves are not inherently insecure, the figures highlight the issue of misconfiguration, which amplifies the risk of breaches and unauthorized access.
Misconfigurations can be caused by anything from a simple lack of expertise and human error to rapid deployment, where security considerations drop down the list of priorities compared to a business need.
Encryption, identity management, and external-facing assets were noted as some of the most impactful misconfigurations that are commonly made, potentially leading to exploits and cyber attack.
Encryption is hugely important for protecting an organization’s data. However, despite most Cloud Service Providers (CSP) making its implementation as simple as selecting a configuration option, the report found that it was not universally deployed.
Nearly all (99%) of the Azure disks scanned lacked encryption or a customer managed key (CMK). On GCP, researchers found 97.5% of virtual machine disks for critical VMs lacked encryption using customer-supplied encryption keys (CSEKs).
As with encryption, identity and access management (IAM) was poorly implemented by customers of all three CSPs.
Among the most significant IAM misconfigurations were console passwords not having multi-factor authentication (MFA) enabled. Nearly half (44%) of IAM cases on AWS had the industry-standard security control deployed.
Additionally, scans for Enabling Authentication and configuring Client Certificates within Azure App Service failed 97% of the time.
Observability in pre-production testing
Application monitoring is in place to prevent software issues affecting users and customers. Discover the benefits of applying Enterprise Observability in pre-production testing.
Finally, external-facing assets can present attackers with multiple opportunities. The report noted that 31% of S3 buckets are publicly accessible, exposing them to an array of possible vulnerabilities.
The report noted: “A common misconfiguration by users of all major cloud providers is inadvertently leaving data publicly accessible”. Doing so can impact the effectiveness of other cloud services. Public S3 buckets, for example, can hold more than just sensitive data; access keys, credentials, or backup files can also be found in them, meaning the potential compromise of other services, such as EC2 instances.
“The convenience of - say, working on cloud assets from anywhere without having to use a VPN - suddenly transforms into a potential breach just waiting to happen.”
Log4Shell lingers
The report noted the risk of weaponized vulnerabilities, particularly the ongoing danger of Log4Shell.
Log4Shell was first detected in December 2021 and exploits functionality in Log4j, an open-source logging framework used in many Java applications, to execute arbitrary code.
Despite being a well-known vulnerability, figures have shown that the Log4j flaw is proving difficult to mitigate. In this instance, the challenge is partly due to the scale and complexity of cloud environments. Many make extensive use of open-source software, such as Log4j, and are publicly exposed.
The Qualys team noted that it had detected 1 million Log4Shell vulnerabilities. Only 30% had been successfully fixed, leaving 70% unpatched. The average remediation time stood at 136 days, which researchers attributed to the complexity involved.
Lambda: another exploitation threat
While the CIS hardening benchmark lacks controls specifically for AWS Lambda, researchers found issues when looking at permissions provided to Lambda functions.
In terms of hardening, some checks on Lambda functions - including for monitoring and execution limits - recorded a more than 90% fail rate. Others, such as a check that Lambda environment variables at rest were encrypted with CMK, had a fail rate of 58%.
A failure around the hardening stance has the potential to give access to attackers.
Lambda has been specifically targeted by the Denonia malware strain, a crypto-miner that will burn through expensive compute cycles once it has achieved a foothold. Since Lambda - and other serverless technologies - are relatively new, security measures have tended to be overlooked.
