UPDATED 09:16 EDT / AUGUST 04 2020

Studies find epidemic of human errors threatens cloud security

Two recent studies conducted by security providers highlight the growing risks of configuration errors, which have become the single greatest security threat users face in the cloud.

User errors are already the second most common type of breach, according to Verizon Corp.’s 2020 Data Breach Report. Misconfigurations are by far the most common type of error, the report said.

A new study issued today by application development security provider Accurics Inc. finds that misconfigured cloud storage services exist in a stunning 93% of the cloud deployments it analyzed and that most user organizations have at least one network exposure created by misconfigured routing rules that leaves private subnets exposed to the internet. Subnets are typically used by applications and databases to communicate in a secure manner.

The findings dovetail with research released last week by Orca Security Ltd., which found that more than 80% of organizations have at least one public-facing workload running on an unsupported operating system or one that hasn’t been patched for at least 180 days. Nearly half have at least one publicly accessible, unpatched web server, a mistake that was a key factor in the massive 2017 breach of consumer credit reporting agency Equifax Inc.

Orca also reported that almost half of the organizations it audited have internet-facing workloads containing secrets and credentials, which can give cybercriminals access to secure computers from which they can traverse internal networks.

Neither study was scientific, since in both cases the companies were granted access to cloud instances by clients or prospective clients. Still, the overwhelming prevalence of vulnerabilities caused by human error is cause for concern.

Overlooking the basics

A lot of companies are doing a lousy job of applying even basic protections, Orca said. It found that 25% of the ones it studied failed to use multifactor authentication to protect cloud accounts with root or super administrative privileges. MFA requires a user to provide a second proof of identity to gain access to data or services.

“Most companies are trying to maintain good IT hygiene, but they always have coverage gaps,” said Orca Chief Executive Avi Shua. “There are always pockets that are outside of the radar that are unseen.”

Human error has become the bugaboo of security administrators as organizations have increasingly allowed business users to provision their own cloud services to address their needs more quickly and reduce the burden on information technology organizations. Accurics said 90% of the organizations it studied allow users to make changes to cloud native infrastructure at runtime.

In all cases, that resulted in security groups being created, presumably not always with IT oversight. Access management policy changes were noted in 82% of deployments and nearly half of users had created new cloud instances.

“While there might have been legitimate reasons for the elevated privileges for a particular cloud resource, most organizations failed to assess the downstream impact of the elevated privileges on other resources that were using the policies,” Accurics wrote.

Poor understanding of the basics of configuring access privileges, combined with misplaced beliefs that cloud providers take care of total security of customer accounts, has contributed to an epidemic of configuration errors.

Risk Based Security Inc. documented 149 incidents of misconfigured cloud databases and services that collectively exposed more than 3.2 billion records in just the first half of 2019. Gartner Inc. has predicted that 99% of cloud security failures over the next five years will be caused by user error.

For example, last fall’s breach of 2.8 million customer records at CenturyLink Inc. was reported to be caused by a cloud network misconfiguration that caused a MongoDB database to be exposed on the internet for 10 months. The error was compounded by the existence of a nonadministrative account with overly permissive identity and access management policies that made the database accessible because of a network misconfiguration. On top of that, the database hadn’t been encrypted.

Of course, encryption doesn’t help if the encryption keys are left in the open, which Accurics said was the case in 72% of the deployments it analyzed. It found that unprotected credentials were frequently stored in configuration files within software containers, which house many publicly exposed applications.

Orca similarly found that 44% of the organizations it examined host internet-facing workloads that contain secrets and credentials, including plain-text passwords and application programming interface keys.
