Common Cloud Misconfigurations Leading to Cyberattacks
The following guest post is by Zachary Amos [Features Editor at ReHack, 3+ years of experience covering cybersecurity and IoT].
Cloud-based technology is on track to become a $110.5 billion U.S. industry. It provides smaller businesses with an outsized ability to compete and companies of any size with data mobility and more sophisticated enterprise planning tools.
Some cloud products can even improve cybersecurity — up to a point.
The other side of the coin is that relying on the cloud also exposes organizations to new risks. One of these is cloud misconfiguration.
What Are Cloud Misconfigurations?
Cloud misconfiguration is far from a theoretical possibility. In recent years, an estimated 70% of compromised digital records were due to misconfigured cloud portals and digital services, the equivalent of 5.4 billion records.
Capital One was involved in a high-profile example of cloud misconfigurations resulting in real-world losses. A hacker leveraged a misconfiguration in the company’s cloud-based firewall and captured data from 100 million credit applicants and active cardholders.
It’s vital to recognize cloud misconfigurations before bad actors can exploit them. Even 10 years ago, we didn’t quite anticipate the speed with which cloud-based meeting, tracking, compliance, maintenance and communication technologies would expand. Today, it feels like most companies would halt in an instant without the cloud to grant their data and processes mobility, agility, accessibility and transparency.
However, this same transparency is also a tool for bad actors if it’s not understood and accounted for properly.
What Are Some Examples of Cloud Misconfigurations?
It’s possible to avoid misconfiguring cybersecurity, storage, enterprise planning, machine tending, fleet tracking or any other type of software that lives in the cloud. One must know what to look for, however. Here are five types of cloud misconfigurations to guard against.
1. Leaving Outbound Traffic Unrestricted
It’s common for users of Amazon Web Services (AWS) and similar products to configure inbound ports with security in mind. What’s less common is policing outbound access with equal vigilance. Restricting outbound access ensures workloads on the network communicate only with the endpoints, such as servers and applications, they need in order to function.
The process of configuring restrictions on outbound access should follow the principle of least privilege. Without proper configurations for outbound access, hackers may be able to:
- Exfiltrate data to unauthorized recipients
- Engage in lateral-movement cyberattacks
- Carry out command-and-control actions
- Spread malware throughout a system
2. Disabling Monitoring or Logging
Most cloud platform products provide some form of monitoring or logging feature. However, this doesn’t mean the organization using the product has logging enabled. This is a common mistake that may leave the door open to cyberattacks.
A proper logging process involves recordkeeping and regular review of telemetry data by security personnel. Without this review function, organizations don’t have the means to identify and study security events when they happen or respond to maintenance bulletins as they’re flagged.
3. Opening ICMP Access
Internet Control Message Protocol (ICMP) is a diagnostic tool familiar to most IT professionals. It’s useful for troubleshooting failed or degraded transmissions and verifying servers are online, functioning and responding as intended. Despite its usefulness, ICMP can also open an organization up to attack if the IT team fails to lock down access.
Hackers can use unrestricted ICMP to find servers. From there, they can mount several kinds of organized attacks on the network, including using ping floods to perform distributed denial of service (DDoS) attacks. This is a slightly older avenue of attack, but it still works because even seasoned professionals sometimes fail to guard against it.
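Both of the rule mistakes above (allow-all egress from section 1 and world-open ICMP ingress from section 3) can be caught with an automated review of security group rules. The following audit script is an added example, not code from the article; it runs over a constructed dict in the shape of the EC2 describe_security_groups response (the field names are the real API's, the group IDs and addresses are made up).

```python
"""Audit AWS security group rules for unrestricted egress and world-open ICMP.
Added example: SAMPLE_GROUPS is constructed data shaped like the EC2
describe_security_groups response; in practice you would feed that call's output in."""

ANYWHERE = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "any address" ranges


def _open_to_world(perm):
    """True if any CIDR on this rule is the whole internet."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def _all_ports(perm):
    # "-1" is AWS's "all protocols" value; a 0-65535 TCP/UDP range is equivalent.
    return perm.get("IpProtocol") == "-1" or (
        perm.get("FromPort") == 0 and perm.get("ToPort") == 65535)


def audit_security_group(sg):
    findings = []
    # Section 1: egress that lets any protocol reach any address.
    for perm in sg.get("IpPermissionsEgress", []):
        if _all_ports(perm) and _open_to_world(perm):
            findings.append(("unrestricted-egress", sg["GroupId"]))
    # Section 3: ICMP/ICMPv6 reachable from the whole internet.
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") in ("icmp", "icmpv6") and _open_to_world(perm):
            findings.append(("world-open-icmp", sg["GroupId"]))
    return findings


def audit_all(groups):
    return [f for sg in groups for f in audit_security_group(sg)]


# Constructed sample: one group with AWS's default allow-all egress plus ping from
# anywhere, and one group that only talks to an internal host and answers internal pings.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-bad",
     "IpPermissions": [{"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-good",
     "IpPermissions": [{"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "10.0.5.10/32"}]}]},
]

if __name__ == "__main__":
    for kind, group_id in audit_all(SAMPLE_GROUPS):
        print(f"{group_id}: {kind}")
```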
4. Misunderstanding Storage Access
It’s common for cloud-computing customers to misunderstand what constitutes an “authenticated user” — especially those who rely on AWS products. This misunderstanding may result in far-too-lenient system and security design.
In AWS, the “Authenticated Users” group covers any principal signed in with any AWS account in the platform ecosystem, not only accounts belonging to the organization. In 2021, AWS controlled around 33% of the web-hosting market. This means there may be far more authenticated entities online than an IT architect may have accounted for — and they may have easier access than they think, depending on current configurations.
Companies should restrict storage bucket access to known parties only. Internally, they should limit access to the people and teams who need a given digital property to perform their daily functions.
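An audit for exactly this mistake, as an added example (not code from the article): it inspects a bucket ACL shaped like the S3 get_bucket_acl response for grants to AWS's predefined AuthenticatedUsers and AllUsers groups, and shows what the owner-only ACL looks like. The group URIs are AWS's real identifiers; the canonical owner ID is a placeholder.

```python
"""Flag S3 bucket ACL grants that reach beyond the bucket owner.
Added example: SAMPLE_ACL is constructed in the shape of the S3 get_bucket_acl
response; the owner ID is a placeholder, not a real account."""

# These URIs are AWS's predefined ACL groups. "Authenticated Users" means any
# AWS account in the world, not just accounts you control.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
RISKY_GROUPS = {AUTHENTICATED_USERS: "any-aws-account", ALL_USERS: "anonymous"}


def risky_grants(acl):
    """Return (who, permission) for every grant to a predefined global group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in RISKY_GROUPS:
            found.append((RISKY_GROUPS[grantee["URI"]], grant["Permission"]))
    return found


def owner_only_acl(acl):
    """Corrected ACL: keep only grants made to the bucket owner's canonical user."""
    owner_id = acl["Owner"]["ID"]
    return {
        "Owner": acl["Owner"],
        "Grants": [g for g in acl.get("Grants", [])
                   if g.get("Grantee", {}).get("Type") == "CanonicalUser"
                   and g["Grantee"].get("ID") == owner_id],
    }


# Constructed sample: the owner has full control, but the bucket also lets any
# AWS account read and write it, which is the "authenticated user" trap.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for who, permission in risky_grants(SAMPLE_ACL):
        print(f"grant to {who}: {permission}")
    print("after fix:", risky_grants(owner_only_acl(SAMPLE_ACL)))
```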
5. Failing to Manage Credentials and Other Secrets
Some of the most consequential cyberattacks in recent memory — including the Colonial Pipeline attack — were the consequence of poorly managed passwords. The protection and monitoring of access credentials, along with other secrets like API and encryption keys, is vital in this climate of almost continuous hacks.
Examples of poorly managed secrets and credentials include storing them in GitHub repositories, keeping them in badly configured cloud systems or even placing them in publicly accessible HTML code. The nearest residential security analog would be leaving one’s house key in plain view of the front door.
AWS has a built-in Secrets Manager feature, and Azure and HashiCorp have competing options. There’s no excuse for giving bad actors easy access to critical systems through leaky or nonexistent password hygiene or key management. Have a plan to secure these secrets and regularly audit that system. Failure to do so could land credentials in the hands of hackers, who could leverage them for whatever ends they see fit.
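One part of the audit plan above is catching secrets before they land in a repository or a web page. The scanner below is an added example (not the article's code or any vendor's tool); the AWS access key ID prefix "AKIA" is documented by AWS, the other patterns are generic shapes assumed for illustration, and the sample file is constructed with a made-up key.

```python
"""Scan text for credentials before it is committed or published.
Added example: PATTERNS are illustrative shapes (the AKIA prefix is AWS's documented
access key ID prefix); SAMPLE_FILE is constructed and contains no real credential."""
import re

PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name = "value" assignments where the name looks like a password, key or token
    # and the quoted value is at least 8 characters long
    "hardcoded-secret": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


def scan_text(text):
    """Return (line_number, pattern_name) for every line that matches a pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


# Constructed sample file: the key ID is a made-up value, not a real credential.
# The last line is the safe pattern: credentials come from the environment or a
# secrets manager rather than from source code.
SAMPLE_FILE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
db_password = "correct-horse-battery"
client = boto3.client("s3")  # credentials resolved from the environment
"""

if __name__ == "__main__":
    for lineno, name in scan_text(SAMPLE_FILE):
        print(f"line {lineno}: {name}")
```

Wiring `scan_text` into a pre-commit hook or CI job turns it into the recurring audit the paragraph calls for.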
Cloud Misconfiguration Can Be Prevented
Carrying out computing in the cloud has delivered new functionality and levels of productivity and efficiency to organizations of all stripes. Omnipresent computing and data access can be a double-edged sword without a working knowledge of the potential pitfalls, though. Companies should use this guide as a springboard to navigating preventable misconfigurations in cloud products.