73% of Organizations Don’t Enforce Multifactor Authentication
Security breaches — of cloud environments, of the software supply chain — are growing ever more common. But most organizations still struggle to master the basics needed to keep their applications, data and infrastructure safe, according to a new report released Tuesday.
The latest Cloud Threat Report by Unit 42, the security research arm of Palo Alto Networks, examined the expanding cloud attack surface, found a number of troubling practices that are making organizations’ workloads vulnerable to malicious actors.
A small number of those practices appear to be most to blame: 80% of alerts in organizations’ cloud environments were triggered by 5% of security rules being broken, the report said.
Among the issues:
- Failure to enforce multifactor authentication (MFA). Nearly three out of four organizations (73%) don’t enforce MFA for console users, and 58% don’t enforce it for root or admin users.
- Exposed hard-coded credentials. Eighty-three percent of organizations have hard-coded credentials in their source control management systems and slightly more, 85%, have hard-coded credentials in virtual machines’ user data.
- Storing sensitive data in publicly exposed storage buckets. Sixty-three percent of such buckets were found by Unit 42 to include sensitive data.
“For cloud users, multifactor authentication should be just something that organizations do as a course of business,” said Bob West, chief security officer for Prisma Cloud at Palo Alto Networks. “And it becomes that much more important as you’re operating in the cloud.”
The latest report by Unit 42 analyzed the workloads in 210,000 cloud accounts across 1,300 separate organizations.
Cloud Provider Defaults
Insecure configurations remain the major source of security issues, the report found. But templates and default configurations provided by cloud service providers — intended to make it easier for developers and engineers to use new technologies — also proved to be major culprits.
“One of the things that organizations don’t necessarily pay attention to is the configuration of workloads and containers,” West said. “To their credit, the cloud service providers have default configurations and default templates that organizations can use. In many cases, [users] don’t change the configurations. And so as a consequence, there’s misconfigurations.”
Some examples of how organizations are failing to make the most of cloud provider security features:
- Seventy-five percent of organizations don’t enforce trail logs for Amazon Web Services (AWS) CloudTrail.
- Seventy-four percent don’t enforce Microsoft Azure key vault audit logging.
- Eighty-one percent of organizations don’t enforce Google Cloud Platform (GCP) Storage bucket logging.
Some root causes of the lack of attention to security basics, West said, lie in organization charts, and a scarcity of engineers and developers with deep cloud security knowledge.
“When you report to the [chief information officer], availability always trumps security,” he said. The message conveyed, implicitly if not explicitly, is “get this stuff out of my way.”
Only 9% of organizations use cloud providers as their primary source of security, according to Palo Alto Networks and Prisma Cloud’s latest annual State of Cloud Security report, down from 27% the previous year. However, West suggested that too many organizations are relying too heavily on their cloud providers for security guardrails, without customized defaults and templates to their organization’s specific needs.
“A lot of organizations have the mentality that if I’m moving to a cloud service provider, like Amazon, or Azure, or Google Cloud, they’re going to protect everything,” he said. ” And clearly, that’s not the case. But that’s a prevalent mentality.”
When there’s a breach, hackers can gobble up sensitive information in minutes. But most organizations can’t move nearly that fast in fixing the vulnerabilities that let them gain access to critical applications, data or infrastructure.
On average, it takes IT security teams 145 hours — just slightly more than six days — to resolve a security alert, according to the report
Unpatched Vulnerabilities
Unpatched vulnerabilities were rife among the workloads studied by the Unit 42 researchers. Sixty-three percent of the codebases used in production carried vulnerabilities rated high or critical according to the Common Vulnerability Scoring System, with a score of 7.0 or higher per CVSS metrics.
Most troubling: More than half of these vulnerabilities are more than two years old.
Though the report does not offer data on the reasons why these vulnerabilities aren’t being remediated, West offered some theories based on his long experience.
“When you get past the top half of the Fortune 500, the level of sophistication of protecting information varies wildly,” he said. “There's a systemic issue of not having enough security people, not being able to teach people that are managing infrastructure good security, hygiene. So if you put all of that together, you don't have enough people and you're not communicating to people what they need to be doing. Those are some of the root causes.“
A broader problem, he said, is that security professionals don’t always know how to ask effectively for more resources to do their jobs.
“There's a large percentage of the CISO community that doesn't know how to communicate well,” West. said “It's not that they're not intelligent, it’s that they don't know how to communicate in business terms. And if you can't communicate clearly to the leadership team or the board of directors, they're not going to understand the issue and you're not going to get the resources and budget to do your job.”
He cited the example of a CISO he worked with who speaks to his organization's board every quarter. West asked the CISO for a sample presentation and was given a 20-slide Powerpoint deck stuffed with technical statistics.
“That's just not relevant to the leadership team or the board,” West said. Business executives and board members, he said, want to know the answers to more basic questions:
Are we safe? Are we doing what's commercially reasonable? What are the big issues that we need to be dealing with?”
Without those communication skills, West said, security professionals won’t get the resources and budget they need to do their jobs properly. Thus, he added, “It's hard to execute on the basics right.”
Learn more about protecting the software supply chain from this episode of The New Stack Makers with guests Aeva Black of Microsoft and Chris Short of AWS, recorded at KubeCon + CloudNativeCon North America in Detroit.
