A recent RedLock study of public cloud computing environments between June and September of 2017 found that 53 percent of organizations using cloud storage services like Amazon S3 have inadvertently exposed one or more such services to the public, up from 40 percent in a previous report six months earlier.
The study also found that 81 percent of organizations are not managing host vulnerabilities in the cloud. "While most have existing investments in third party vulnerability scanning tools such as Qualys and Tenable, organizations are unable to map the data from these tools to gain cloud-specific context," the report states.
At 38 percent of organizations, the study found, admin accounts for public cloud computing environments have potentially been compromised. Thirty-seven percent of databases are accepting inbound connection requests from the Internet, and 7 percent of those are receiving requests from suspicious IP addresses.
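The two misconfigurations behind these numbers, buckets readable by any principal and databases whose security group admits the whole Internet, are both visible in the resource's own configuration without touching any data. What follows is an added example, not RedLock's tooling or anything from the report: offline checks over the JSON shapes that the S3 GetBucketPolicy/GetBucketAcl and EC2 DescribeSecurityGroups APIs return. The policy, ACL and security-group documents are constructed samples; the bucket name, account ID, VPC endpoint ID and group IDs are made up; and the port-to-engine table is an assumption about which listeners count as databases (9200 is included because an Internet-reachable Elasticsearch node, as in the NFLPA case later in the article, is the same exposure class).

```python
"""Offline exposure checks for S3 bucket policies/ACLs and EC2 security groups.

Added example (not RedLock's code). Inputs are constructed to match the shapes
returned by boto3's get_bucket_policy, get_bucket_acl and
describe_security_groups; in practice they would come from those calls.
"""
import ipaddress
import json

# Assumed list of listeners worth treating as "databases". 9200 is the
# Elasticsearch REST port; the rest are the usual engine defaults.
DATABASE_PORTS = {1433: "mssql", 1521: "oracle", 3306: "mysql", 5432: "postgres",
                  6379: "redis", 9200: "elasticsearch", 27017: "mongodb"}

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    # "Principal": "*" and {"AWS": "*"} both mean everyone, including anonymous.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_doc):
    """Return [(sid, actions, conditional)] for Allow statements with a wildcard
    principal. conditional=True means a Condition block narrows the grant
    (e.g. to a VPC endpoint) and the statement needs review rather than an
    automatic 'public' verdict."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", f"statement-{i}"),
                         _as_list(stmt.get("Action", [])),
                         "Condition" in stmt))
    return findings


def public_acl_grants(acl):
    """Return [(permission, who)] for grants to the AllUsers/AuthenticatedUsers groups."""
    hits = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEE_URIS:
            hits.append((grant["Permission"], PUBLIC_GRANTEE_URIS[uri]))
    return hits


def _cidr_is_world(cidr):
    # 0.0.0.0/0 and ::/0 are the only "everywhere" prefixes; prefixlen 0 catches both.
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_db_ports(security_group):
    """Return sorted [(port, engine)] for database ports reachable from 0.0.0.0/0 or ::/0."""
    hits = set()
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(_cidr_is_world(c) for c in cidrs):
            continue
        # Protocol -1 ("all traffic") carries no port range and covers every port.
        lo = perm.get("FromPort", 0) if proto == "tcp" else 0
        hi = perm.get("ToPort", 65535) if proto == "tcp" else 65535
        for port, engine in DATABASE_PORTS.items():
            if lo <= port <= hi:
                hits.add((port, engine))
    return sorted(hits)


# --- constructed sample inputs (made-up identifiers, not real resources) ---
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "AdminWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/Admin"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_BUCKET_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_DB_SECURITY_GROUP = {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
SAMPLE_ALL_TRAFFIC_SECURITY_GROUP = {"GroupId": "sg-ffffffff", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}

if __name__ == "__main__":
    print("policy:", public_policy_statements(SAMPLE_BUCKET_POLICY))
    print("acl:", public_acl_grants(SAMPLE_BUCKET_ACL))
    print("db sg:", world_open_db_ports(SAMPLE_DB_SECURITY_GROUP))
    print("all-traffic sg:", world_open_db_ports(SAMPLE_ALL_TRAFFIC_SECURITY_GROUP))
```

Two design points matter in practice. A wildcard-principal statement that carries a Condition (here an aws:SourceVpce restriction) is reported as "conditional" rather than "public", because whether it is actually reachable from the Internet depends on the condition keys, and a naive scanner that ignores Condition produces either false positives or, if it skips conditional statements entirely, misses weak conditions. On the network side, an "all traffic" (-1) rule from ::/0 has no port range in the API response, so the check has to treat it as covering every port rather than reading FromPort/ToPort that are not there; the SSH rule on port 22 is deliberately ignored since it is outside the assumed database port table, not because it is harmless.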
In one case, RedLock researchers found that hackers had taken advantage of an open Kubernetes admin console belonging to the British insurance company Aviva to mine bitcoins.
"Many criminals are taking advantage of poor cloud security practices and configuration mistakes to take over cloud instances belonging to large organizations where the increase in spend due to Bitcoin mining will likely go unnoticed," the researchers noted.
RedLock CTO Gaurav Kumar said in a statement that organizations are falling behind in protecting their public cloud computing environments. "As we've witnessed by recent incidents at organizations such as Viacom, OneLogin, Deep Root Analytics and Time Warner Cable, the threats are real and cybercriminals are actively targeting information left unsecured in the public cloud," he said.
"It's imperative for every organization to develop an effective and holistic strategy now to protect their public cloud computing environment," Kumar added.
In the meantime, the breaches continue. On September 26, Kromtech security researchers came across a publicly accessible Elasticsearch database belonging to the National Football League Players Association (NFLPA).
The database held 1,133 NFL players' and agents' personal information, including email addresses, birthdates, mobile phone numbers and home addresses. One of the players whose data was exposed was former 49ers quarterback Colin Kaepernick.
An attacker had left a ransom note in the database on February 3 demanding 0.1 bitcoin not to leak the data to the public. The ransom did not appear to have been paid.
"It is logical to believe that criminals had access to this information and could have even targeted players or agents by using the credentials the database contained," Kromtech chief security communications officer Bob Diachenko wrote.
Not Ready for GDPR
Over 80 percent of cloud services don't support encryption of data at rest, and more than 67 percent don't specify in their terms of service that the customer owns the data.
"Cloud adoption is an inevitability and has enormous business value for enterprises across all geographies and verticals," Netskope CEO and founder Sanjay Beri said in a statement. "It also introduces a new set of complex security challenges in the enterprise, with regulations like the GDPR one of the more complex challenges."
"On the eve of the compliance deadline, complete visibility into and real-time control over cloud usage and activity in a centralized, consistent way that works across all cloud services is paramount for organizations to understand how they use and protect their customers' personal data and, consequently, comply with the GDPR," Beri added.