Cloud computing has been one of the most ubiquitous trends in modern IT, bringing with it a host of new opportunities and challenges. Cloud security has been fertile ground for security researchers, and a number of research reports released last month continued that trend. While the cloud represents an opportunity to improve business processes and agility, security researchers see risks that organizations aren’t even fully aware of.
In this monthly roundup, eSecurity Planet summarizes findings from seven different research reports — and the key lessons that enterprises can learn from them to protect themselves against current and emerging security threats.
- CyberArk Global Advanced Threat Landscape Report: Focus on Cloud
- FireEye Q1 19 Email Threat Report
- ForgeRock U.S. Consumer Data Breach Report
- ISACA State of Cybersecurity Study
- McAfee Cloud and Risk Adoption Report
- Symantec Cloud Security Threat Report
- WatchGuard Technologies Internet Security Report
The cloud can expose organizations to unexpected risks, according to a CyberArk report, Global Advanced Threat Landscape Report 2019: Focus on Cloud.
The report found that 75 percent of organizations depend on the built-in security from a cloud provider, yet 50 percent also admitted that the built-in security isn’t enough. Looking at the risk profile, the study found that 62 percent of organizations were unaware that credentials, secrets and privileged accounts exist in Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) cloud environments.
In terms of controls, only 49 percent of organizations said that they have a privileged access security strategy in place for cloud infrastructure and workloads.
“The risks caused by a lack of clarity about who is responsible for security in the cloud is compounded by an overall failure by organizations to secure privileged access in these environments,” said Adam Bosnian, executive vice president, global business development, CyberArk.
Key Takeaway: Privileged information and secrets exist in the cloud, so it’s incumbent upon organizations to have privileged access management (PAM) controls.
It should come as no surprise that email continues to be a leading threat vector. The FireEye Q1 2019 Email Threat Report analyzed 1.3 billion emails in the first quarter and found growing email security risks.
FireEye reported that in the first quarter, phishing attacks rose by 17 percent over the fourth quarter of 2018. The most spoofed brand found in phishing attacks was Microsoft, which accounted for almost 30 percent of all detections. There was also a 26 percent quarterly uptick in the use of malicious addresses that used HTTPS. Additionally, Business Email Compromise (BEC) continues to be an issue, with FireEye identifying new impersonation attacks taking aim at payroll and supply chain targets.
“We’re seeing new variants of impersonation attacks that target new contacts and departments within organizations,” said Ken Bagnall, Vice President of Email Security at FireEye. “The danger is these new targets may not be prepared or have the necessary knowledge to identify an attack.”
Key Takeaway: Train and educate all staff about the dangers of BEC and email security.
ForgeRock’s U.S. Consumer Data Breach Report warned of the growing number of attacks against financial services organizations.
According to the report, breaches at financial service organizations cost the industry a staggering $6.2 billion in the first quarter of 2019. The high cost was driven by the compromise of 26.9 million consumer data records in the quarter.
ForgeRock identified misconfigurations as the leading cause of breaches in the first quarter.
“It’s clear from our research findings that consumer data is valuable and highly sought after by cybercriminals as well as very difficult for organizations to protect,” said Eve Maler, VP of Innovation and Emerging Technology at ForgeRock. “Organizations can protect consumer data by implementing a strong customer identity management program.”
Key Takeaway: Breaches aren’t always the result of software vulnerabilities, so take the time and care to get configurations right to limit risk.
ISACA, an organization once known as the Information Systems Audit and Control Association, released its 2019 State of Cybersecurity study on June 3, revealing a number of surprising trends.
According to the study, just over a third (34 percent) of cybersecurity leaders have high levels of confidence in their group’s ability to detect and respond to cyberthreats. Of particular note is how the level of confidence varies based on reporting lines, with higher levels of confidence for cybersecurity teams that report directly to a CISO as opposed to a CIO. The study also found that most organizations hold the view that breaches and security incidents are underreported by the victim organizations.
“Underreporting cybercrime—even when disclosure is legally mandated—appears to be the norm,” said Greg Touhill, Brigadier General (ret.), ISACA Board Director, president of Cyxtera Federal and the first U.S. Federal CISO. “Half of all survey respondents believe most enterprises underreport cybercrime, even when required.”
Key Takeaway: Have a clear reporting line to the CISO for security personnel to help improve cybersecurity outcomes.
The McAfee Cloud and Risk Adoption Report had its own conclusions about cloud security.
Rather than pointing out the unknown risks that some organizations face in the cloud, McAfee found the cloud’s silver lining. According to the report, 87 percent of organizations experience business acceleration by using cloud services. 52 percent of companies also reported having a better security experience in the cloud than in their on-premises environments.
While so-called “Shadow IT,” or unknown use of the cloud, is a concern, the study found that it represents only 10 percent of enterprise data.
“This research shines a light on organizations who are leading the charge in cloud adoption, prioritizing the security of their data as they roll out new cloud services and winning in the market because of the actions they are taking,” said Rajiv Gupta, senior vice president for Cloud Security at McAfee.
Key Takeaway: The cloud shouldn’t be feared; it should be embraced with strong security controls and policy that enable organizations to fully benefit.
Adding to the list of vendors looking at cloud security was Symantec, which released its Cloud Security Threat Report on June 24.
Of note, Symantec reported that 53 percent of all enterprise compute workloads have now been migrated to the cloud. That said, the report warned that 54 percent of organizations admitted that their cloud security maturity is not keeping pace with the rapid expansion of cloud apps. In fact, 73 percent of enterprises reported that they experienced a cloud-related security incident due to immature practices.
So why are cloud security practices immature? The leading cause, according to the report, is a lack of visibility. 93 percent of organizations indicated that they are facing challenges having full visibility into all cloud workloads.
“The adoption of new technology has almost always led to gaps in security, but we’ve found the gap created by cloud computing poses a greater risk than we realize, given the troves of sensitive and business-critical data stored in the cloud,” said Nico Popp, senior vice president, Cloud and Information Protection at Symantec.
Key Takeaway: If you’re using the cloud, make sure to have workload visibility and processes in place to manage security.
WatchGuard Technologies released its Internet Security Report for Q1 2019 on June 25, revealing a 62 percent quarterly increase in overall malware detections.
Among the growing areas of malware risk is macOS malware, with two variants cracking WatchGuard’s top 10 most prevalent malware list for the quarter. Of particular note is the continuing risk of attacks from mimikatz malware, which steals user credentials. According to WatchGuard, mimikatz-based malware accounted for 20.6 percent of all malware found in Q1.
“The key findings from this latest report illustrate the importance of layered security protections in today’s advanced threat landscape,” said Corey Nachreiner, chief technology officer at WatchGuard Technologies. “Whether it be DNS-level filtering to block connections to malicious websites and phishing attempts, intrusion prevention services to ward off web application attacks, or multi-factor authentication to prevent attacks leveraging compromised credentials – it’s clear that modern cyber criminals are leveraging a bevy of diverse attack methods and the best way for organizations to protect themselves is with a unified security platform that offers a comprehensive range of security services.”
Key Takeaway: Use multiple tools, including both endpoint and network layer technologies, to help reduce risk.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.