Orca Security Report Finds Cloud Security Gaps Expose Business Critical Assets in Just Three Hops
September 13, 2022
Orca Security released the 2022 State of the Public Cloud Security Report, which provides important insights into the current state of public cloud security and where the most critical security gaps are found. One of the report’s key findings is that the average attack path is only 3 steps away from a crown jewel asset*, which means an attacker only needs to find three connected and exploitable weaknesses in a cloud environment to exfiltrate data or hold an organization to ransom.
The report, compiled by the Orca Research Pod, includes key findings from analyzing cloud workload and configuration data captured from billions of cloud assets on AWS, Azure and Google Cloud scanned by the Orca Cloud Security Platform from January 1st until July 1st, 2022. The report identifies where critical security gaps are still being found and provides recommendations on what steps organizations can take to reduce their attack surface and improve cloud security postures.
“The security of the public cloud not only depends on cloud platforms providing a safe cloud infrastructure, but also very much on the state of an organization’s workloads, configurations and identities in the cloud,” said Avi Shua, CEO and co-founder of Orca Security. “Our latest State of the Public Cloud Security report reveals that there is still much work to be done in this area, from unpatched vulnerabilities and overly permissive identities to storage assets being left wide open. It is important to remember, however, that organizations can never fix all risks in their environment. They simply don’t have the manpower to do this. Instead, organizations should work strategically and ensure that the risks that endanger the organization’s most critical assets are always addressed first.”
Report Key Findings
The Orca Security 2022 State of the Public Cloud Security Report finds that:
- Crown jewels are dangerously within reach: The average attack path only needs 3 steps to reach a crown jewel asset, which means an attacker only needs to find three connected and exploitable weaknesses in a cloud environment to exfiltrate data or hold an organization to ransom.
- Vulnerabilities are the top initial attack vector: 78% of identified attack paths use known vulnerabilities (CVEs) as an initial access attack vector, highlighting that organizations need to prioritize vulnerability patching even more.
- Basic security practices are not being followed: Many basic security measures such as Multi-Factor Authentication (MFA), least-privilege permissions, encryption, strong passwords, and port security are still not being applied consistently. For example, 42% granted administrative permissions to more than 50% of the organization’s users, 71% use the default service account in Google Cloud, and 7% have Internet-facing neglected assets (i.e. unsupported operating system or unpatched for 180+ days) with open ports 80, 443, 8080, 22, 3389 or 5900.
- Cloud-native services are being overlooked: Even though cloud-native services are easily spun up, they still require maintenance and proper configuration: 69% have at least one serverless function exposing secrets in the environment variable, 70% have a Kubernetes API server that is publicly accessible, and 16% of containers are in a neglected state (i.e. unsupported operating system or unpatched for 180+ days).