The two biggest cloud security risks continue to be misconfigurations and vulnerabilities, which are being introduced in greater numbers through software supply chains, according to a report by Sysdig. While zero trust is a top priority, the data showed that least privilege access rights, an underpinning of zero trust architecture, are not properly enforced. Almost 90% of granted permissions are not used, which leaves many opportunities for attackers who steal credentials, the report noted. The data was derived from an analysis of more than seven million containers that Sysdig customers run daily.

87% of container images have high or critical vulnerabilities

Almost 87% of container images were found to include a high or critical vulnerability, up from the 75% reported last year. Some images were found to have more than one vulnerability. Organizations are aware of the danger, but struggle with the tension of addressing vulnerabilities while maintaining the fast pace of software releases, Sysdig noted. Vulnerabilities persist even when a fix is available because of bandwidth and prioritization issues. When 87% of container images running in production have a critical or high severity vulnerability, a DevOps or security engineer can log in and see hundreds, if not thousands, of images with vulnerabilities. Only 15% of critical and high vulnerabilities with an available fix are in packages loaded at runtime. By filtering down to the vulnerable packages that are actually in use, enterprises can focus their efforts on the small fraction of fixable vulnerabilities that represent true risk. Sysdig also broke down the vulnerabilities in runtime-loaded packages by package type, to gauge which languages, libraries or file types carry the most risk: Java packages accounted for 61% of the more than 320,000 vulnerabilities found in running packages, while making up only 24% of the packages loaded at runtime.
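The filtering step described above (keep only critical/high findings that have a fix and sit in a package the container actually loaded) is mechanical enough to script. The block below is an added example, not code from the Sysdig report or from CSO: the scan rows, the set of runtime-loaded packages and the field layout are constructed sample data, and the function names are assumptions, not any scanner's real API. It also reports, in the same pass, the share of fixable critical/high findings that are in use and the per-ecosystem count of runtime-exposed findings, which is the view behind the "Java is 61% of running vulnerabilities" figure.

```python
"""Runtime-informed vulnerability prioritisation (added example, not Sysdig's code).

Joins a container image scan (one row per CVE finding) against the set of
packages the running container actually loaded, then keeps only findings that
are (a) critical or high, (b) have a fix available and (c) live in a package
that was loaded at runtime. All inputs are constructed sample data and the
field names are assumptions, not a real scanner schema.
"""
from collections import Counter

# Constructed scan output: (package, ecosystem, cve, severity, fixed_version).
# CVE identifiers are placeholders, not real advisories.
SCAN_FINDINGS = [
    ("log4j-core", "java", "CVE-A", "critical", "2.17.1"),
    ("commons-text", "java", "CVE-B", "critical", "1.10.0"),
    ("spring-web", "java", "CVE-C", "high", "5.3.20"),
    ("jackson-databind", "java", "CVE-D", "high", None),   # no fix published yet
    ("openssl", "os", "CVE-E", "high", "3.0.8"),
    ("curl", "os", "CVE-F", "medium", "7.88.0"),
    ("requests", "python", "CVE-G", "high", "2.31.0"),
    ("numpy", "python", "CVE-H", "critical", "1.22.0"),
    ("lodash", "javascript", "CVE-I", "high", "4.17.21"),
    ("minimist", "javascript", "CVE-J", "critical", "1.2.6"),
]

# Constructed runtime observation: packages whose files a runtime sensor saw the
# process open or map. Everything else in the image is installed but idle.
LOADED_AT_RUNTIME = {"log4j-core", "spring-web", "jackson-databind", "openssl", "requests"}

ACTIONABLE = {"critical", "high"}
SEVERITY_RANK = {"critical": 0, "high": 1}


def prioritise(findings, loaded):
    """Split findings into 'patch now' and 'running but unfixable'.

    Keeps critical/high findings whose package is in use. Those with a fix go
    to the patch list (critical first); those without a fix are returned
    separately because they need a runtime mitigation, not a version bump.
    """
    fix_now, no_fix_but_running = [], []
    for row in findings:
        pkg, _eco, _cve, sev, fixed = row
        if sev not in ACTIONABLE or pkg not in loaded:
            continue  # idle package or low severity: deprioritise
        (fix_now if fixed else no_fix_but_running).append(row)
    fix_now.sort(key=lambda r: SEVERITY_RANK[r[3]])
    return fix_now, no_fix_but_running


def runtime_share(findings, loaded):
    """Fraction of fixable critical/high findings that sit in loaded packages."""
    fixable = [f for f in findings if f[3] in ACTIONABLE and f[4]]
    in_use = [f for f in fixable if f[0] in loaded]
    return len(in_use) / len(fixable) if fixable else 0.0


def ecosystem_breakdown(findings, loaded):
    """Count runtime-exposed findings per package ecosystem."""
    return Counter(f[1] for f in findings if f[0] in loaded)


if __name__ == "__main__":
    fix_now, unfixable = prioritise(SCAN_FINDINGS, LOADED_AT_RUNTIME)
    print(f"patch first ({len(fix_now)} of {len(SCAN_FINDINGS)} findings):")
    for row in fix_now:
        print("  ", row)
    print("running but no fix yet (mitigate):", [r[2] for r in unfixable])
    share = runtime_share(SCAN_FINDINGS, LOADED_AT_RUNTIME)
    print(f"fixable crit/high findings in loaded packages: {share:.0%}")
    print("runtime-exposed findings by ecosystem:",
          dict(ecosystem_breakdown(SCAN_FINDINGS, LOADED_AT_RUNTIME)))
```

On the sample data the filter drops the list from ten findings to four to patch plus one to mitigate, and only half of the fixable critical/high findings turn out to be in loaded packages. The caveat a practitioner should keep in mind is that "loaded at runtime" is only as good as the observation window: a package used by a monthly batch job or an error-handling path will look idle until that path executes, so runtime filtering should deprioritise, not silently discard, the remaining findings.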
More vulnerabilities in packages exposed at runtime mean a higher risk of compromise or attack. Java has the greatest number of vulnerabilities exposed at runtime. While Java is not the most popular package type across all container images, it is the most common one in use at runtime. "For this reason, we believe that both the good guys and the bad guys focus on Java packages to get the most bang for their buck. Due to its popularity, bug hunters are likely more dedicated to Java language vulnerabilities," Morin said. While newer or less common package types may seem more secure, Morin said this could be because their vulnerabilities haven't been discovered or, worse, have been found but not disclosed. Even with a perfect shift-left security practice, threats can arise in production. Organizations should follow a shift-left and shield-right strategy, Sysdig suggested. Shield-right security emphasizes mechanisms to protect and monitor running services. "Traditional security practices with tools like firewalls and intrusion prevention systems aren't enough. They leave gaps because they typically don't provide insight into containerized workloads and the surrounding cloud-native context," Morin said. Static security testing can also be informed by runtime intelligence to pinpoint which packages are executed inside the containers that run the application. "This enables developers to deprioritize vulnerabilities for unused packages and focus instead on fixing exploitable, running vulnerabilities. The goal of every cybersecurity program should be full lifecycle security," Morin added.

Misconfiguration biggest culprit in cloud security incidents

While vulnerabilities are a concern, misconfigurations are still the biggest factor in cloud security incidents and should be one of the greatest causes for concern in organizations.
By 2023, 75% of security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020, according to Gartner. Data from Sysdig showed that only 10% of permissions granted to non-admin users were used when analyzed over a 90-day window. Sysdig's year-over-year analysis suggests that organizations are either granting access to more employees or maturing their Identity and Access Management practices. The growth in the human user population may be a by-product of moving more business into cloud environments or of ramping up staffing due to business growth, the cybersecurity firm noted. This year, 58% of identities in Sysdig customers' cloud environments were found to be non-human roles, down from 88% last year. Non-human roles are often used temporarily, and if they are no longer used but are not removed, they provide easy access points for malicious actors. "Reason for the shift in types of roles could be that organizations' cloud use is growing and with the adoption, more employees are being granted cloud accesses, therefore shifting the balance of human and non-human roles," Morin said. More than 98% of permissions granted to non-human identities have not been used for at least 90 days. "Oftentimes, these unused permissions are granted to orphaned identities, such as expired test accounts or third-party accounts," Sysdig noted. Security teams should apply least privilege principles to non-human identities in the same way they manage human identities. Organizations need to grant the minimum access that a human needs to do the job. The same applies to non-humans, such as applications, cloud services or commercial tools that need access to do their job. This works much like applications on a cell phone requesting permission to access contacts, photos, camera, microphone, and more.
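The "unused for 90 days" measurement above is the basis of a standard right-sizing exercise: diff what an identity's policy grants against what it actually called in the window, then rebuild the policy from the used set. The block below is an added example, not code from Sysdig or CSO. The policy follows the AWS IAM JSON document shape (Version, Statement, Effect, Action, Resource); the usage events are a constructed stand-in for CloudTrail-style records, the identity name `ci-deployer` and the function names are assumptions, and the fixed reference date exists only so the example is reproducible offline.

```python
"""Unused-permission detection for a non-human identity (added example, not
Sysdig's code). Compares the actions a policy grants with the actions the
identity exercised over a lookback window, reports the unused remainder and
emits a tightened policy containing only the used actions. Policy shape is
AWS IAM JSON; events, identity names and the reference date are constructed.
"""
import json
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=90)
NOW = datetime(2023, 2, 1)  # fixed reference time (assumption) for reproducibility

# Constructed policy attached to a CI service role (a non-human identity).
GRANTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage",
                                       "ecr:PutImage", "ecr:DeleteRepository"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "iam:CreateUser"], "Resource": "*"},
    ],
}

# Constructed usage log: (identity, action, timestamp). The ecr:DeleteRepository
# call is older than the window and must not count; iam:CreateUser was used by
# a different identity and must not count either.
USAGE_EVENTS = [
    ("ci-deployer", "s3:GetObject", NOW - timedelta(days=1)),
    ("ci-deployer", "s3:PutObject", NOW - timedelta(days=3)),
    ("ci-deployer", "ecr:GetAuthorizationToken", NOW - timedelta(days=1)),
    ("ci-deployer", "ecr:PutImage", NOW - timedelta(days=2)),
    ("ci-deployer", "iam:PassRole", NOW - timedelta(days=40)),
    ("ci-deployer", "ecr:DeleteRepository", NOW - timedelta(days=120)),  # stale
    ("alice", "iam:CreateUser", NOW - timedelta(days=1)),               # someone else
]


def _actions(stmt):
    """IAM allows Action to be a string or a list; normalise to a list."""
    acts = stmt["Action"]
    return [acts] if isinstance(acts, str) else list(acts)


def granted_actions(policy):
    """Flatten every Allow statement into a set of action strings."""
    return {a for s in policy["Statement"] if s.get("Effect") == "Allow" for a in _actions(s)}


def used_actions(events, identity, now=NOW, lookback=LOOKBACK):
    """Actions this identity exercised at or after the window cutoff."""
    cutoff = now - lookback
    return {a for who, a, ts in events if who == identity and ts >= cutoff}


def unused_permissions(policy, events, identity):
    """Sorted list of granted-but-unused actions and the unused ratio."""
    granted = granted_actions(policy)
    unused = granted - used_actions(events, identity)
    return sorted(unused), (len(unused) / len(granted) if granted else 0.0)


def rightsized_policy(policy, events, identity):
    """Rebuild the policy keeping only actions that were actually used.

    Statements that end up empty are dropped. Resource stays as granted; scoping
    Resource from '*' down to specific ARNs is the next step, not done here.
    """
    used = used_actions(events, identity)
    statements = []
    for stmt in policy["Statement"]:
        keep = [a for a in _actions(stmt) if a in used]
        if keep:
            statements.append({**stmt, "Action": keep})
    return {"Version": policy["Version"], "Statement": statements}


if __name__ == "__main__":
    unused, ratio = unused_permissions(GRANTED_POLICY, USAGE_EVENTS, "ci-deployer")
    print(f"ci-deployer: {len(unused)} unused of {len(granted_actions(GRANTED_POLICY))} "
          f"granted actions ({ratio:.0%} unused): {unused}")
    print(json.dumps(rightsized_policy(GRANTED_POLICY, USAGE_EVENTS, "ci-deployer"), indent=2))
```

On the constructed data four of nine granted actions go unused, including two destructive ones (s3:DeleteBucket, ecr:DeleteRepository) and one that enables privilege escalation (iam:CreateUser), which is exactly the residue a credential thief benefits from. Two caveats apply before acting on such output in production: a 90-day window misses quarterly or disaster-recovery jobs, so review the unused list with the owning team rather than revoking blindly; and trimming actions while leaving Resource as `*` is only half of least privilege.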
This Cyber News was published on www.csoonline.com. Publication date: Wed, 01 Feb 2023 13:10:02 +0000