Canadian organizations are laggards when it comes to protecting one of the biggest vulnerabilities in IT security, according to a new cloud threat report this week from Palo Alto Networks.
Among the organizations in Canada detected on the internet, 70 per cent of them left Windows’ Remote Desktop Protocol (port 3389) unprotected, the highest among 10 countries surveyed.
By comparison, 38 per cent of detected organizations in Japan left RDP open, 50 per cent in the U.K. and 51 per cent in the U.S. The average for the group was 51 per cent.
“That’s significant because it [RDP] is one of the most popular threat vectors for attackers,” Matt Chiodi, CSO for Palo Alto’s public cloud solutions, said in an interview.
And, he added, exploiting RDP is a primary way ransomware is deployed.
The reason for this and other configuration mistakes is the lack of security automation, he said. “Any time you have a big jump in cloud workloads without automation it will almost always lead to a dramatic growth in security incidents.”
Chiodi couldn’t say how many Canadian firms were detected, only that if the number wasn’t statistically valid it wouldn’t have been included in the report.
Leaving RDP open and other sloppy mistakes are among the reasons cloud security incidents increased by what the report calls “an astounding” 188 per cent in the second quarter of 2020.
The Cloud Threat H1 2021 report*, from the company’s Unit 42 threat intelligence division, is aimed at showing how the rush to the cloud forced by the COVID-19 pandemic. [*Registration required]
It looked at hundreds of cloud accounts around the world between October 2019 and February of this year and found a huge increase in the number of security risks such as unencrypted data and insecure port configuration compared to the months previous.
Findings include:
- A 212 per cent increase in the number of SQL databases with encryption disabled.
- A 149 per cent increase in the number of unencrypted database snapshots.
- A 122 per cent increase in the number of firewall rules that allowed all traffic to Kubernetes clusters.
- A 68 per cent increase in the number of data instances exposed to the internet.
- A 62 per cent increase in the number of network security groups that allow all traffic over Microsoft SMB (TCP port 445).
This and other incidents “underline the failure of most organizations to scale cloud governance and security automation at the same rate that they scaled their cloud workloads,” the report says. “Many of these misconfigurations can be addressed through the use of infrastructure as code (IaC) templates. As we’ve noted in previous reports, IaC templates, when consistently scanned for common security vulnerabilities, help secure cloud infrastructure from development through production.”
For example, the report argues that failing to encrypt SQL and relational databases is a mistake that can be easily identified and corrected by automatically auditing cloud environments for signs of misconfigurations.
The report says Unit 42 research indicates that as the pandemic raged, teams were either not using IaC at all or simply failing to scan templates for common security vulnerabilities.
“Otherwise, they would not have been making mistakes such as failing to encrypt potentially sensitive data or enable logging, which is a critical feature for security monitoring and auditing in cloud environments,” it read.
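The kind of automated template audit the report describes, as an added example that is not Unit 42’s tooling or the report’s own code: a small scanner that reads a constructed, Terraform-style JSON rendering of cloud resources and flags the misconfiguration classes counted above (RDP on port 3389 or SMB on port 445 reachable from the whole internet, rules that allow all traffic, and database instances without storage encryption). The attribute names (`ingress`, `cidr_blocks`, `storage_encrypted`) follow the Terraform AWS provider, but the resource list is assembled by hand for this example and the check names are assumptions.

```python
"""Guardrail scan for a simplified IaC template (added example; not Unit 42's code).

The template shape is a constructed, Terraform-like JSON rendering: a list of
resources, each with a type, a name and its argument values. Attribute names
such as "ingress", "cidr_blocks" and "storage_encrypted" follow the Terraform
AWS provider, but the file below is assembled by hand for this example.
"""
import ipaddress
import json

# Ports the report singles out as commonly left open. The mapping is ours.
WATCHED_PORTS = {3389: "RDP", 445: "SMB"}


def is_anywhere(cidr):
    """True when a CIDR admits the whole IPv4 or IPv6 internet (prefix length 0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_security_group(name, values):
    """Flag ingress rules that expose all traffic, RDP or SMB to the internet."""
    findings = []
    for rule in values.get("ingress", []):
        sources = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
        if not any(is_anywhere(c) for c in sources):
            continue  # restricted to specific networks; not a finding here
        from_port, to_port = rule.get("from_port", 0), rule.get("to_port", 0)
        # protocol "-1" is the provider's "all protocols"; 0-65535 is every TCP/UDP port
        if rule.get("protocol") == "-1" or (from_port == 0 and to_port == 65535):
            findings.append((name, "all traffic allowed from the internet"))
            continue
        for port, label in WATCHED_PORTS.items():
            if from_port <= port <= to_port:
                findings.append((name, f"{label} (port {port}) open to the internet"))
    return findings


def check_db_instance(name, values):
    """Flag database instances created without storage encryption."""
    if values.get("storage_encrypted", False):
        return []
    return [(name, "database storage not encrypted")]


# Resource type -> check function; extend this table to add further guardrails.
CHECKS = {
    "aws_security_group": check_security_group,
    "aws_db_instance": check_db_instance,
}


def scan(template):
    """Run every applicable check and return (resource name, problem) pairs."""
    findings = []
    for resource in template.get("resources", []):
        check = CHECKS.get(resource["type"])
        if check is not None:
            findings.extend(check(resource["name"], resource.get("values", {})))
    return findings


# Constructed sample template: three exposed groups, one restricted group, two databases.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "aws_security_group", "name": "rdp-from-anywhere", "values": {
      "ingress": [{"from_port": 3389, "to_port": 3389, "protocol": "tcp",
                   "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_security_group", "name": "smb-from-office", "values": {
      "ingress": [{"from_port": 445, "to_port": 445, "protocol": "tcp",
                   "cidr_blocks": ["10.20.0.0/16"]}]}},
    {"type": "aws_security_group", "name": "wide-open", "values": {
      "ingress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                   "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_security_group", "name": "smb-v6", "values": {
      "ingress": [{"from_port": 445, "to_port": 445, "protocol": "tcp",
                   "ipv6_cidr_blocks": ["::/0"]}]}},
    {"type": "aws_db_instance", "name": "orders", "values": {"storage_encrypted": false}},
    {"type": "aws_db_instance", "name": "audit", "values": {"storage_encrypted": true}}
  ]
}
""")


if __name__ == "__main__":
    for resource, problem in scan(SAMPLE_TEMPLATE):
        print(f"{resource}: {problem}")
```

Run against the sample, the scan reports the RDP group, the wide-open group, the IPv6 SMB group and the unencrypted `orders` database, and passes the office-only SMB rule and the encrypted `audit` database. Wiring a check like this into the pipeline that applies templates is the "scanned for common security vulnerabilities" step the report refers to: a finding blocks the change before the resource is ever created, rather than being discovered by an internet scan afterwards.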
Among the report’s recommendations, companies operating in the cloud should:
- Increase visibility into how developers and business teams are using the cloud;
- Set security guardrails (what shouldn’t be permitted). Then use IaC templates as an extra way to enforce those rules;
- Adopt and enforce standards, such as benchmarks set by the Center for Internet Security;
- Train and hire security engineers who code, because they know how to leverage APIs;
- Embed security in DevOps.