Threat Stack, the leader in cloud-native security and compliance management, today announced the findings of an analysis of more than 200 companies using AWS that revealed nearly three-quarters have at least one critical security misconfiguration, such as remote SSH open to the entire internet. Configuration lapses that enable an attacker to gain access directly to private services or the AWS console, or could be used to mask criminal activity from monitoring technologies are deemed “critical” by Threat Stack.
The analysis found a surprising number of well-documented security misconfigurations. Among the most egregious were AWS Security Groups configured to leave SSH wide open to the internet in 73% of the companies analyzed. This simple configuration error allows an attacker to attempt remote server access from anywhere, rendering traditional network controls like VPN and firewalls moot. In fact, Threat Stack observed SSH traffic from the internet using the root account, which could have severe security repercussions. Additionally, the well-recognized best practice of requiring multi-factor authentication for AWS users was not being followed by 62% of companies analyzed, making brute force attacks that much simpler. Even AWS-native security services, such as CloudTrail, were not being deployed universally (27%) across all regions.
“The most surprising part of these findings is that, for all the money that sophisticated enterprises spend on advanced security, a majority aren’t even taking full advantage of the basic security tools available to them as AWS users,” said Sam Bisbee, CTO, Threat Stack. “Despite years of education from AWS and their technology partners in the industry, not to mention the prevalence of automated security checks, a majority of users are still not configuring their cloud environments securely. Hopefully, this data will serve as a wakeup call.”
While these cloud security best practices are relatively simple to fix, Threat Stack identified a more complex concern. Data collected by Threat Stack going back to September of 2016 showed that fewer than 13% of the companies analyzed were keeping software updates current. In addition, despite the “spin up/down” intrigue of the cloud, the majority of those unpatched systems are kept online indefinitely, some more than three years. When combined with the AWS misconfigurations and weak remote administration, it becomes clear that companies need to focus on fundamental hygiene immediately.
Threat Stack CTO Sam Bisbee will present these findings and more during the AWS San Francisco Summit in a session on AWS security trends, analysis and best practices on Tuesday, April 18, at 12:00 pm PST, in Moscone West, Level 3.
To help identify these types of AWS misconfigurations that can easily be missed, Threat Stack offers a free Threat Stack Audit trial to help score customers’ environments against AWS security best practices and provide steps for improvement.
About Threat Stack
Threat Stack enables growth-driven companies to scale with confidence by identifying and verifying insider threats, external attacks and data loss in real-time. The only fully integrated, cloud-native security platform that gives customers instant visibility and automatically responds to changes in their environment throughout the stages of their cloud security maturity, from auditing their environment, to continuous monitoring and alerting, to investigation and analysis.Threat Stack provides the coverage needed to run secure and compliant, in all environments, without sacrificing speed and efficiency. For more information, or to start a free trial, visit threatstack.com.