Cloud computing account compromises, resulting from stolen access keys and credentials, happen more often than we know. We are all familiar with notable, newsworthy reports of account compromises. But for every report of a massive breach (think DXC or OneLogin), there are numerous other examples that go unreported by the mainstream media.
Take, for instance, the case of security researcher @xKushagra who recently found a "gold mine" of open credentials and API keys at Trello. He promptly tweeted about his find and went on to retweet when one of his followers confirmed the event.
Of course, last year we did see headline-worthy incidents such as the Uber breach. Hackers had accessed one of Uber's private GitHub repositories where they discovered login credentials to Uber's AWS account. They used these credentials to log in to the AWS account and exfiltrate sensitive data on 57 million people.
Uber is by no means alone as far as compromised credentials go; the RedLock CSI team discovered an unprotected Kubernetes console that belonged to Tesla. Within one Kubernetes pod, access credentials for Tesla's AWS environment were exposed. An examination of the environment revealed it contained an Amazon S3 bucket that held sensitive vehicle telemetry data. These organizations clearly didn't follow AWS security best practices.
Such incidents prompted the RedLock CSI team to analyze trends around access hygiene. The findings indicate that we can expect this type of attack to increase in frequency in 2018.
The most alarming statistic was the fact that 73% of organizations are allowing the root user account to perform routine activities. This goes against security best practices and Amazon has strongly warned against this; administrators are advised to lock away root user access keys and create individual IAM users instead.
When the team examined organizations' hygiene around access keys, they discovered that 40% of them had not been rotated in over 90 days. This is concerning because keys often carry more permissions than the role actually requires, which widens the exposure if a key leaks. In the event of an account compromise, rotating access keys ensures that the window of opportunity available to hackers is finite.
Further investigation by the RedLock CSI team determined that 16% of organizations have users whose accounts have potentially been compromised. In addition to closely managing access, organizations must also be vigilant about monitoring user activities within their public cloud environments to detect insider threats or account compromises.
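The two hygiene checks above (root user keys, and keys older than 90 days) are easy to automate. The following is an added example, not RedLock's code: it audits IAM access-key metadata in the shape boto3's `iam.list_access_keys()` and `iam.get_account_summary()` return, using a constructed sample so it runs offline; the user names and key IDs are made up.

```python
"""Audit IAM access-key hygiene: flag active keys older than 90 days and any root keys."""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # rotation threshold discussed in the post


def stale_access_keys(key_metadata, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key id, age in days) for every active key older than the threshold.

    `key_metadata` is a list of dicts shaped like the AccessKeyMetadata entries
    returned by boto3's iam.list_access_keys(): UserName, AccessKeyId, Status, CreateDate.
    """
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for key in key_metadata:
        if key["Status"] != "Active":
            continue  # inactive keys cannot authenticate; rotation is about live keys
        if key["CreateDate"] <= cutoff:
            findings.append((key["UserName"], key["AccessKeyId"], (now - key["CreateDate"]).days))
    return findings


def root_has_access_keys(account_summary):
    """True if the root user still has access keys (SummaryMap from iam.get_account_summary())."""
    return account_summary.get("AccountAccessKeysPresent", 0) > 0


def audit_live_account():
    """Run both checks against the calling account (needs boto3 and iam:List*/Get* permissions)."""
    import boto3  # imported here so the offline checks above run without it
    iam = boto3.client("iam")
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            keys.extend(iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"])
    summary = iam.get_account_summary()["SummaryMap"]
    return stale_access_keys(keys, datetime.now(timezone.utc)), root_has_access_keys(summary)


# Constructed sample: one key well past 90 days, one fresh key, one old but disabled key.
SAMPLE_NOW = datetime(2018, 3, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": datetime(2017, 10, 1, tzinfo=timezone.utc)},   # 151 days old
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": datetime(2018, 2, 1, tzinfo=timezone.utc)},    # 28 days old
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive",
     "CreateDate": datetime(2017, 1, 1, tzinfo=timezone.utc)},    # old, but already disabled
]
SAMPLE_SUMMARY = {"AccountAccessKeysPresent": 1}  # root keys exist: the 73% finding above

if __name__ == "__main__":
    for user, key_id, age in stale_access_keys(SAMPLE_KEYS, SAMPLE_NOW):
        print(f"rotate {key_id} ({user}): {age} days old")
    if root_has_access_keys(SAMPLE_SUMMARY):
        print("root user still has access keys: delete them and use individual IAM users")
```

Calling `audit_live_account()` runs the same two checks against a real account with the default boto3 credentials.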
To minimize the probability of an account compromise within your organization, the RedLock CSI recommends the following five security best practices:
Defending Against Account Compromise
We discussed the impact of compromised accounts (data theft, cryptojacking, ransomware attacks) and the methods attackers use to compromise account credentials, and demonstrated how the RedLock Cloud 360 platform can help secure your cloud environment.