Misconfigured Clouds Compromise 424% More Records in 2017

Insider mistakes like networked backup incidents and misconfigured cloud servers caused nearly 70% of all compromised records in 2017, according to new data from IBM X-Force. These types of incidents affected 424% more records last year than the year prior, they report.

It wasn't all bad news from the IBM X-Force Threat Intelligence Index, which pulls insights on data from millions of endpoints across hundreds of countries. Researchers found 2.9 billion records were reported breached, nearly 25% less than the 4B reported in 2016. Frequently targeted industries saw a decline in attacks (18%) and security incidents (22%) since 2016, a drop that can be primarily attributed to a decline in Shellshock attacks throughout 2017.

Hackers aren't slowing down but they are changing their strategies, researchers say, swapping data breaches for ransomware. Instead of compromising large amounts of data, they decided it was more lucrative to lock down data access and demand ransom in return.

"Attackers are pretty much following the money," says Paul Griswold, director of strategy and product management at IBM X-Force. The shift to ransomware "wasn't super surprising," he says, since ransomware can be more profitable than stealing data. This idea extends to attacks like WannaCry and NotPetya, where the goal was seemingly destruction, not financial gain.

"Chances are, those guys were being paid by somebody," says Griswold of these attacks. While they didn't profit from the ransomware directly, he anticipates the threat actors didn't launch global ransomware campaigns "just for fun." They still earned money for the attacks.

The most common class of attack vector between 2016-2017 was injection attacks, which accounted for 79% of malicious activty on enterprise networks - nearly double what it was last year. Researchers say the reason injection attacks increased is because both botnet-based command injection local file inclusion attacks and command injection attacks used embedded coin-mining tools.

Still Foggy on Cloud Configuration

Businesses struggle to properly configure cloud servers, and cybercriminals know it. Inadvertent mistakes are costing companies big-time as attackers discover and target misconfigured cloud environments, IBM researchers report, and poorly configured systems were responsible for exposing more than 2 billion records that X-Force tracked in 2017.

Cloud misconfigurations are split into three categories: misconfigured cloud databases, which caused 566.4M breached records, publicly accessible cloud storage (345.8M), and improperly secured rsync backups or open Internet-connected network area storage devices (393.4M).

"I think this just goes to show the inexperience in doing that," says Griswold of moving to the cloud. "Chances are with on-prem, people understand how the data is stored and how the server is configured because they're the ones who did it … with cloud, it's a little bit different."

Several teams, DevOps and operations for example, put pressure on businesses to move to the cloud. "There's a whole bunch of desire to move things up to the cloud, and that's where things might be rushed," he says. "It's a learning curve, definitely."

Companies can better secure their cloud environments by involving the security teams as they move workloads to the cloud; it can't be limited to dev and IT. Because misconfigurations are often easy to detect, it helps to regularly conduct pentests and app code scans.

Low Grades for Incident Response

"When organizations got breached, we found a lot of times the response plans just weren't in place," says Griswold, explaining how the rise in ransomware highlighted companies' inability to cope with attacks.

An IBM Security study conducted last year found slow response times lead to more expensive attacks. Incidents that took longer than 30 days to contain cost $1M more than those contained in less than 30 days, an added incentive for businesses to shape their response strategies.

Many companies don't have any sort of incident response plan at all, and many of those who do have outdated plans and/or don't know how to execute on them. "Just because you have a plan in place doesn't mean you're going to know the ins and outs of it," says Griswold.

Researchers anticipate destructive ransomworms will continue to spread in 2018, as well as wide-spread vulnerabilities and sophisticated exploits targeting the public and private sectors. As they build incident response plans, Griswold urges businesses to ensure both technical controls and PR processes are in place, and have both PR and law firms on retainer.

"You need to think about those legal aspects," he cautions.  

Related Content:

Join Dark Reading LIVE for a two-day Cybersecurity Crash Course at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the agenda here. Register with Promo Code DR200 and save $200.