CISA: Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments
The US Cybersecurity and Infrastructure Security Agency (CISA) has released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services, after becoming aware of cyber-attacks leveraging weaknesses in cloud security services. Threat actors are leveraging phishing and other techniques to exploit poor cyber hygiene practices and misconfigurations in cloud services. CISA has listed steps organizations can take to improve their cloud security posture.
The false belief that "cloud equals more secure" is so pervasive that one of the largest cloud providers has an employee (a senior retired FBI agent) whose nearly full-time job is explaining to clients that the system images they bought from the cloud provider were "no more secure than the servers and desktops they bought from Best Buy." In a meeting in Washington, he told the other attendees his nickname at the company was "CAO." When asked what that meant, he said, "Chief Apology Officer." It takes skilled professionals to make cloud systems secure, though the cloud providers offer wonderful tools to enable clients to make their systems more secure. SANS has in-depth, up-to-date courses on how to use those tools (https://www.sans.org/blog/sans-cloud-security-curriculum/), and all three top cloud providers allow you to order system images preconfigured according to the Center for Internet Security configuration guidelines (Everything You Need to Know About CIS Hardened Images: https://www.cisecurity.org/blog/everything-you-need-to-know-about-cis-hardened-images/).
The report includes great recommendations to improve cloud security. Make sure that you're adequately securing cloud environments; at a minimum make sure you're following the service's security guidance. Review that guidance annually for improvements and needed changes. Make sure that direct access requires MFA. Verify that conditional access is both enabled and operates as planned. Evaluate the risks of enabling SSO from corporate desktops. Be sure that cloud service logs are being reviewed regularly, ideally forwarded automatically to your centralized logging and SIEM.
Poor configuration management, authentication, privilege management and secure configuration IT ops practices don't get better just because the application is now running in the cloud. Too often it just means that the wrong things can be done faster. None of CISA's recommendations are cloud-specific. The best approach is to focus on essential security practices on-premise, then extend them to the cloud.
Read more in:
Bleeping Computer: CISA: Hackers bypassed MFA to access cloud service accounts
Threatpost: Cloud Attacks Are Bypassing MFA, Feds Warn
Security Week: CISA Warns Organizations About Attacks on Cloud Services