Heartbleed struck fear into website operators and security professionals alike with the realization that a central piece of internet infrastructure was vulnerable. The naming of Cloudbleed, a new vulnerability discovered by Google researchers, attempts to draw a parallel with that catastrophic internet exploit. In analyzing the impact of Cloudbleed we find that while it certainly has serious implications for enterprises, what is perhaps more interesting is the unique capability of cloud services to recover from and mitigate vulnerabilities much faster than traditional on-premises IT systems.
An overview of Cloudbleed is here.
The Numbers Behind Cloudbleed
We analyzed data from over 30 million enterprise users and found wide exposure to vulnerable services. 99.7 percent of companies have at least one employee that used a Cloudbleed-vulnerable cloud application. This means hackers could have stolen user passwords for these cloud applications. Attackers may even have had access to session keys exposed while a session was live.
There is one caveat to the narrative of widespread vulnerability of cloud services: low-risk, Enterprise-Ready cloud applications actually weathered the Cloudbleed storm with remarkable success. Out of 128 Enterprise-Ready applications, only four were vulnerable to Cloudbleed. We know that IT professionals trust the cloud just as much as, if not more than, on-premises software. In this case, the security investments of the top enterprise cloud applications have largely excluded this group from Cloudbleed’s fallout.
Enterprise IT security teams should reset affected users’ passwords. Skyhigh customers can audit their own exposure from the Cloud Access Security Broker dashboard. For more information or to schedule a conversation with a technical specialist, please send a note to Resources@skyhighnetworks.com. There is still the risk that credentials stolen from less secure services can be successfully repurposed to access unaffected applications; research shows users reuse passwords over 40 percent of the time. For this reason, companies should always implement adaptive authentication, which enforces multi-factor authentication, reducing the collateral damage of a stolen credential.
As enterprises advance the maturity of their cloud security, they educate employees that different cloud services pose different risks and coach them to use low-risk, enterprise-ready sanctioned applications in favor of high-risk alternatives. Cloudbleed only reaffirms the importance of taking a risk-based approach to cloud security and governance. By default, cloud use at work is the Wild West. Cloudbleed will not be the last vulnerability discovered that widely affects cloud services. With a proactive cloud governance strategy, companies can mitigate almost all of the risk posed by future vulnerabilities that target cloud applications.
What You Can Do
The greatest direct risk to enterprises is if their users have reused usernames and passwords between services – where credentials from the affected cloud services or web sites can then be used to access other services. The thing many users forget is that password reuse over a long period allows a hacker who finds a password from a long-forgotten service to try to reuse it on other services today.
This web page has a list of web sites that may have been compromised, including Uber, Medium, and OKCupid. We recommend that enterprise IT staff email all of their employees to inform them of the risk and get them to change any passwords that have been reused between services so that each password is unique.
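The audit that the post recommends (finding which employees used an affected service so they can be told which passwords to change) can be scripted from ordinary proxy or CASB access logs. The following is an added example written for this post, not Skyhigh's own tooling: the affected-domain list and the log lines are constructed placeholders, and the log format (timestamp, user, destination host) is an assumption. It matches hosts against affected domains on label boundaries so that `api.example-affected.com` is flagged while `notsample-notes.io` is not, skips malformed lines, and returns a per-user list of affected services plus the overall exposure rate.

```python
"""Cross-reference cloud access logs against a list of Cloudbleed-affected
domains to build a per-user password-reset list (added example)."""
from collections import defaultdict

# Constructed, illustrative affected domains; the real list is the one the
# post links to, and should be loaded from that source in practice.
AFFECTED_DOMAINS = {"example-affected.com", "sample-notes.io"}

# Constructed sample access-log lines: <timestamp> <user> <destination host>
SAMPLE_LOG = """\
2017-02-24T10:01:12Z alice@corp.example api.example-affected.com
2017-02-24T10:02:30Z bob@corp.example www.sample-notes.io
2017-02-24T10:03:05Z alice@corp.example mail.corp.example
2017-02-24T10:04:44Z carol@corp.example notsample-notes.io
2017-02-24T10:05:00Z bob@corp.example sample-notes.io
this line is malformed and is skipped
"""


def matches_affected(host, affected=AFFECTED_DOMAINS):
    """Return the affected domain that `host` equals or is a subdomain of,
    or None. Matching is on DNS label boundaries: a plain suffix check
    would wrongly flag 'notsample-notes.io' for 'sample-notes.io'."""
    host = host.lower().rstrip(".")
    for domain in affected:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def parse_log(text):
    """Yield (timestamp, user, host) tuples; lines that do not have exactly
    three whitespace-separated fields are treated as malformed and skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield tuple(parts)


def exposure_report(log_text, affected=AFFECTED_DOMAINS):
    """Map each user to the set of affected domains they accessed."""
    report = defaultdict(set)
    for _, user, host in parse_log(log_text):
        domain = matches_affected(host, affected)
        if domain is not None:
            report[user].add(domain)
    return dict(report)


def reset_list(report):
    """Users who should be told to change (and stop reusing) passwords."""
    return sorted(report)


def exposure_rate(report, total_users):
    """Percentage of users with at least one affected service."""
    if total_users == 0:
        return 0.0
    return 100.0 * len(report) / total_users


if __name__ == "__main__":
    report = exposure_report(SAMPLE_LOG)
    users_seen = {user for _, user, _ in parse_log(SAMPLE_LOG)}
    for user in reset_list(report):
        print(f"{user}: reset passwords for {', '.join(sorted(report[user]))}")
    print(f"exposure rate: {exposure_rate(report, len(users_seen)):.1f}%")
```

The per-user domain sets are what goes into the notification email; the exposure rate is the same kind of figure the post quotes at company level. Because the matching is done on the destination host rather than on the affected-site name, wildcard hosts such as API or CDN endpoints of an affected service are caught without a separate rule per hostname.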
For corporate services and sanctioned cloud services we recommend that the company implement two-factor authentication and force cloud access to pass through a Cloud Access Security Broker implemented together with a cloud-based two-factor authentication service.
We will host a webinar this week where we will review the direct actions and how you can view all cloud services in your organization and implement threat protection for cloud apps to expose unauthorized account utilization.
With Cloud, Nothing Was the Same
With typical software vulnerabilities, the battle rages long after their disclosure. A Gartner expert predicted that 99% of vulnerabilities exploited will have been known for at least 12 months. In other words, vulnerabilities will come, but the true difficulty and danger lies in patching. The agility of cloud services completely changes the landscape for exploits. One of the unique benefits of cloud services is the rapid deployment of updated software to all users. Cloudflare mitigated the vulnerability within 47 minutes of its disclosure and finished deploying a fix in under seven hours. This timeline is a night and day difference from the months and even years of fallout that come with a traditional software vulnerability.
No software is infallible. Cloudbleed is a reminder that risk-based security and rapid response can make a “catastrophic” vulnerability manageable.