With businesses around the globe—especially in the United States, Canada, and Western Europe—bracing for potential cyber-attacks orchestrated by Russia or its hackers, a leading cyber security firm is warning most software upgrades are not adequately addressing the most vulnerable component of the “modern cyber-attack surface.”
Most business security policies and resilience upgrades are focused on physical infrastructure, such as PCs, smartphones, routers, and IoT (Internet of Things) devices, but the vast majority of organizations’ assets and security susceptibilities are now in the cloud, according to a recently published study by JupiterOne.
The study, the 2022 State of Cyber Assets Report, analyzed 372 million data points at nearly 1,300 organizations to assess the security of their cloud workloads, networks, apps, data, and connected devices now part of their “cyber asset universe.”
“Enterprises that are adopting the cloud in a rapid fashion are seeing the most explosive level of growth in their cyber asset quantity and, thus, their attack surface,” JupiterOne chief marketing officer Tyler Shields told The Epoch Times on March 23.
The Morrisville, North Carolina-based company, recently named a “2021 Start-up of the Year” by the Business Intelligence Group’s BIG Awards for Business, maintains “traditional approaches to IT asset inventory do not capture the largest percentage of attack surface” and must be remedied to do so.
According to the study, 97 percent of “security findings”—potential security issues—were generated within cloud assets, such as applications, hosts, and containers.
Nearly 90 percent of all information technology assets are now cloud-based, JupiterOne’s report notes.
Physical devices—PCs, smartphones, routers, IoT—represent less than 10 percent of total devices within organizations, generating only about 3 percent of security findings, according to the report, but get the bulk of attention in cyber security upgrades.
Cloud-specific policies, on the other hand, constitute only 28.8 percent of cyber security policies across the 1,300 businesses analyzed, JupiterOne said in its report.
“Shifts towards cloud-native development, micro-services, and scale-out architecture have profoundly impacted security teams, who are overworked, understaffed, underskilled, and navigate an average backlog of over 120,000 security findings,” said JupiterOne field security director Jasmine Henry, lead author of the report.
“Enterprise asset inventories have changed significantly, and for the first time in history, assets are not necessarily deployed by humans,” she continued in a statement accompanying the report. “The landscape demands new, automated approaches to attack surface management.”
“During the pandemic, businesses turned to cloud technologies to support the surge in remote work and maintain some semblance of normalcy in business operations,” added JupiterOne chief information security officer and head of research Sounil Yu in the statement.
“Unfortunately, the rapid digital transformation also resulted in new entry points for cyber-attacks by malicious threat actors.”
JupiterOne’s research “shines a light on the sheer volume of cyber assets in today’s landscape and serves as a warning to business leaders and security professionals to take better stock of their assets so that they can understand the risk implications from their expanded attack surface,” Yu said.
Henry said while IT security professionals understand how large their cloud inventory is and its potential vulnerabilities until JupterOne’s study there was little data available to explain to “non-technical executives” how the expansion has created security concerns.
Among primary concerns is “third-party code risk,” according to the report, noting 91.3 percent of code assets in the average organization are developed by a vendor or third party and is a growing supply chain vulnerability.
“The major cybersecurity headlines last year included some terrifying software supply chain vulnerabilities from enterprise sources like SolarWinds and open-source software like Log4j,” Henry said.
“In fact, software supply chain security became nearly unmanageable for security teams in 2021, and the state of cyber assets in 2022 shows why.”
“JupiterOne is focused on helping our customers understand their cyber asset universe and as such get a grip on the security of those assets,” Shields said.
“We put the research out there for others to understand the potential risk that comes with the rapid growth of their asset count.”
The report maintains developers should rapidly decommission and reboot cloud assets, and shift security conversations toward analytics, visualization, and automation.
Shields said to do this sooner rather than later.
“The potential for Russian cyber-attack is real,” he said.
“The revelation of the amount of attack surface available with the rapidly expanding asset count in enterprises doesn’t change that risk, but it does expose what some potential areas of target may be.”