Study reveals that known vulnerabilities, unsecured storage assets and failure to follow best practices is leading to an average cloud attack path of only three steps to reach an organization’s crown jewels

PORTLAND, OR – September 13th, 2022 – Orca Security, the cloud security innovation leader, today released the 2022 State of the Public Cloud Security Report, which provides important insights into the current state of public cloud security and where the most critical security gaps are found. One of the report’s key findings is that the average attack path is only 3 steps away from a crown jewel asset*, which means an attacker only needs to find three connected and exploitable weaknesses in a cloud environment to exfiltrate data or hold an organization to ransom.

The report, compiled by the Orca Research Pod, includes key findings from analyzing cloud workload and configuration data captured from billions of cloud assets on AWS, Azure and Google Cloud scanned by the Orca Cloud Security Platform from January 1st until July 1st, 2022. The report identifies where critical security gaps are still being found and provides recommendations on what steps organizations can take to reduce their attack surface and improve cloud security postures.

“The security of the public cloud not only depends on cloud platforms providing a safe cloud infrastructure, but also very much on the state of an organization’s workloads, configurations and identities in the cloud”, said Avi Shua, CEO and co-founder, of Orca Security. ”Our latest State of the Public Cloud Security report reveals that there is still much work to be done in this area, from unpatched vulnerabilities and overly permissive identities to storage assets being left wide open. It is important to remember, however, that organizations can never fix all risks in their environment. They simply don’t have the manpower to do this. Instead, organizations should work strategically and ensure that the risks that endanger the organization’s most critical assets are always addressed first”.

Report Key Findings

The Orca Security 2022 State of the Public Cloud Security Report finds that:

• Crown jewels are dangerously within reach: The average attack path only needs 3 steps to reach a crown jewel asset, which means an attacker only needs to find three connected and exploitable weaknesses in a cloud environment to exfiltrate data or hold an organization to ransom.
• Vulnerabilities are the top initial attack vector: 78% of identified attack paths use known vulnerabilities (CVEs) as an initial access attack vector, highlighting that organizations need to prioritize vulnerability patching even more.
• Basic security practices are not being followed: Many basic security measures such as Multi-Factor Authentication (MFA), least-privilege permissions, encryption, strong passwords, and port security are still not being applied consistently. For example, 42% granted administrative permissions to more than 50% of the organization’s users, 71% use the default service account in Google Cloud, and 7% have Internet-facing neglected assets (i.e. unsupported operating system or unpatched for 180+ days) with open ports 80, 443, 8080, 22, 3389 or 5900.
• Cloud-native services are being overlooked: Even though cloud-native services are easily spun up, they still require maintenance and proper configuration: 69% have at least one serverless function exposing secrets in the environment variable, 70% have a Kubernetes API server that is publicly accessible, and 16% of containers are in a neglected state (i.e. unsupported operating system or unpatched for 180+ days).

Additional Resources

• Download the full report
• Blog post announcement
• Orca Research Pod

About Orca Security

Orca Security is the industry-leading agentless Cloud Security Platform that identifies, prioritizes, and remediates risks. Orca Security connects to your environment in minutes with patent-pending SideScanning technology to provide complete coverage across vulnerabilities, malware, misconfigurations, lateral movement risks, weak and leaked passwords, and overly permissive identities. Founded in 2019, Orca Security is trusted by hundreds of customers globally, including Databricks, Autodesk, NCR, Gannett, and Robinhood. Connect your first account in minutes: https://orca.security or take the free cloud risk assessment.

*A ‘crown jewel’ asset includes sensitive data (such as PII or financials), credentials that allow root access, and other assets identified as business critical.