Google is reporting that weak passwords accounted for almost half of security breaches affecting Google Cloud customers. Google is seeing nation state actors finding success exploiting “weak identity verification practices” according to Chris Porter, head of threat intelligence for Google Cloud “The percentage that’s a software issue or a zero-day, you know, it’s not zero, but it goes down and down and down. That’s a trend we generally expect to continue,” Porter said.
Google reports that compromise of API’s to gain permissions into a company systems is the second most common avenue of attack on their cloud systems and accounted for nearly one fifth of all reported incidents. They point out that ransomware attacks in the cloud, threatening to release stolen data, have become common events.
I have three comments on this. The first is from Willy Leichter, VP, Cyware:
“This report seems depressingly familiar, that our oldest security problems – poor password practices and leaked API credentials, lead to the majority of attacks. But we must move beyond our typical response – trying to train and cajole end-users to be more careful. We need to assume that users will be careless, design better defense-in-depth, and leverage the explosion of AI tools to detect poor security practices, and advanced attacks that will always find weak points to exploit.”
The next is from Roy Akerman, Co-Founder & CEO, Rezonate:
“This confirms the same exact information we have seen for the past decade. Identity was and remains the biggest risk, and the true “zero-day”, organization must address with priority. Current identity security approaches are fragmented across many tools and teams and does not fit today’s reality of a constantly changing infrastructure. Identity security hasn’t evolved for the past decade for the purpose of detecting identity exploitation. We were too busy managing and allowing access vs monitoring and detecting unauthorized access behaviors and a true end-to-end view across all stages of the identity lifecycle.”
The final comment is from George McGregor, VP, Approov:
“The combination of weak passwords and careless API key management is a dangerous cocktail which opens up APIs as an attack surface for hackers. Better discipline in general is of course important, but developers should also put in place runtime solutions to prevent stolen keys being exploited. This can be done effectively by using app and device attestation combined with secret management solutions which allow keys to be rotated immediately if compromised or changed.”
This is depressing and hopefully this report from Google serves as a wake up call to do better on the security front. Because we live in a time where not doing better will end badly more often than not.
Like this:
Like Loading...
Related
This entry was posted on April 15, 2023 at 8:12 am and is filed under Commentary with tags Google. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Google Report Highlights Weak Passwords Account For Almost Half Of Security Breaches…. Yikes!
Google is reporting that weak passwords accounted for almost half of security breaches affecting Google Cloud customers. Google is seeing nation state actors finding success exploiting “weak identity verification practices” according to Chris Porter, head of threat intelligence for Google Cloud “The percentage that’s a software issue or a zero-day, you know, it’s not zero, but it goes down and down and down. That’s a trend we generally expect to continue,” Porter said.
Google reports that compromise of API’s to gain permissions into a company systems is the second most common avenue of attack on their cloud systems and accounted for nearly one fifth of all reported incidents. They point out that ransomware attacks in the cloud, threatening to release stolen data, have become common events.
I have three comments on this. The first is from Willy Leichter, VP, Cyware:
“This report seems depressingly familiar, that our oldest security problems – poor password practices and leaked API credentials, lead to the majority of attacks. But we must move beyond our typical response – trying to train and cajole end-users to be more careful. We need to assume that users will be careless, design better defense-in-depth, and leverage the explosion of AI tools to detect poor security practices, and advanced attacks that will always find weak points to exploit.”
The next is from Roy Akerman, Co-Founder & CEO, Rezonate:
“This confirms the same exact information we have seen for the past decade. Identity was and remains the biggest risk, and the true “zero-day”, organization must address with priority. Current identity security approaches are fragmented across many tools and teams and does not fit today’s reality of a constantly changing infrastructure. Identity security hasn’t evolved for the past decade for the purpose of detecting identity exploitation. We were too busy managing and allowing access vs monitoring and detecting unauthorized access behaviors and a true end-to-end view across all stages of the identity lifecycle.”
The final comment is from George McGregor, VP, Approov:
“The combination of weak passwords and careless API key management is a dangerous cocktail which opens up APIs as an attack surface for hackers. Better discipline in general is of course important, but developers should also put in place runtime solutions to prevent stolen keys being exploited. This can be done effectively by using app and device attestation combined with secret management solutions which allow keys to be rotated immediately if compromised or changed.”
This is depressing and hopefully this report from Google serves as a wake up call to do better on the security front. Because we live in a time where not doing better will end badly more often than not.
Share this:
Like this:
Related
This entry was posted on April 15, 2023 at 8:12 am and is filed under Commentary with tags Google. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.