Orca Security released the
2024 State of Cloud Security Report,
which provides important insights into current and emerging cloud risks
captured by the Orca Cloud Security Platform. Among the report's key
findings is that 81% of organizations have public-facing neglected
assets with open ports, prime targets for attackers who routinely perform
reconnaissance to detect exposed ports and known vulnerabilities.
Compiled by the Orca Research Pod,
the State of Cloud Security Report captures analyzed data from billions
of cloud assets on AWS, Azure, Google Cloud, Oracle Cloud, and Alibaba
Cloud scanned by the Orca Cloud Security Platform in 2023. Based on
risks found in actual production environments, the report highlights the
most common and significant cloud security risks and how these can be
avoided.
"The past year has seen shrinking budgets and an unprecedented economic
climate that's put cybersecurity defenders at a disadvantage," said Gil
Geron, CEO and Co-founder of Orca Security. "As attackers become
increasingly sophisticated by leveraging AI and new attack vectors, and
with most organizations utilizing three or more cloud service providers,
cloud environments have become more complex than ever before. Despite
these challenges, security teams can stay one step ahead of their
attackers, not by trying to address all risks, but by prioritizing and
efficiently remediating the most critical risks that put their business
critical assets at risk."
Report Key Findings
The Orca Security 2024 State of Cloud Security Report finds that:
- The vast majority of organizations have neglected assets that are wide open for attackers: Neglected assets, with an unsupported operating system or no patching for 180 days, are already vulnerable. Four out of five organizations have public-facing neglected assets with open ports, including the widely targeted ports 80, 443, 8080, 22, 3389 or 5900, making them prime targets for attackers.
- Misconfigured data storage leaves sensitive information vulnerable: 21% of organizations have at least one public-facing storage bucket with sensitive data that should not be publicly accessible. This increases the risk of data theft and extortion, ransomware, reputational damage, and regulatory penalties.
- Nearly two-thirds of organizations have severe vulnerabilities in their code: These vulnerabilities, with a CVSS score higher than 7, exist in code that could imminently be pushed to production environments and cause data breaches, system compromises, and supply chain attacks.
- Exposed Kubernetes API servers are on the rise as adoption surges: 82% of organizations have a Kubernetes API server that is publicly accessible, marking a 12% increase from Orca Security's 2022 State of Public Cloud Security Report. While intentional public access exists for testing, the majority of publicly accessible API servers stem from misconfigurations.
- Stringent security protocols are needed for managing cloud-based AI models: Machine learning models built using cloud-based AI platforms like Amazon SageMaker are at risk, with 82% of SageMaker users having at least one notebook exposed to the internet, where malicious actors can gain unauthorized access to proprietary code, which could even lead to remote code execution.
- Basic security practices are still lacking: For example, 61% of organizations have a root user or account owner without Multi-Factor Authentication (MFA), inviting bad actors who can potentially try to obtain login credentials using dictionary and password spraying attacks. MFA adds an extra layer of authentication assurance beyond traditional credentials, is simple to implement, and reduces the risk of unauthorized access.
"This report is a valuable resource for cloud security practitioners,
DevSecOps, and others concerned with cloud security and speaks to the
vulnerabilities that still plague corporate cloud infrastructures that
need immediate attention," said Illena Armstrong, President at Cloud
Security Alliance. "Undoubtedly, the report's findings should compel
cybersecurity and cloud teams to review their own environments to
address the especially worrisome gaps that are called out."