Virtually all security professionals believe that human error could put the security of cloud data at risk, according to new research published today.

A survey commissioned by Tripwire and carried out last month by Dimensional Research found that 93% of security professionals were concerned that human error could result in the accidental exposure of their cloud data.

Despite their concern over human error, 22% of those surveyed said that they assess their cloud security posture manually.

The survey evaluated the opinions of 310 security professionals on the implementation of cloud security best practices.

According to the research, a number of organizations experience difficulties in monitoring and securing their cloud environments. A majority of security professionals (76%) state they have difficulty maintaining security configurations in the cloud, and 37% said their risk management capabilities in the cloud are worse compared with other parts of their environment.

Other findings were that security professionals tend not to keep tabs on their real-time cloud security situation. Only 21% of organizations were found to assess their overall cloud security posture in real time or near real time.

While 21% said they conduct weekly cloud security evaluations, 58% said they wait until a month or more has gone by.

Maintaining security was a challenge for most organizations, with only 22% saying that they are able to maintain continuous cloud security compliance over time.

“Security teams are dealing with much more complex environments, and it can be extremely difficult to stay on top of the growing cloud footprint without having the right strategy and resources in place,” said Tim Erlin, vice president of product management and strategy at Tripwire.

“Fortunately, there are well-established frameworks, such as CIS benchmarks, which provide prioritized recommendations for securing the cloud. However, the ongoing work of maintaining proper security controls often goes undone or puts too much strain on resources, leading to human error.”

The amount of automation employed varied across cloud security best practices. While 51% use automated alerts with context for suspicious behavior, only 45% automatically assess new cloud assets as they are added to the environment.

A substantial proportion of second hand mobile phones are vulnerable to being hacked due to not being supported by important security updates, an investigation by Which? has found.

The analysis centered around three popular mobile phone retailers: SmartFoneStore, Music Magpie and CeX. The worst affected was CeX, where nearly a third (31%) of phones sold are no longer supported by security updates from manufacturers. For SmartFoneStore, 17% of models sold were unsupported, while for Music Magpie it was 20%.

This is providing cyber-criminals with opportunities to target older vulnerabilities in these devices.

Which? said that it presented the three companies with the findings, and since then SmartFoneStore has issued a warning on unsupported devices so people are aware before they buy them, while Music Magpie has removed all the affected devices from sale. However, it has not yet received a response from CeX.

Which? has advised that customers check the manufacturer’s security updates page to find out this information before purchasing a used phone.

Commenting on the findings, Jake Moore, cybersecurity specialist at ESET, said: “It may sound like a great deal to purchase an older and cheaper device, but unfortunately you can’t put a price on security.

“Older phones notoriously have a use-by-date when they are no longer supported by security patches. These devices will often still work as normal on the surface, but threat actors can use older vulnerabilities under the hood to target their victims with ease, so those at risk must be reminded to check which operating system it currently supports before purchasing.”

For phones operating off an Android operating system, there will typically be two years of operating system updates and three years of security updates. For Apple iPhones, system and security updates are usually packaged together and these will continue for an average of five to six  years.

The number of commodity malware campaigns exploiting machine identities doubled between 2018 and 2019, according to new research.

The rapid increase in this particular type of cyber-scourge was unearthed by threat analysts at Venafi, who gathered data on the misuse of machine identities by analyzing security incidents and third-party reports in the public domain.

Among the attacks encountered by Venafi’s Threat Intelligence Team were several high-profile campaigns, including TrickBot, Skidmap, Kerberods, and CryptoSink.

Overall, malware attacks utilizing machine identities were found to have grown eightfold during the last 10 years. Within the last five years, the number of attacks was found to have increased more rapidly.

The findings are part of an ongoing threat research program focused on mapping the security risks connected with unprotected machine identities.

Campaigns exploiting machine identities were once the preserve of large-scale cyber-criminal operations but are now being used in off-the-shelf malware, according to Yana Blachman, threat intelligence researcher at Venafi.

“In the past, machine identity capabilities were reserved for high-profile and nation-state actors, but today we’re seeing a ‘trickle-down’ effect,” said Blachman. “Machine identity capabilities have become commoditized and are being added to off-the-shelf malware, making it more sophisticated and harder to detect.”

Blachman said these deceptively simple campaigns are far more dangerous than they appear.

“Massive botnet campaigns abuse machine identities to get an initial foothold into a network and then move laterally to infect further targets,” said Blachman.

“In many recorded cases, bots download crypto-mining malware that hijacks a target’s resources and shuts down services. When successful, these seemingly simple and non-advanced attacks can inflict serious damage on an organization and its reputation.”

The millions of applications and billions of devices that exist in the world use machine identities made from cryptographic keys and digital certificates to authenticate themselves to each other so they can communicate securely.

“To protect our global economy, we need to provide machine identity management at machine speed and cloud scale,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

“Every organization needs to ensure they have full visibility and comprehensive intelligence over every authorized machine they are using in order to defend themselves against the rising tide of attacks.”

Email account takeover (ATO) attacks often last for over a week and result from employees reusing passwords across multiple sites, according to new research from Barracuda Networks.

The security vendor teamed up with researchers at UC Berkeley to study the lifecycle of email ATO attacks, examining 159 compromised accounts across 111 organizations.

The study revealed that attacker dwell time for over a third of accounts was more than one week, emphasizing the importance of monitoring and threat removal tools to spot suspicious behavior post-compromise.

Interestingly, in a fifth (20%) of cases, compromised accounts featured in at least one previous password breach. This suggests that attackers are exploiting credential reuse to hijack accounts, either through credential stuffing or similar automated techniques, although phishing is still a popular way to obtain log-ins.

In the vast majority (93%) of ATO incidents studied, the attacker did not use the account to send out phishing emails, perhaps concerned that this would increase their chances of being exposed.

Barracuda speculated that instead, they could be using the accounts to launch conversation hijacking attacks, or that they had simply performed ATO in order to sell the account to another cyber-criminal.

Supporting the second theory is the fact that, in 31% of cases, accounts are compromised by one actor and then used by a different player to mine for information, or monetized in another way.

This again emphasizes the importance of rapid intrusion detection and response, the report claimed.

A single actor compromised and utilized accounts in 51% of cases.

Attackers are most likely to use hijacked email accounts to go after email-related Office 365 applications (78%). Of the remaining 22% cases, the majority (17%) featured attempts to access SharePoint for sensitive documents.