Apparently, all it takes is a crying baby to get access to anyone's mobile phone account. People are notoriously easy to manipulate. Through various forms of social engineering, hackers are increasingly finding ways to get access to your organisation’s data, and the ongoing move to public cloud means they no longer need physical access to your premises. They can do it from the comfort of their home. The result is a massive increase in security incidents in both size and frequency, and this problem looks set to stay unless businesses start to focus on distinct operational changes. They’re coming for your data, and they’re getting in through you.
Revolut, Mailchimp, Uber, Marriott, Okta and Twilio have joined a long list of companies that have seen significant breaches through the targeting of identity credentials. Identity and multi-factor authentication have long been held up as the basic foundation of security, creating an extra barrier between an employee and a nefarious hacker. However, these approaches can fall foul of social engineering. The Twilio breach originated from SMS phishing messages requesting a sign-on through an attacker-controlled webpage, all of which appeared legitimate to employees because it used terms applicable to the company’s security setup - including ‘Okta’ and ‘SSO’.
Okta was breached through a ‘subprocessor’ company used for customer support, allowing access to Okta’s apps and systems. This takes identity targeting and expands it to a company’s wider ecosystem, exploiting weaker defences and processes. A similar approach was previously used to attack Microsoft and Roblox.
A Verizon report on breaches found that illegitimate use of credentials was responsible for 48% of breaches in 2021, an 11% increase on four years earlier. Phishing was responsible for the largest proportion of these breaches.
With single sign-on, or SSO, users no longer need to remember separate usernames and passwords for the plethora of applications their daily tasks require. Instead, they authenticate once with an identity provider such as Active Directory or Google. Single sign-on makes authentication user-friendly and creates a tightly interconnected web, bringing a personalised browsing experience without the hassle of creating and managing accounts across multiple services.
Ransomware has created many security issues over the past few years, however we will focus on the risk of data theft, particularly within your data warehouses.
Account compromise is still the largest problem facing the majority of online and public cloud products. Cookie hijacking, whereby an attacker steals the session cookies or login tokens issued after a successful sign-on, is now a close second.
Once obtained, these tokens quickly open up an entire cloud portfolio: attackers can use them to gain access to user accounts on other services without ever having obtained the original password.
Research from the University of Illinois stated, “User accounts in identity providers are now keys to the kingdom and pose a massive security risk.”
The real worry is that this ‘kingdom’ can be larger than many would expect. Software as a Service applications fall into this bracket, with a company's tools such as Tableau, PowerBI and Snowflake able to be compromised in this way. The movement from on-prem to cloud has also broken down many of the ‘Chinese walls’ that contained breaches of yesteryear, with large swathes of data immediately available once access is gained to data lakes and warehouses.
Active Directory’s wide adoption makes it a worthwhile attack vector for hackers, as its popularity means a large return on finding weaknesses in a company’s cybersecurity.
Furthermore, poorly structured access controls can leave more access open than you might expect. Individuals who have accumulated roles, or roles that have not been updated despite structural changes, for example, can all have an effect on whether access controls
SSO can thereby expose a large proportion of your tech stack to the internet - especially if access to the data lake, database, BI tools and dashboards is included in your VPN access. Suddenly, cloud data is exposed through social engineering and the perimeter that was set isn’t there anymore. You have to assume that attackers are everywhere in your stack once you have a breach.
Multi-factor authentication and SSO are definitely both important, despite the advancement of social engineering practices to circumvent them. Both lower the odds of experiencing a data breach when used properly. MFA in particular - or two-factor authentication - requires additional verification on top of a username and password. Google’s research from 2019 highlights its successes, showing that on-device MFA prompts sent to verify sign-in attempts stopped 100% of automated bots, 99% of bulk phishing attempts and 90% of targeted attacks.
MFA is not, unfortunately, the complete answer. MFA fatigue attacks, which spam an individual with repeated prompts and then impersonate the IT department to suggest accepting one, have worked in the past.
As mentioned before, fake MFA pages have also fooled individuals, highlighting that the human element is still the most vulnerable factor. The difficulty here is that humans are required en masse as companies scale, thereby increasing the risk profile for social engineering.
Cloud computing developments have also meant that the accumulation of new identities for each individual’s access to an app, service or tool has continued to multiply this risk.
So how does a company keep control and mitigate their risk profile amid this growth? How can you protect the most sensitive assets?
Some answers to these questions are fairly obvious. Encryption, and backing up data to limit the impact of deletion during an attack, are widely undertaken. Regular training is also habitually employed, although it may not always be up to date, as courses may not cover the latest techniques. Anomaly detection is, and will continue to be, a critical part of the cybersecurity playbook.
Data access management, especially in the time of multiple cloud products, is critical. This is why the top experts in data mesh recently talked about centralised access controls as the critical starting point for cloud-focused companies.
So what steps are on this access journey?
Reducing the scope of over-privileged users can be considered the first step along the road of controlling access. In the end, privileges are what give or take away access to any data. The more privileges that are granted and not used, the larger the risk of a severe breach in the case of an attack. These privileges can form the new Chinese walls of cloud environments - reducing, and critically containing, the blast radius of a successful attack.
The 2021 ransomware attack on Colonial Pipeline, which created fuel shortages and queues across south-east United States, came from one compromised VPN password for an account that had not been deactivated, despite no longer being in use.
This, unfortunately, is proof of a preventable breach. Straightforward monitoring of access to data, ensuring that privileges are revoked as individuals move roles or gain or lose access to certain sections of data, and not granting bulk role access for ‘ease’ all contribute to reducing your risk.
Monitoring and updating access is made easier by a logical and helpful interface. IAM is notorious for being difficult to understand without extremely specialist knowledge, which makes scaling hard.
Having a solution that provides easily understandable reports on access and usage, alongside the ability to edit or suggest privilege changes and enforce policy, can be the difference between having consistent and securely controlled data access, and giving an attacker easy access to critical information.
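To make the privilege review described above concrete, here is an added example (not code from the original article or from any product it mentions) that compares granted privileges against constructed usage records and reports grants never exercised, grants not used within a stale window, and principals with no activity at all - the dormant-account pattern behind the Colonial Pipeline breach. The record format and the 90-day window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data, not taken from any real system.
# GRANTS: (principal, privilege) pairs currently in force.
# USAGE: (principal, privilege, ISO timestamp) events where the privilege was exercised.
GRANTS = [
    ("alice", "warehouse:read"),
    ("alice", "warehouse:write"),
    ("bob", "warehouse:read"),
    ("bob", "bi:admin"),
    ("contractor1", "vpn:login"),
    ("contractor1", "warehouse:read"),
]
USAGE = [
    ("alice", "warehouse:read", "2023-03-01T09:12:00"),
    ("alice", "warehouse:read", "2023-03-28T14:05:00"),
    ("bob", "warehouse:read", "2023-03-27T08:00:00"),
    ("bob", "bi:admin", "2023-01-10T11:30:00"),
    ("contractor1", "vpn:login", "2022-11-02T16:40:00"),
]


def audit_privileges(grants, usage, as_of, stale_days=90):
    """Return (unused, stale, dormant) as sorted lists.

    unused:  grants with no usage event at all (candidates for removal)
    stale:   grants last exercised more than stale_days before as_of
    dormant: principals with no activity of any kind inside the window
    """
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=stale_days)
    # Most recent exercise of each (principal, privilege) pair.
    last_used = {}
    for principal, priv, ts in usage:
        t = datetime.fromisoformat(ts)
        key = (principal, priv)
        if key not in last_used or t > last_used[key]:
            last_used[key] = t
    unused = sorted(g for g in grants if g not in last_used)
    stale = sorted(g for g in grants if g in last_used and last_used[g] < cutoff)
    # Most recent activity per principal, across all privileges.
    last_seen = {}
    for (principal, _), t in last_used.items():
        if principal not in last_seen or t > last_seen[principal]:
            last_seen[principal] = t
    principals = {p for p, _ in grants}
    dormant = sorted(p for p in principals
                     if p not in last_seen or last_seen[p] < cutoff)
    return unused, stale, dormant


if __name__ == "__main__":
    for label, items in zip(("unused", "stale", "dormant"),
                            audit_privileges(GRANTS, USAGE, "2023-03-31")):
        print(label, items)
```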
The attacks on Roblox, Microsoft and Okta through ‘subprocessors’ could have been avoided, or the fallout mitigated, if a single source of access ‘truth’ had been shared or controlled between the organisations.
It is well understood that companies need help from such subprocessors for various roles. Many of these require access to financial data that is highly valuable to hackers. Having a single source of information for data access and usage across a company and its subprocessors can reduce the risk held by such an ecosystem. Furthermore, it gives a company the ability to track, trace or report on any breach that does happen from such a source - and to understand what data might have been accessed and what regulatory steps are necessary.
Data breaches will continue to happen. Social engineering will likely continue to be a successful tool for attackers to gain entry into companies’ networks. However, if individuals are over-privileged or roles are not kept up to date (as in the case of Colonial Pipeline), then companies are opening themselves up to risk.
Implementation of proper security processes, such as MFA, alongside a better approach and design for fine-grained data access management - including giving the ‘least privilege access’ for roles - can help mitigate the effect from attacks targeting identity credentials.