Editor’s note: On Halloween, what better time to reflect on what have been some of the spookiest cybersecurity incidents of the year? See below for analysis of some of the year’s most significant cyber incidents from industry experts Aaron Turner and Shannon Lietz, and find additional cybersecurity insights and resources from ISACA here.
While technically spanning both 2022 and 2023, the LastPass incident impacted a large segment of the security community due to the adoption of its services for password generation and vaulting. The terrifying aspect of the LastPass incident for me was the fact that the adversary in that case was so patient, and instead of focusing on attacking enterprise-managed resources to get a foothold to gain access to cloud storage keys, their kill chain actually started with a home network that had an open port with a vulnerable media server configured on it.
How many enterprise security teams are monitoring the integrity of their privileged users’ home network configurations? Based upon the success of the LastPass incident and several others that I have helped to clean up with IANS Research Decision Support Customers, I believe it is now time to move toward policies for any user who has elevated privileges in cloud environments to follow much more disciplined operating procedures. For example:
- Recommend that privileged cloud users configure a work network completely isolated from any home IoT or other unmanaged systems with remotely exploitable vulnerabilities, and ensure that the isolated network never exposes any network ports to the internet.
- Force a daily update and reset for all browsers used by privileged cloud users.
- Configure cloud-based privileged access workstations, which are built from scratch on a per-session basis, and set network policy restrictions that cloud privileged users can only use those virtual workstations for cloud IaaS/PaaS/SaaS administration.
- Require the use of hardware FIDO2 tokens for all MFA operations for the use of a privileged identity in a cloud environment.
The String of Okta Incidents
It’s been a rough year for all identity providers—from JumpCloud’s key integrity problems to Microsoft’s Storm signing key incident to all of the problems that Okta customers have seen. On IANS Ask an Expert calls, I have fielded questions like, “How can we reduce the risk of these Okta incidents?” I think it is incredibly important for everyone to realize that identity is the control plane that matters in a post-on-prem-firewall world. If a user’s digital identity is the equivalent of the new perimeter in our evolving security architectures, then we need to make sure that identity supply chains are as clean and simple as possible. For example, organizations that are using Microsoft 365 services for messaging and collaboration have access to Microsoft Entra’s single sign-on and federated identity capabilities. In fact, the NSA published guidance three years ago that clearly outlined that organizations using M365 should not use any third-party identity provider in allowing user access to those cloud services—not even allowing federation to on-premises, legacy Active Directory forests or relying on ADFS for synchronization.
If an organization must use Okta for identity management, then it is critical that the connections between legacy directories and cloud federated platforms be monitored in a hyper-vigilant way. The same recommendation holds true for any identity add-on (such as Duo for MFA): it should be eliminated, and the Okta identity supply chain should be simplified to reduce the overall attack surface available for compromising an Okta-provisioned identity.
We as a security community need to help each other learn from the hard lessons of the last year, and sometimes that means making difficult decisions that fundamentally impact the user experience of standard users and privileged administrators. As long as we can articulate the value proposition for these changes, we can hopefully motivate users to go on this evolving digital identity journey together.
Rapid Reset Vulnerability
A recent discovery, the Rapid Reset vulnerability, demonstrates the challenges in using CVSS to evaluate a critical vulnerability. At 7.5 out of 10, this vulnerability (CVE-2023-44487) may actually be more critical than is being communicated. Given its potential to cause availability outages, this denial-of-service vulnerability is critical, and it demonstrates the challenge of a zero-day vulnerability requiring weeks to patch across myriad technologies throughout the industry.
Often, software manufacturers are learning about these vulnerabilities from the news rather than having a mechanism to better understand critical industry-wide vulnerabilities. More importantly, when these vulnerabilities exist at the protocol level, they reveal a gap in testing coverage. Organizations commonly ask, “Should we be concerned?” The answer to this question is often determined as a result of adversary profiling and evaluating the risk posture of an organization.
MOVEit Hack
While Progress Software quickly provided a patch for a MOVEit zero day/SQL injection vulnerability (CVE-2023-34362) found in their file transfer software, the damage had already been done. The Clop ransomware gang had been using the software to loot companies of their data and send ransom notices to negotiate before releasing the data to the dark web.
This was an unfortunate incident, because it demonstrates several critical issues that need to improve across the industry. In particular, while companies choose commercial vendors to support their needs, a layered, defense-in-depth security architecture is still needed to ensure safe capabilities. During vendor evaluation, buyers would be better served by understanding installation and maintenance requirements as part of total cost of ownership, with security control needs identified.
Additionally, third-party patch management velocity needs to improve to keep up with adversary capabilities. Organizations commonly ask, “How can we ensure better controls for third-party software?” The answer to this question is often determined by solution placement as well as required hardening. Third-party software brings with it the potential for new adversaries that need to be considered as part of an organization’s risk posture.