Identity is the new perimeter in today’s digital landscape

The world of security is a constant chase. Remember when a strong castle wall, our network perimeter, kept the bad guys out and everything inside safe? Those days are long gone. The rise of cloud computing, mobile devices, and the ever-expanding Internet of Things (IoT) has shattered that perimeter into a million pieces.

This shift in landscape is forcing security to adapt. We are no longer guarding the castle gates but instead securing every doorway, the endpoints accessing our data. Forget the moat and the drawbridge; in today’s digital world, identity and the privileges associated with it are the keys to the kingdom. As a result of this critical evolution, emphasis has now shifted to the pivotal role of identity in creating secure environments and bolstering existing endpoint security strategies.

Continuously verifying both user and device identities is how organisations secure this new, endpoint-shaped perimeter. The need for it is underlined by cybercrime statistics.

According to the Singapore Police Force’s annual scam and cybercrime report, scams and cybercrime continue to be a key concern. In 2023, the number of reported scam and cybercrime cases rose by 49.6% to 50,376, compared to 33,669 cases in 2022. Despite this surge in cases, the total amount lost experienced a slight decline of 1.3% to SG$651.8 million in 2023, down from SG$660.7 million in 2022. This marks the first decrease in the total amount lost to scams in the past five years, although it remains notably substantial.

Not hacking in, logging in

As a testament to the ongoing cat-and-mouse nature of security, cybercriminals continue to demonstrate their ability to evolve. Rather than launching brute-force attacks in an attempt to gain access to systems, they are now focused on obtaining valid identity credentials.

Cybercriminals with such access could change the credentials of other authorised users or create fake identities that can later be used to gain additional access to resources. The consequences for an attacked organisation can be widespread disruption and losses.

The Okta support desk attack

An example of an identity-based attack was experienced by corporate authentication company, Okta. In late 2023, attackers gained access to Okta’s customer support systems.

In their public announcement on 20 October 2023, Okta stated that an attacker had gained unauthorised access to the customer support system by leveraging stolen login credentials, obtained through an employee’s compromised personal Google account.

By leveraging those stolen credentials, the attacker was able to hijack an Okta service account that had customer support system access, giving them access to files belonging to 134 customers who had used the Okta customer support system. Among these files were browser recording (HAR) files that were then used in an attempt to gain access to several customer environments.

The concerning thing about this attack is that it directly involved the identity fabric of the company. It did not require any sort of brute-force attack or the installation of malware on devices.
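The HAR files in the Okta case were uploaded by customers for troubleshooting and carried live session material. The following is an added example, not code from the article or from Okta, of the defensive step a customer can take before sharing a capture: redacting session-bearing headers, cookies and request bodies from a HAR document. The header list and the sample capture are constructed for the example.

```python
import copy
import json

# Header names that commonly carry session material. Constructed list for the
# example, not Okta's guidance; extend it for your own applications.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
REDACTED = "[REDACTED]"


def sanitize_har(har: dict) -> tuple[dict, int]:
    """Return a deep copy of a HAR 1.2 document with session-bearing headers,
    all cookie values and request bodies redacted, plus the redaction count."""
    out = copy.deepcopy(har)
    count = 0
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for hdr in msg.get("headers", []):
                if hdr.get("name", "").lower() in SENSITIVE_HEADERS:
                    hdr["value"] = REDACTED
                    count += 1
            for ck in msg.get("cookies", []):
                if "value" in ck:
                    ck["value"] = REDACTED
                    count += 1
            # Request bodies (login forms, token exchanges) can carry secrets too
            if side == "request" and "text" in msg.get("postData", {}):
                msg["postData"]["text"] = REDACTED
                count += 1
    return out, count


# Constructed minimal HAR capture used as sample input
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "GET", "url": "https://app.example.invalid/api/me",
            "headers": [{"name": "Authorization", "value": "Bearer abc123"},
                        {"name": "Accept", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "session-token-xyz"}],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=session-token-xyz; HttpOnly"}],
            "cookies": [{"name": "sid", "value": "session-token-xyz"}],
        },
    }]}
}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} values")
    print(json.dumps(clean, indent=2))
```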

Security best practices in an identity-focused world

In light of attacks such as the one conducted against Okta, it is vital that organisations carefully review the security measures they have in place.

Key steps should be followed to ensure that identity credentials are secure and user authorisations are appropriate. The steps include:

  • Deploying 2FA and MFA: Two-factor authentication (2FA) and multi-factor authentication (MFA) are powerful tools that can significantly improve the overall identity-based security of an organisation. While they are not infallible — as the Okta exploit demonstrated — they create a significant barrier for cybercriminals keen to gain access. It’s also important that 2FA and MFA be rolled out for all users, not just those who have higher levels of access. Often, cybercriminals who gain access via a standard user’s credentials are then able to move laterally through an infrastructure and gain access to significant resources.
  • Reviewing admin access rights: The credentials of users with admin rights are highly prized by cybercriminals as they can deliver unfettered access to an IT infrastructure. For this reason, it is important to limit admin rights to only those users who actually require them.
  • Monitoring for over-privileged users: While monitoring admin rights is vital, it’s also important to ensure that all users only have access to the resources they require to undertake their assigned roles. People change positions regularly, so checking that their credentials are still aligned with their responsibilities is important.
  • Monitoring your identity fabric: It’s also important to monitor and manage your organisation’s identity fabric. This includes closing dormant accounts and ensuring all users are legitimate.
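The four steps above, applied as one audit over a constructed identity export. This is an added example and not code from the article: the user records, the per-role entitlement baseline and the 90-day dormancy threshold are assumptions chosen for the demonstration.

```python
from datetime import date

# Constructed identity export in the shape of a typical IdP user listing.
# Names, dates, roles and entitlements are made up for the example.
USERS = [
    {"user": "alice", "role": "engineer", "mfa": True, "admin": False,
     "last_login": date(2024, 5, 2), "entitlements": {"repo-read", "repo-write"}},
    {"user": "bob", "role": "finance", "mfa": False, "admin": False,
     "last_login": date(2024, 4, 28), "entitlements": {"ledger-read", "repo-write"}},
    {"user": "carol", "role": "engineer", "mfa": True, "admin": True,
     "last_login": date(2023, 11, 3), "entitlements": {"repo-read", "repo-write"}},
    {"user": "svc-support", "role": "service", "mfa": False, "admin": True,
     "last_login": date(2024, 1, 15), "entitlements": {"support-cases"}},
]

# Entitlements each role is expected to hold (assumed policy, not from the article)
ROLE_BASELINE = {
    "engineer": {"repo-read", "repo-write"},
    "finance": {"ledger-read", "ledger-write"},
    "service": {"support-cases"},
}

DORMANT_DAYS = 90  # assumed threshold for a dormant account


def audit_identities(users, baseline, today, dormant_days=DORMANT_DAYS):
    """Run the four checks from the article and return findings per check:
    users without MFA, admin accounts to review, entitlements beyond the
    role baseline, and accounts with no login inside the dormancy window."""
    findings = {"no_mfa": [], "admin": [], "over_privileged": [], "dormant": []}
    for u in users:
        if not u["mfa"]:
            findings["no_mfa"].append(u["user"])
        if u["admin"]:
            findings["admin"].append(u["user"])
        extra = u["entitlements"] - baseline.get(u["role"], set())
        if extra:
            findings["over_privileged"].append((u["user"], sorted(extra)))
        if (today - u["last_login"]).days > dormant_days:
            findings["dormant"].append(u["user"])
    return findings


if __name__ == "__main__":
    for check, hits in audit_identities(USERS, ROLE_BASELINE, date(2024, 5, 10)).items():
        print(f"{check}: {hits}")
```

A service account with admin rights, no MFA and no recent login, as svc-support is here, is the profile the Okta attack exploited and should be the first finding acted on.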

The Okta attack above serves as a stark reminder: cyberthreats constantly evolve. While these steps can significantly bolster an organisation’s defences, vigilance remains paramount. By prioritising identity security and staying informed about emerging threats, organisations can stay ahead of the curve and build a resilient security ecosystem.