How the Okta breach exposed organisations’ cybersecurity immaturity
May 2022 by Julia O’Toole of MyCena Security Solutions
In early March 2022, authentication security company Okta reported that there had been an attempt to compromise the account of a third-party customer support engineer from Sitel in January. The organisation released a statement claiming that the matter had been investigated and contained.
Okta CSO David Bradbury later admitted that up to 366 customers may have been breached, apologising for not notifying customers earlier. In the weeks since the attack, Okta has released a conflicting statement arguing that the attack affected just two customers, although this is perhaps naïve and hard to prove. Okta has said it recognises the broad toll this kind of compromise can have on customers, but there is little to suggest that the attackers aren’t already lying dormant inside the networks of further customers.
This breach came from hacking group Lapsus$, who garnered notoriety following a four-month spree of cyberattacks, leaking data from high-profile technology companies, including Nvidia, Samsung, Ubisoft and even Microsoft. What’s interesting about the gang’s approach is just how “low-tech” it has been. Its cybercriminals have successfully breached multinational corporations with millions invested in cybersecurity protocols with simple techniques like social engineering, password phishing, or simply paying employees for their credentials.
What is concerning is the ease and depth of penetration spanning from this single breach; the group claims to have obtained access to 95% of Okta’s 15,000 customers.
Incredibly, in its investigation, Mandiant reported that the group accessed a spreadsheet on Sitel’s internal network called “DomAdmins-LastPass.xlsx”; the file was supposedly a list of passwords for domain administrator accounts exported from a LastPass password manager.
Immaturity on a global scale
The fact that such simple methods potentially led to accessing thousands of sensitive files exposes the immaturity of organisations’ access control and cyber-resilience models. The reality is criminals don’t need to hack in, they log in, with nine out of ten breaches using a legitimate password.
When we moved from a physical to a digital world, people lost their bearings and security instincts, honed by our experiences in the physical world, and started mixing identity and access.
In the physical world, the difference is clear and straightforward in our everyday life. People use their identity to identify themselves, for example when they cross a border or sit an exam.
People use access keys to open doors. Doors don’t recognise people; they just open for whoever holds the key: no key means no access. People don’t memorise and forge their keys when they go home; they take their keys out and use them. In companies, managers hand access keys to employees when they join and take them back when they leave.
But in the digital world, things changed. People use their identity to open digital doors. Companies let their employees use their identity and make their own keys, or passwords, to open the company’s doors and access networks, systems and data, giving away access control to their employees.
Having no control over or visibility into how those digital keys are managed, companies can consider all their passwords compromised by default, which automatically exposes them to password phishing, unauthorised sharing, loss and fraud.
The threat of single access
In the physical world, people can see physical threats, recognise weapons and life-threatening situations and avoid high-risk situations. That’s why people don’t have a single key that can open their house, their car and their bank account: they know that if they lose it, they lose everything at once. But in the digital world, people cannot see or feel digital risks such as malware, phishing, ransomware or single access. By using single access – a single password or identity – companies lose access segmentation, isolation, air-gapping and a multi-layered approach to security. Single-access convenience means an “obstacle-less” access flow for criminals. Hence the common use of single access (SSO, IAM, PAM) has exacerbated the impact of any breach by facilitating the jump from company to company in a supply-chain attack, as illustrated by Lapsus$ going from Sitel to Okta to Okta’s customers within a matter of hours.
Once inside a host network, criminals can scan and exfiltrate the most valuable data, destroy backups and deploy a ransomware payload. It accelerates lateral movement, privilege escalation and supply-chain attacks, depriving companies of any cyber-resilience.
The enduring problem of loss of access control and segmentation
For years, companies have claimed that breaches have stemmed from sophisticated attacks. But the reality is that most breaches start with internal error or fraud. That’s why letting employees manage companies’ access is by far the most dangerous and serious threat to companies’ security. With so many breaches and errors still undiscovered, companies may not even know they are in danger until it’s too late. Their access may also have already been compromised through someone else who didn’t know that they’d been breached either.
This explains why the increase in cybersecurity budgets over the years has not improved cybersecurity: the frequency and impact of breaches keep getting worse. Investing in technology to monitor and counter external threats, or in post-crisis management, has not solved the problem of the loss of access control and segmentation. A group of teenage hackers has simply brought to light the ineffectiveness of companies’ cybersecurity programmes.
Put access control at the heart of your cybersecurity strategy
It is therefore of vital importance for companies to put access control and segmentation at the heart of their security strategy. Companies that segment access across their entire digital infrastructure, and distribute strong, unique and encrypted keys to their employees, remove the potential for unauthorised password sharing, theft or phishing. They also take access risk management back from the hands of their employees, who no longer need to create, remember or type passwords.
With system segmentation and a unique strong password for each digital door, if one system is breached, for example in a supply-chain attack, that breach is contained. Without a single point of failure, the rest of the network stays safe, which limits what criminals can access and keeps ransomware at bay.
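The containment argument above can be made concrete with a small audit. The Python below is an added illustration, not code from the article or from MyCena; the system inventory is constructed, and the function names (`blast_radius`, `worst_case`, `reused_credentials`, `segment`) are this example’s own. It measures how many systems fall if any one credential leaks, first for a shared “single access” credential and then after issuing a fresh random secret per system, so that no key opens more than one door.

```python
import secrets
from collections import defaultdict

# Constructed inventory: system name -> identifier of the credential it accepts.
# Several systems accepting the same credential is "single access" in the
# article's sense: one leaked password opens all of them at once.
SHARED_INVENTORY = {
    "hr-portal": "cred-sso",
    "finance-db": "cred-sso",
    "ci-server": "cred-sso",
    "backup-vault": "cred-sso",
    "wiki": "cred-wiki",
}


def blast_radius(inventory):
    """Map each credential id to the set of systems it opens."""
    radius = defaultdict(set)
    for system, cred in inventory.items():
        radius[cred].add(system)
    return dict(radius)


def worst_case(inventory):
    """Number of systems lost if the most widely reused credential leaks."""
    return max(len(systems) for systems in blast_radius(inventory).values())


def reused_credentials(inventory):
    """Credential ids that open more than one system (the segmentation gaps)."""
    return sorted(c for c, s in blast_radius(inventory).items() if len(s) > 1)


def segment(inventory, nbytes=32):
    """Issue one fresh, unique, CSPRNG-generated secret per system.

    Returns (new_inventory, issued): the re-keyed inventory and a mapping of
    new credential id -> secret value. In a real deployment the secret values
    would go straight into an encrypted store, never to the employee in clear.
    """
    new_inventory, issued = {}, {}
    for system in inventory:
        cred_id = f"cred-{system}-{secrets.token_hex(4)}"  # unique per system
        new_inventory[system] = cred_id
        issued[cred_id] = secrets.token_urlsafe(nbytes)    # nbytes*8 bits of entropy
    return new_inventory, issued


if __name__ == "__main__":
    print("shared model: worst-case blast radius =", worst_case(SHARED_INVENTORY),
          "reused:", reused_credentials(SHARED_INVENTORY))
    segmented, _ = segment(SHARED_INVENTORY)
    print("segmented model: worst-case blast radius =", worst_case(segmented),
          "reused:", reused_credentials(segmented))
```

Run as a script it reports a worst case of four systems for the shared credential and one after segmentation. The same audit run over a real inventory (identity provider group memberships, service-account usage, shared vault entries) gives a defender a number to track: the largest single-credential blast radius should trend towards one.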