With the continued drumbeat of data breaches, security is front and center in every board room. Combined with the rapid adoption of cloud and mobile, Cloud Access Security Brokers (CASB), as Gartner calls them, are all the rage. But before you rush out to install a CASB, you might want to read this.
Last month, we looked at a CASB vendor who had patented a phishing attack by proxying SSO credentials - United States Patent 9,137,131. Let's call them CASB Vendor A. In that same blog post, we wondered why anybody would implement such a patent, as it exposes the customer to explosive and chronic phishing risk. Phishing is the leading cause of data breaches and was the cause of the Anthem breach, the Premera breach, the JPMorgan breach, etc. Data breaches caused by phishing are also the most difficult to detect, since the hacker gets insider credentials and goes about exfiltrating data unnoticed for months, if not years.
To our astonishment, CASB Vendor B implemented the teachings of the above patent and a major retailer of office supplies deployed that implementation. We discussed the hazards of that deployment in a blog post entitled "And the Next Major Data Breach is..." Since that blog post, we received inquiries from a number of customers with questions seeking clarification. Here, we share some of those questions and our answers.
Question 1: How long does it take for a hacker to exploit such a phishing vulnerability?
Answer: Known vulnerabilities are typically exploited within a few minutes of availability. Once in, the hacker has ample time to explore and exfiltrate data. The average breach currently lasts about 8 months before detection.
Question 2: We have a hundred thousand employees. Which of them is most likely to be phished?
Answer: Executives often fall for phishing attacks first as they receive a large volume of email and have less time to scan each for authenticity.
Question 3: How can a phishing attack become a data breach?
Answer: Once the hacker has the credentials for one insider, he would then impersonate that user to phish additional users. Since these secondary phishing emails appear to be internal emails, they are very hard to detect and enjoy rapid success at phishing additional users. Once the hacker gets credentials for a senior IT employee, the hacker proceeds to explore internal assets looking for data to exfiltrate.
Question 4: Our internal assets are protected with two-factor authentication. Can that prevent a phishing attack from turning into a data breach?
Answer: Two-factor authentication on internal servers definitely helps. Yet, in the case of the JPMorgan breach, the hacker found an internal server that had two-factor authentication inadvertently turned off, enabling him to exfiltrate large quantities of data unnoticed. That breach caused havoc for JPMorgan customers. In fact, one engineer at Bitglass, who had an account with JPMorgan, had his identity stolen entirely, resulting in a substantial and fraudulent charge for a downpayment towards the purchase of a condominium in Thailand.
Question 5: We use a CASB only for API analysis. Should we be concerned?
Answer: API analysis requires that you provide your CASB an OAuth token granting access to all your assets in the cloud. Secure storage of that token, following best practices and security standards, is very important. If your CASB vendor uses a proprietary security architecture at a proprietary data center, you should definitely be concerned.
Question 6: We upload proxy logs to a CASB for "Shadow IT discovery." Should we be concerned?
Answer: Proxy logs include information about the cloud applications your employees use. For example, employees using an unsanctioned file-sharing application for work will use their corporate credentials to log in to that application. Knowing the applications used by your users makes it easier for hackers to phish them. If your CASB vendor uses a proprietary security architecture at a proprietary data center, you should definitely be concerned.
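To make the concern in Question 6 concrete, here is an added example (not code from the original post or from any CASB product) that runs Shadow IT discovery over a handful of constructed proxy log lines and then pseudonymizes the usernames before the log leaves the organization. The log format, the sanctioned-app list, and the HMAC key are all constructed for illustration; the point is that the raw log maps named employees to named cloud apps, and that a keyed pseudonym preserves the per-user counts a discovery service needs while withholding the names a phisher would want.

```python
"""Shadow-IT discovery from proxy logs, with username pseudonymization.

Added example (not from the original post or any CASB product). Shows what a
proxy log reveals about cloud-app usage and how to pseudonymize usernames
before handing the log to a third party. Log lines, the sanctioned-app list
and the key are constructed for illustration.
"""
import hashlib
import hmac
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (W3C-style: date time client-ip user method url status).
SAMPLE_LOG = """\
2016-02-01 09:12:03 10.1.4.22 jdoe GET https://www.dropbox.com/home 200
2016-02-01 09:12:09 10.1.4.22 jdoe POST https://www.dropbox.com/upload 200
2016-02-01 09:15:41 10.1.7.8 asmith GET https://outlook.office365.com/owa/ 200
2016-02-01 09:16:02 10.1.9.3 bchen GET https://app.box.com/files 200
2016-02-01 09:16:30 10.1.4.22 jdoe GET https://wetransfer.com/ 200
2016-02-01 09:17:00 10.1.7.8 asmith GET https://www.dropbox.com/login 200
"""

# Constructed allow-list of sanctioned cloud apps (registrable domains).
SANCTIONED = {"office365.com"}


def registrable_domain(url):
    """Return the last two labels of the URL host, e.g. 'www.dropbox.com' -> 'dropbox.com'.
    A real deployment would consult the Public Suffix List; two labels suffice here."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def parse_log(text):
    """Yield (user, domain) pairs from each well-formed log line; skip malformed ones."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # malformed or truncated line
        _, _, _, user, _, url, _ = fields
        yield user, registrable_domain(url)


def discover_shadow_it(text):
    """Map each unsanctioned cloud app to the set of users seen accessing it."""
    apps = defaultdict(set)
    for user, domain in parse_log(text):
        if domain not in SANCTIONED:
            apps[domain].add(user)
    return dict(apps)


def pseudonymize(user, key):
    """HMAC-SHA256 of the username under a key that never leaves the organization.
    The receiver can still count distinct users and correlate their activity,
    but cannot read the usernames a phisher would need."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]


def sanitize_log(text, key):
    """Rewrite the user field of every well-formed line with its pseudonym."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 7:
            fields[3] = pseudonymize(fields[3], key)
        out.append(" ".join(fields))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    key = b"constructed-example-key-keep-in-house"  # constructed; store in a secret manager
    for app, users in sorted(discover_shadow_it(SAMPLE_LOG).items()):
        print(f"{app}: {len(users)} user(s) -> {sorted(users)}")
    print(sanitize_log(SAMPLE_LOG, key))
```

Running the discovery over the sanitized log yields the same app-to-user counts as the raw log, which is what the discovery service needs; only the raw log also tells an outsider that jdoe and asmith log in to Dropbox with their corporate credentials.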
Security standards are built around the collective wisdom of security professionals, driving transparency and best practices. If your CASB vendor operates on a proprietary data center with a proprietary architecture, you should be asking tough questions about how the CASB operates, how it handles user credentials, the provenance of the data center, certifications, security audits, whether your data is processed on encrypted volumes, key management and more.