It is common knowledge that the Hippocratic oath of medicine taken by all healthcare professionals includes a form of the statement "foremost, do no harm." Or, in Latin, "primum non nocere." It is just too bad that cybersecurity professionals do not adhere to such an oath.
A large retailer specializing in office supplies migrated to Office365 earlier this year. As part of that migration, they decided to acquire and deploy a solution for securing cloud access, what Gartner calls a "CASB or Cloud Access Security Broker." Unfortunately for that retailer, their IT team is stretched thin. So they tested a single vendor and went ahead and deployed the solution. As it turned out, the cure is worse than the disease, leaving the retailer in a state of explosive and chronic phishing risk. Phishing this retailer is as easy as shooting fish in a barrel. Here is why.
When you go to Office365 and attempt to log in as a user at that retailer, the CASB proxy takes you to a single-sign-on page hosted at a completely random domain. This eviscerates the security of single sign-on, which is predicated on the user entering his credentials only into a trusted identity provider domain. When users are required to enter their corporate credentials into weird sites that are untrusted and disconnected from the normal sphere of trust, users stop caring. Users will definitely not enter their personal bank credentials into weird domains, but are happy to enter their work credentials if their employer requires them to do so. As a result, a phishing email sent to any user at the retailer with a link to a replica of the login page will cause the user to promptly cough up their corporate credentials. Of course, any well-crafted phishing attack would store a copy of these credentials and then pass the user on to a successful login to the application, so that the breach is hard to detect for long periods of time. Furthermore, once users are trained not to care where they enter their corporate credentials, it is very hard to untrain them. Suddenly, every user at this retailer is ripe for phishing for years to come, leading to explosive and chronic risk.
Phishing is the leading cause of recent high-profile breaches. Since phishing grants the hacker insider access, it is also very difficult to detect. Both the Anthem breach and the Premera breach were caused by targeted phishing schemes, where hackers created sites replicating company login pages. In both cases, the hackers had to bait many users with pages hosted at misspelt corporate domains before success. The JPMorgan breach was a case of untargeted phishing, where employees unwittingly used their corporate credentials to log in to a compromised third-party site offering extramural activities sponsored by JPMorgan.
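The property the two paragraphs above rely on is that single sign-on credentials go only to one fixed, known identity-provider domain, so a login page served from an arbitrary host, a typo-squatted host, or a host that merely embeds the real name should be treated as a red flag rather than something users learn to accept. The Python below is an added example showing how a defender can encode that rule and run it over proxy logs; it is not code from the original post or from any vendor mentioned in it. The trusted-host list (one real Office365 sign-in host plus a hypothetical corporate IdP), the proxy log format and the sample log lines are constructed assumptions.

```python
"""Login-destination trust check for an SSO deployment (added example).

Assumptions, not taken from the original post:
  * TRUSTED_IDP_HOSTS is the full set of hosts where users may legitimately
    enter corporate credentials.
  * Proxy log lines look like: "<timestamp> <user> <METHOD> <url> <status>".
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

TRUSTED_IDP_HOSTS = {
    "login.microsoftonline.com",   # real Office365 / Azure AD sign-in host
    "sso.retailer-example.com",    # hypothetical corporate identity provider
}

# Hostnames this close (in edits) to a trusted host are flagged as lookalikes.
LOOKALIKE_MAX_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch typo-squatted IdP hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_login_url(url: str) -> Tuple[str, str]:
    """Return (verdict, reason) for the final URL of a login redirect chain.

    verdict is one of: "trusted", "insecure", "lookalike", "untrusted".
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("untrusted", "no hostname in URL")
    if parts.scheme != "https":
        return ("insecure", f"{host} served over {parts.scheme or 'unknown'}, not https")
    if host in TRUSTED_IDP_HOSTS:          # exact match only: no suffix tricks
        return ("trusted", host)
    for trusted in TRUSTED_IDP_HOSTS:
        if trusted in host:                # e.g. login.microsoftonline.com.evil.test
            return ("lookalike", f"{host} embeds trusted name {trusted}")
        if edit_distance(host, trusted) <= LOOKALIKE_MAX_DISTANCE:
            return ("lookalike", f"{host} is within {LOOKALIKE_MAX_DISTANCE} edits of {trusted}")
    return ("untrusted", f"{host} is not a trusted identity provider")


LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def flag_credential_posts(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (user, verdict, reason) for every credential submission
    (a POST to a path containing 'login') that did not go to a trusted IdP."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or "login" not in urlsplit(m["url"]).path.lower():
            continue
        verdict, reason = classify_login_url(m["url"])
        if verdict != "trusted":
            findings.append((m["user"], verdict, reason))
    return findings


# Constructed sample proxy log, not real traffic.
SAMPLE_PROXY_LOG = [
    "2015-10-26T09:01:02Z alice POST https://login.microsoftonline.com/common/login 302",
    "2015-10-26T09:04:17Z bob POST https://login.micros0ftonline.com/common/login 200",
    "2015-10-26T09:05:40Z carol POST https://a1b2c3-proxy.example.net/sso/login 200",
    "2015-10-26T09:06:10Z dave GET https://a1b2c3-proxy.example.net/sso/login 200",
    "2015-10-26T09:07:55Z erin POST http://login.microsoftonline.com/common/login 200",
]

if __name__ == "__main__":
    for user, verdict, reason in flag_credential_posts(SAMPLE_PROXY_LOG):
        print(f"{user}: {verdict} ({reason})")
```

Only an exact hostname match counts as trusted; a suffix match would let `login.microsoftonline.com.evil.test` through, which is exactly the class of page the retailer's users have been conditioned to accept. The random CASB proxy host in the sample log lands in the "untrusted" bucket, which is the point of the post: a legitimately deployed product produces the same signal a phishing page would, so the rule cannot be enforced without breaking the product.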
In the case of the retailer profiled here, the risk of phishing runs broad and deep, since every user is accustomed to entering corporate credentials into weird domains. Evidently the CASB vendor cut corners with a proprietary security architecture, without understanding the vulnerabilities that come with ignoring standards and best practices. And it is extremely unfortunate for the retailer that they sole-sourced a critical piece of security infrastructure. We can be sure of two things at this point:
- The retailer in question will suffer a phishing-driven data breach, if it has not already. The average length of a data breach being about 8 months, it will take roughly the same time for the retailer to detect and remedy the breach.
- Since the poorly architected "security solution" has one obvious and gaping hole, it is bound to have many other holes.
If you are interested in securing your cloud applications, check out Bitglass. We operate a standards-based security architecture on transparent public cloud infrastructure, so you can sleep well at night.
Update (Oct 28, 1:32pm)
Since writing this blog post a few days ago, Bitglass has heard repeatedly from the CASB vendor referenced above asking to obfuscate this blog post. We find that both distasteful and unethical. As security professionals, we have an ethical responsibility to expose vulnerabilities packaged as security products, in the same way that medical professionals have an ethical responsibility to expose harmful side-effects of pharmaceutical drugs, no matter how well they are packaged and marketed. Sunshine is the best remedy!
In the present situation, the victims are consumers whose credit-card information is at risk, shareholders of the retailer whose equity positions are at risk, and employees of the retailer whose email privacy is at risk, as in the Sony breach.