Data from McKinsey Insights suggests that many CISOs are uneasy about increasing dependence on SaaS applications and the security risks – real or perceived – the cloud represents.
Their apprehension isn’t slowing down cloud adoption. As McKinsey put it, “Most companies … will eventually confront the cybersecurity risks inherent in the SaaS approach.”
Security experts have been confronting these risks for years, of course, and for much of the last decade the best solution was “do your due diligence.” But understanding the security posture of your SaaS vendors doesn’t give you a great look into their human risk factor.
Unfortunately, the human risk is the most difficult to scrutinize and also the costliest. Nearly $1.3 billion was lost in 2018 to business email compromise (BEC) and email account compromise (EAC), according to the FBI’s Internet Crime Complaint Center’s 2018 Internet Crime Report.
Cybercriminals look for the weak spot, and we’re it. That’s because passwords are either easy to guess, or they’ve already been breached but they’re still being reused.
Fixing the problem of weak and reused passwords is far from impossible, however. Businesses and individuals can make some key changes to the way they create passwords, monitor for exposure and react to account compromises. CISOs should use their influence during the purchasing process to encourage the same changes within their SaaS vendors, or demonstrate new risks to steer vendors towards better security choices. Both sides will be better off.
The security community is familiar with the changes NIST made to their password security guidelines, but adoption of better passwords has been slow to follow the 2018 release of NIST’s update.
CISOs evaluating new SaaS applications should expect vendors to provide a mechanism for checking password strength. None of the old “special character” tricks will apply anymore. Password strength checks should reject passwords that are easy to guess, whether they’re common, repetitive, or contain the service name or any “fuzzy” variation of it.
New passwords for SaaS applications should also be uncompromised. It sounds like an obvious point, but certainty in the security of passwords is hard to achieve. Do you know how many of your employees’ passwords are exposed right now? Furthermore, do you know how many employees reuse passwords from their personal accounts – or even for all of their accounts?
The truth is, not many businesses can say with certainty that all their passwords are uncompromised, and that needs to change.
Symantec found in a recent study that account takeovers are the initial attack vector for 64 percent of cloud security incidents. There are billions of compromised login credentials available to hackers, yet only 7 percent of security decision-makers consider account takeover a top concern. This is a threat that must be better understood before it can be solved.
When cybercriminals obtain stolen login credentials – whether by finding and stealing data themselves or buying it from others – they’ll plug them into dozens or even hundreds of other websites, just in case the targets have reused that password somewhere else.
Each successful login may present attackers with several opportunities for profit. When they take over customer accounts they can siphon funds out, make fraudulent purchases (even with tokenized cards-on-file) or demand a ransom in return for account control and data. These follow-on attacks cost the business time and money to remediate, and cause reputational damage with the customer base.
Cybercriminals may also decide to target corporate accounts after hijacking something else. A successful LinkedIn login may lead cybercriminals to the target’s employer’s website. If that target reused the same password for work, a variation of it or a similar, easy-to-guess pattern, the cybercriminal now has access to secure and valuable corporate data. If that company is a software provider for a larger business, consumer accounts and PII could be at risk.
This opportunistic threat vector is all too successful for criminals who may have gotten a password from an employee’s personal account and found themselves with clandestine access to a corporate network. Once there, they can study the network for weak points or learn who’s who so they can launch business email compromise, spear-phishing, or social engineering attacks.
And even after an account takeover has grown into a bigger problem, it may still take time to realize the damage. 56% of 2018 breaches took months to discover, according to Verizon’s 2019 Data Breach Investigations Report.
Companies should regularly check their users’ and employees’ passwords against known breach data, and this data is available from many sources. Free breach “corpuses” will require integration and manual updates. Dark web monitoring services update data regularly, but CISOs should determine how the service obtains breach data before selecting a resource; some simply scrape Tor network forums for breach data, which means they’re typically getting credentials that have been exposed for several weeks at least.
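One way to implement both the strength screening described earlier (reject common, repetitive and service-name-derived passwords) and the breach-corpus check described above, as an added Python example that is not from the article or any vendor. The common-password list, the breach corpus of SHA-1 hashes and the service name "Acme" are constructed sample data, and the optional username check is an added extension beyond what the article lists.

```python
import hashlib
import re

# Constructed sample data standing in for a real common-password list and a
# locally integrated breach corpus (stored as SHA-1 hashes, as breach dumps often are).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
BREACH_CORPUS_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("Summer2019!", "hunter2", "P@ssw0rd")
}

# Undo the usual "leet" substitutions so fuzzy variants collapse to their base word.
LEET_MAP = str.maketrans("@$013!", "asoiei")


def normalize(pw: str) -> str:
    """Lowercase and de-leet: 'P@ssw0rd' -> 'password'."""
    return pw.lower().translate(LEET_MAP)


def stem(pw: str) -> str:
    """Drop trailing digits/punctuation before normalizing: 'Password2019!' -> 'password'."""
    return normalize(re.sub(r"[^A-Za-z]+$", "", pw))


def is_repetitive(pw: str) -> bool:
    """Catch 'aaaaaaaa', 'abababab', '12345678' and 'zyxwvuts' style passwords."""
    s = pw.lower()
    if len(set(s)) <= 2:                      # one or two distinct characters
        return True
    if re.fullmatch(r"(.+?)\1+", s):          # a short unit repeated end to end
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})               # straight ascending/descending run


def check_password(pw: str, service_name: str, username: str = "") -> list:
    """Return the reasons a candidate password should be rejected (empty list == accept)."""
    reasons = []
    norm = normalize(pw)
    if len(pw) < 8:
        reasons.append("too short (NIST minimum is 8 characters)")
    if stem(pw) in COMMON_PASSWORDS:
        reasons.append("common password or trivial variation")
    if is_repetitive(pw):
        reasons.append("repetitive or sequential")
    for ctx in (service_name, username):      # service name / username and leet variants
        if ctx and normalize(ctx) in norm:
            reasons.append(f"contains context word '{ctx}'")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACH_CORPUS_SHA1:
        reasons.append("found in breach corpus")
    return reasons
```

Hashing candidate passwords with SHA-1 here is only for lookup against an already-public breach corpus; it is not a substitute for a slow, salted hash when storing the organization's own credentials.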
The McKinsey study pointed out several concerns and frustrations CISOs have with SaaS security, among them that “SaaS sales forces … can be ill-informed or sometimes even outwardly deceptive about security related issues.”
CISOs can’t force their vendors to adopt new technologies, but they may be able to extend their own security resources to the SaaS platforms they use and require that anyone with access to their data be cleared of exposure.
Companies may even find it valuable to help their vendors remediate weak or exposed passwords. Doing so will protect cloud apps and data from unauthorized access. Furthermore, demonstrating the importance of stronger identity and access management tools to vendors may also help them understand how easily business email compromise can be accomplished, and how it presents a risk to their revenues and reputations.
The McKinsey report noted that “Industry analysts estimate that the SaaS market will grow by more than 20 percent annually, reaching nearly $200 billion by 2024, a level that would represent nearly one-third of the overall enterprise-software market.” Cloud collaboration is quickly becoming a fact of life today. In the future, it will serve the common interest to collaborate on identity and access security and use the best tools available to identify exposed credentials and reset compromised passwords as quickly as possible.