Security is not a feature
The Lapsus$ hacker group recently claimed to have stolen sensitive data and internal source code from NVIDIA, Samsung, Microsoft and Okta. Some of the leaks have already been published and are available on the Internet. The adversaries use many tactics to penetrate systems, including social engineering in the form of offering payment to company employees with elevated access. Once they have stolen critical data, they demand a ransom.
Okta is a managed Single Sign-On (SSO) solution that allows its customers to centralise secure access to a vast array of services. Because the company has many high-profile customers using the product, it is a perfect target for a software supply chain attack, where the attacker compromises third-party systems in order to get into your infrastructure.
An attack through Okta could be particularly damaging, since Okta handles authentication for its customers.
Just last year we witnessed a similar attack on the SolarWinds runtime protection suite, where malware was installed on the premises of dozens of Fortune 500 customers. The attack was attributed to Russian intelligence, but to date there is no direct proof of who exactly was responsible for the breach.
These attacks make an obvious statement: security is not a feature. It needs to be implemented from day one on any production system.
To combat this risk we propose that our customers always implement the Principle of Least Privilege, time-based access, audit trails and network egress whitelisting. Additionally, no system can ever be fully secure, so it is best to develop operational procedures to follow in case of a breach.
Do you think this is enough? What other measures would you implement in a fresh production system from the very beginning? Is the cost worth it?
Visit our Case Study on HashiCorp Vault to discover how you can benefit from Security Automation: https://solid-potential.dev/blog/case-study-vault
Solid Potential can introduce necessary measures to protect your data in Cloud. If you are interested in partnering with us, check out our Services:
https://solid-potential.dev/services
Sources:
https://www.theverge.com/2022/3/22/22990637/okta-breach-single-sign-on-lapsus-hacker-group
https://securityaffairs.co/wordpress/128573/data-breach/nvidia-data-breach.html
https://securityaffairs.co/wordpress/128828/data-breach/samsung-data-breach.html
https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?r=US&IR=T