Breach of CIA director’s AOL account exposes latent attack surface
When hackers posted online contact lists and other documents stolen from the AOL account of CIA Director John Brennan, they not only exposed a security breach with national security implications but they also shined a light on a glaring security hole created by the cloud — personal identities are placing corporate assets at risk.
To carry out the hack, the attackers manipulated AOL into resetting the password on Brennan’s account. In the process, they captured most of his personal information, including name, address, phone number, Social Security number and more. With this data, they can create legitimate-looking phishing emails or social engineering attacks aimed at corporate assets.
The use of cloud-based application services is expanding the enterprise attack surface in multiple ways.
For example, most of us use cloud-based services for our personal email, as Brennan did with AOL, and shop through online retailers such as Amazon and eBay. Similarly, for social media activities, think Facebook, Twitter, LinkedIn — all are cloud-based applications. We even use cloud applications for banking.
Cloud services have become so ubiquitous that we rarely consider the security implications of the personal data we provide to establish online accounts. Since each cloud service is unique and separate, users must hand over the same personal information to each provider.
The multiplicative effect of users’ personal data being duplicated across multiple cloud applications, networks and geographies plays directly into the hands of would-be attackers. It provides them with the opportunity to zero in on the cloud providers with the least robust security. If unsuccessful, they can simply move on to the next target.
With personal data in hand, attackers are able to impersonate users via online applications, or on the phone with customer service representatives to steal more personal information such as login credentials and commit fraud.
Meanwhile, cloud applications are also being used to replace enterprise applications that were once provisioned and managed by IT organizations. Many are available and acquired in online marketplaces. These include company-oriented email and calendaring, corporate banking, purchasing and supply chain, marketing, sales force automation, contact and sales pipeline management, HR and benefits applications, etc. There is seemingly no end to what can be delivered online for the enterprise.
Truth is, all cloud-based enterprise applications are subject to the same technical and social engineering vulnerabilities that apply to personal online applications. While we may have become somewhat desensitized to the daily drumbeat of personal data breaches and their consequences, we are still concerned by large corporate data breaches.
While personal and enterprise cloud-based applications may be compromised via unpatched vulnerabilities or unprotected systems, most compromises occur via stolen credentials or identities. Once hijacked, user accounts can be used to access sensitive applications and databases in order to exfiltrate confidential data without raising any red flags until weeks, months or even years later.
As enterprises transition from on-premises applications to cloud-based applications and services, managing user access credentials and related entitlements becomes exponentially more complex. Keeping tabs on identities and monitoring access for internal and external applications requires more thoughtful intention and execution. The risk of getting it wrong can be disastrous, potentially placing critical enterprise assets in the hands of attackers.
This new hybrid environment, where internal and cloud-based applications are co-mingled, requires greater vigilance when it comes to monitoring corporate identities, access activity and behaviors. That’s because the surface area of user accounts and entitlements has expanded to a degree that makes detecting and preventing threats far more difficult. Monitoring the behavior of insiders to identify user accounts exhibiting anomalous activity, which may indicate they have been hijacked by an attacker, requires a new approach.
So while monitoring user access behavior can be performed purely within the corporate IT network, this may not provide a complete picture for enterprises using a hybrid on-premises and cloud application and service delivery model. The hybrid scenario demands behavior monitoring that spans user access across the complete context of online cloud behavior and internal enterprise systems.
A new technology category, dubbed Cloud Access Security Brokers (CASB) by research firm Gartner, is considered capable of managing complex cloud access environments, including discovering unknown cloud applications and unauthorized access to corporate data. CASB applications working with on-premises User Behavior Analytics (UBA) can provide the visibility into the complete context of user access and behavior, for internal and cloud-based applications, that is needed to detect the anomalies associated with hijacked accounts.
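The hybrid monitoring the preceding three paragraphs describe, as an added example that is not code from this article or from any CASB or UBA product: it builds a per-user baseline from on-premises and cloud access events and scores recent events against it, including one check (the same identity seen from two countries across the two log sources within an hour) that neither source could raise on its own. All users, application names and events are constructed for illustration.

```python
# Added example; events are (source, user, ISO timestamp, app, country), all constructed.
from collections import defaultdict
from datetime import datetime, timedelta
BASELINE = [
    ("onprem", "jdoe", "2015-10-05T08:55:00", "ad-logon", "US"),
    ("cloud", "jdoe", "2015-10-05T09:20:00", "crm-saas", "US"),
    ("cloud", "jdoe", "2015-10-06T17:40:00", "mail-saas", "US"),
]
RECENT = [
    ("onprem", "jdoe", "2015-10-19T09:02:00", "ad-logon", "US"),   # normal
    ("cloud", "jdoe", "2015-10-19T09:25:00", "crm-saas", "US"),    # normal
    ("cloud", "jdoe", "2015-10-19T09:40:00", "hr-saas", "BR"),     # new app, new country
    ("cloud", "jdoe", "2015-10-20T03:10:00", "mail-saas", "BR"),   # off-hours, new country
]
def build_profile(events):
    # Per-user apps and countries seen, plus the hours of day with any activity.
    profile = defaultdict(lambda: {"apps": set(), "countries": set(), "hours": []})
    for _src, user, ts, app, country in events:
        profile[user]["apps"].add(app)
        profile[user]["countries"].add(country)
        profile[user]["hours"].append(datetime.fromisoformat(ts).hour)
    return profile
def score_event(profile, event, window):
    """List the ways one event deviates from that user's baseline."""
    source, user, ts, app, country = event
    p = profile.get(user)
    if p is None:
        return ["unknown-user"]
    when = datetime.fromisoformat(ts)
    reasons = []
    if app not in p["apps"]:
        reasons.append("new-app:" + app)
    if country not in p["countries"]:
        reasons.append("new-country:" + country)
    if not min(p["hours"]) <= when.hour <= max(p["hours"]):
        reasons.append("off-hours:%02d" % when.hour)
    # Hybrid check: same identity active from another country in the other source within 1h.
    for o_src, o_user, o_ts, _a, o_country in window:
        if (o_user == user and o_src != source and o_country != country
                and abs(datetime.fromisoformat(o_ts) - when) <= timedelta(hours=1)):
            reasons.append("split-location:%s/%s" % (o_src, o_country))
            break
    return reasons
def flag_hijack_candidates(baseline, recent, min_reasons=2):
    # Users whose recent events trip at least min_reasons checks, with the details.
    profile = build_profile(baseline)
    flagged = defaultdict(list)
    for ev in recent:
        reasons = score_event(profile, ev, recent)
        if len(reasons) >= min_reasons:
            flagged[ev[1]].append((ev[0], ev[2], reasons))
    return dict(flagged)
```

In the constructed data, the two Brazilian cloud sessions are flagged while the routine morning logon and CRM session are not, even though the morning logon itself carries a split-location note once the cloud record is joined in.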
The blurring of personal and corporate identities, combined with the rise of hybrid data center and cloud application environments, has introduced a never before seen level of complexity for security teams. This new application and services delivery model demands increased technical ingenuity to maintain appropriate levels of care and management.