We are in the Cloud Era, and the mass migration of business processes to cloud-based third parties is not slowing down. Some of the reasons business owners rely more and more on the cloud:
- Cost Management. Many third party service providers offer tiered pricing models, enabling the organization to pay for only the services that they need, and giving them the ability to scale that cost up or down based on current need and usage.
- Quality. Most third parties provide a unique and often niche product. This specialization allows them to improve their services faster than an organization could if it were building and maintaining them in-house.
- Security. Moving data and hardware into the hands of a third party allows an organization to lessen its need to focus on physical and cyber security. This opens the door to faster scaling as an organization grows and its security program changes.
Although there are many reasons to move business processes to outsourced service providers, this paradigm shift does come with some trade-offs.
3rd Party Services, all with Web Portals
The nature of web-based service providers creates a much greater need for user access controls. Many critical business lines and much sensitive data now lie in the myriad web portals spread across the World Wide Web, and many of these assets are protected purely by the ubiquitous login screen.
Services talking directly to other services
With the interconnected nature of services, many organizations have their third-party applications interface directly with other third-party applications to enable automated and streamlined business processes. This connectivity opens the risk of chain-reaction incidents: an attacker who gains access to one service through faulty user access controls could potentially affect multiple other services through the back-door nature of service-to-service APIs.
With the ever-increasing adoption of HTTPS, brute-force mitigations, and system-level incident monitoring, it is becoming harder and harder for attackers to compromise systems on a “hacking” level. Many security incidents instead stem from social engineering attacks. These attacks target the weakest link in the security chain: people. Leveraging the human tendencies of trust and curiosity, attackers will go to great lengths to trick an employee into accidentally giving up credentials. These attacks often involve many steps and are carried out over the course of weeks or months.
Many times, an employee will have no idea that the website they are entering their login information into is not legitimate until it’s too late. Attackers will find third parties that an organization trusts and “spoof” their website, most of the time triggered by a “call to action” email or phone call that prompts the employee to log in in response to some event.
Multi Factor Authentication
Once a single employee account is compromised, an attacker can sometimes start a chain reaction attack by targeting other connected services or employee accounts. Even if the incident is caught and remedied quickly, that attacker already has enough new information to continue the barrage of social engineering attacks on other parts of the organization.
This scenario can be avoided by strong user access controls and multi-factor authentication. But by how much? MFA is now very mainstream and goes a long way toward avoiding incidents based on compromised user credentials, but it is not foolproof. Attackers now often include the MFA process as part of a layered social engineering attack strategy, and even popular authentication tools can be compromised at the system and hardware levels.
Wrap Up: User Training
With all the advances in technology, the most reliable security measure today is still, sometimes, people. Proper awareness of user access controls and consistent cybersecurity awareness training so that employees can detect and report social engineering probes can go a long way toward preventing incidents. With the vast networks of connected service providers, this is ever more important to prevent a single incident from snowballing into something much larger.
Rivial Data Security knows that a proper security program starts and stops with the most important asset of any organization: the people. Managed Security Training and customized Social Engineering testing, together with simple reporting and informative metrics, can go a long way to achieving a truly robust security program.
Jacob Blazina has been with Rivial Data Security for 3 years, managing the development team and assisting with security operations. Jacob studied Computer Science at Eastern Washington University and uses an innovative approach to helping organizations improve their cybersecurity.