Software-as-a-Service Applications Create a Growing Attack Surface
Security Technology, October 2022
Russian-state actors successfully exploited a flaw in Cisco Duo’s multi-factor authentication to gain access to a non-governmental organization’s cloud and email accounts to steal valuable documents and information.
Duo’s exploitation resulted from a flaw in the default settings that allowed the hackers to enroll their own device for MFA and access the network through a Software-as-a-Service (SaaS) application, according to an alert from the FBI and U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued March 2022. The threat actors then exploited a vulnerability in Windows Print Spooler (the application that lists active printing jobs) to run malicious code.
Help caring hands reach further
XProtect® Hospital Assist is a remote patient monitoring solution that helps your staff work more efficiently while enhancing patient care.
This attack is just an example of hackers taking aim at a vulnerable SaaS implementation to infiltrate an organization. While targeting SaaS solutions is not new, it is happening more and more. The increased dependence on SaaS has created a larger attack surface for organizations of all sizes, as even smaller businesses can employ dozens of online tools.
In fact, Gartner named attack surface expansion as its top cybersecurity trend to watch in 2022. So how can companies prepare themselves for this growth? Let’s look deeper at the problem.
Mutual Security Responsibility
There is a misconception that many SaaS applications are completely secure. Application providers certainly implement security measures, but the Duo breach, a recent breach at Uber, and other notable breaches at companies like Heroku, Twilio, and MailChimp confirm that a name brand does not automatically mean security.
When organizations recognize a brand, they—much like consumers—tend to trust the brand and ease their other security measures. But while SaaS applications have a responsibility to secure their product, they cannot control how users adapt the capabilities. There needs to be a mutual responsibility among providers, organizations, and customers to make informed decisions when it comes to the security of their applications.
Typically, organizations are only aware of a small percentage of the SaaS solutions their employees use. Even then, they rarely have visibility into how employees are using them. With organizations using dozens—if not hundreds—of SaaS applications to run their enterprise, the attack landscape and chances for an exploit increase exponentially. The applications, though, have become critical to business operations, so simply not allowing them is not practical.
Instead, organizations must ensure the security of SaaS applications by utilizing different tools and best practices—such as leveraging visibility and automatic remediation defense solutions. This can help technology leaders fully understand the programs in use.
Steps to Improve SaaS Defense
To properly protect SaaS applications, organizations first need to understand what their employees use. The remediation process requires using specific tools that can identify all the SaaS applications currently in use, even those not officially endorsed as part of the company’s ecosystem.
With the growing number of applications, organizations must automate as many cybersecurity efforts as possible. Even large enterprises lack the cybersecurity workforce to manually manage the alerts, patches, and updates required to handle this type of environment. Automatic remediation can significantly reduce the number of alerts requiring human intervention.
Bad actors know that vulnerabilities exist and will continue to find ways to exploit them.
Employees should feel empowered and comfortable to take an active role in their company’s cyber defense. While they do not need to become analysts, they should understand the basics of user behavior and spot anomalies. Employees should have the power to remediate vulnerabilities when made aware of them. Involving users in the security process can greatly improve overall response.
From there, organizations must also educate employees. This includes proper cyber hygiene, such as using complex passwords, leveraging multi-factor authentication, and keeping software and applications updated.
The Road Forward
Bad actors know that vulnerabilities exist and will continue to find ways to exploit them. As remote work and permanent work-from-home policies become more common, the use of SaaS applications and an organization’s attack surface will only continue to grow. Given this, the number of SaaS breaches will keep increasing.
Organizations can lower the risk of the impact of a vulnerable SaaS application by:
- Knowing which SaaS services employees use and how.
- Using multi-factor authentication. Ensure the solution is implemented properly and employees use it the proper way.
- Reducing your attack surface. Revoke permissions for applications and shared files not currently in use and remove permissions for external users when no longer needed.
- Keeping your confidential data in a proper place. Do not share sensitive information such as API keys via collaborative applications such as Slack or in public repositories.
As technology leaders prioritize security threats, they must improve the management of these platforms. That starts with visibility and automation.
Yoav Kalati has more than 15 years of cyber defense experience on a national and international level. He started his career in the Israeli military’s 8200 unit in various cyber defense roles and retired after a successful service in the military’s Cyber Threat Intelligence department. Kalati is the recipient of various certificates of excellence including from the head of directorate of Military Intelligence and the head of the Cyber Defense Division. Kalati Joined Wing Security in 2022 as head of the Threat Intelligence department. He is focused on providing valuable, on-time threat intelligence updates and best practices to Wing Security’s customers, while leading the company’s Threat Intelligence research.