{"id":4138,"date":"2024-06-21T11:15:26","date_gmt":"2024-06-21T16:15:26","guid":{"rendered":"https:\/\/www.darkreading.com\/cloud-security\/multi-factor-authentication-not-enough-to-protect-cloud-data"},"modified":"2024-06-21T11:15:26","modified_gmt":"2024-06-21T16:15:26","slug":"multifactor-authentication-is-not-enough-to-protect-cloud-data","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/06\/21\/multifactor-authentication-is-not-enough-to-protect-cloud-data\/","title":{"rendered":"Multifactor Authentication Is Not Enough to Protect Cloud Data"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

A cybercriminals group known as UNC5537 has been on a tear over the past month.<\/span><\/p>\n

The ransom gang, possibly related to ShinyHunters or Scattered Spider, stole more than 560 million customer records from Ticketmaster, posting it for sale on its reconstituted leak site, BreachForums on May 28, asking for $500,000. Two days later, the group claimed to have stolen 30 millions account records from Spain-based Santander Bank, asking for a cool $2 million. Both companies <\/span>acknowledged the breaches after the postings<\/a><\/span>.<\/span><\/p>\n

The cause of the data leaks \u2014 and at least 163 other breaches \u2014 appears not to be a vulnerability, but the use of stolen credentials and poor controls on multifactor authentication (MFA), according to a June 10 analysis by incident-response firm Mandiant, part of Google.<\/span><\/p>\n

“Mandiant’s investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake’s enterprise environment,” <\/span>Mandiant stated in its analysis<\/a><\/span>. “Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials.”<\/span><\/p>\n

While the theft of data from Snowflake’s systems could have been prevented by MFA, the failures of the companies go beyond the lack of that single control. Businesses using cloud services need to make sure that they have visibility into their attack surface, quickly removing the accounts of former employees and contractors, and reducing the avenues through which opportunistic attackers could compromise systems, networks, or services, says Chris Morgan, senior cyber threat intelligence analyst at cloud-native security platform provider ReliaQuest.<\/span><\/p>\n

“The biggest lesson learned is that threat actors do not need to employ sophisticated techniques,” he says. “Targeting the low hanging fruit \u2014 in this case, insecure credentials \u2014 can be achieved with little effort from the threat actor, but provides ample opportunities.”<\/span><\/p>\n

Here are five lessons from the latest spate of cloud breaches.<\/span><\/p>\n

1. Start With MFA and Then Go Beyond<\/h2>\n

There is a lot of room for growth in the adoption of MFA. While two-thirds (64%) of workers and 90% of administrators used MFA, according to <\/span>a report released a year ago<\/a><\/span>, more than six out of every 10 organizations have at least one root user or administrator without MFA enabled on an account, according to <\/span>Orca Security’s 2024 State of Cloud report<\/a><\/span>.<\/span><\/p>\n

Businesses need to get to a consistent \u2014 and verifiable \u2014 100%, says Ofer Maor, co-founder and chief technology officer at cloud-security firm Mitiga.<\/span><\/p>\n

Companies should “make sure MFA is enforced and required, and if using [single sign-on], make sure non-SSO login is disabled,” he says. “Go beyond traditional MFA [and] turn on additional security measures, such as device- [or] hardware-based authentication for sensitive infrastructure.”<\/span><\/p>\n

2. Use Access Control Lists (ACLs) to Limit Authorized IP Addresses<\/h2>\n

Organizations should also put access control lists in place, restricting from where users can access a cloud service or at least enabling reviews of access logs on a daily basis to spot any anomalies.<\/span><\/p>\n

This further limits that ability of cyberattackers to easily, says Jake Williams, faculty analyst, a cybersecurity practitioner with analyst firm IANS Research, an information-security consultancy.<\/span><\/p>\n

“Really, for pretty much any cloud infrastructure … it is a best practice to restrict what IP addresses folks can come from,” he says. “If you can’t, then access reviews are all the more important to make sure that people aren’t coming from someplace you don’t expect.”<\/span><\/p>\n

3. Maximize Visibility Into Cloud Services<\/h2>\n

Companies need to also have a meaningful way of continuously monitoring for applications. Log data, access activity, and services that aggregate data sources into a complete picture can help companies detect and prevent attacks like those on Snowflake.<\/span><\/p>\n

In addition, organizations need to be able to alert on specific behavior or threat detections \u2014 an approach that would have detected the cybercriminals’ attempts at accessing their cloud data, says Brian Soby, CTO and co-founder at AppOmni, a SaaS security posture management firm.<\/span><\/p>\n

“While security operations teams are spread thin and generally don’t have the opportunity to develop deep expertise in the various applications used by their companies, their tooling and security platforms should have quickly identified these issues,” he says. “In this scenario, there were certainly anomalous logins from unusual locations and the connection of highly questionable attacker applications to customer Snowflake instances.”<\/span><\/p>\n

4. Don’t Rely on Your Cloud Providers’ Defaults<\/h2>\n

While cloud-service providers like to emphasize that security is a shared responsibility model, unless an attacker breaches the cloud provider’s infrastructure or software \u2014 such in <\/span>last year’s vulnerabilities in Progress Software’s MoveIT Cloud service and MoveIT Transfer software<\/a><\/span> \u2014 the responsibility almost always falls onto the customer.<\/span><\/p>\n

Yet, often cloud providers prioritize usability over security, so companies should not rely on their provider’s defaults to be secure. There is a lot that Snowflake, for example, could have done to make managing MFA easier, including turning on the security control by default, says Mitiga’s Maor.<\/span><\/p>\n

“What enables this attack to be successful, and at this scale, is that the default setting of Snowflake accounts does not require MFA, meaning once you get a compromised username and password you can get full access immediately,” he says. “Normally, high sensitivity platforms would require users to enable MFA. Snowflake not only does not require MFA, but also makes it very hard for administrators to enforce this.”<\/span><\/p>\n

5. Check Your Third Parties<\/h2>\n

Finally, companies should also note that \u2014 even if they are not using Snowflake or another cloud service \u2014 a third-party provider may use the service for its back end, exposing their data to risk, says IANS Research’s Williams.<\/span><\/p>\n

“Your data may be in Snowflake, even if you’re not using it,” he says. “That’s the complexities of supply chains today … you’re giving your data to a third-party servicer, who is then putting it into Snowflake, and may or may not be using best practices.”<\/span><\/p>\n

Organizations should reach out to all their service providers with access to their data and ensure that they are taking the proper steps to protect that information, Williams says.<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

A cybercriminals group known as UNC5537 has been on a<\/p>\n","protected":false},"author":12,"featured_media":4139,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-4138","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/multifactor-authentication-is-not-enough-to-protect-cloud-data.jpg?fit=1920%2C1080&ssl=1",1920,1080,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/multifactor-authentication-is-not-enough-to-protect-cloud-data.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/multifactor-authentication-is-not-enough-to-protect-cloud-data.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/multifactor-authentication-is-not-enough-to-protect-cloud-data.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/multifactor-authentication-is-not-enough-to-protect-cloud-data.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/multifactor-authentication-is-not-enough-to-protect-cloud-data.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/multifactor-authentication-is-not-enough-to-protect-cloud-data.jpg?fit=1920%2C1080&ssl=1",1920,1080,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/multifactor-authentication-is-not-enough-to-protect-cloud-data.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/multifactor-authentication-is-not-enough-to-protect-cloud-data.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/multifactor-authentication-is-not-enough-to-protect-cloud-data.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/06\/multifactor-authentication-is-not-enough-to-protect-cloud-data.jpg?fit=1920%2C1080&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4138"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4138\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/4139"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=4138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=4138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}