Ways – INDIA NEWS (https://www.indiavpn.org)

6 Ways to Simplify SaaS Identity Governance
Wed, 21 Feb 2024 (https://www.indiavpn.org/2024/02/21/6-ways-to-simplify-saas-identity-governance/)

SaaS Identity Governance

With SaaS applications now making up the vast majority of technology used by employees in most organizations, tasks related to identity governance need to happen across a myriad of individual SaaS apps. This presents a huge challenge for centralized IT teams who are ultimately held responsible for managing and securing app access, but can’t possibly become experts in the nuances of the native security settings and access controls for hundreds (or thousands) of apps. And, even if they could, the sheer volume of tasks would easily bury them.

Modern IT teams need a way to orchestrate and govern SaaS identity governance by engaging the application owners in the business who are most familiar with how the tool is used, and who needs what type of access.

Nudge Security is a SaaS security and governance solution that can help you do just that, with automated workflows to save time and make the process manageable at scale. Read on to learn how it works.

1. Discover all SaaS apps used by anyone in the org

As the old saying goes, you can’t secure what you can’t see, so the first step in SaaS identity governance is to get a full inventory of what technology is actually being used, and by whom.

Nudge Security discovers and categorizes all SaaS apps ever introduced by anyone in the organization and provides a vendor security profile for each app to give IT and security teams the context they need to vet new SaaS providers. And after they’ve reviewed an app, they can assign a status like “Approved,” “Acceptable,” or “Unacceptable” to indicate if usage should be permitted. For any apps that are deemed “Unacceptable”, automated nudges can be triggered in response to new accounts to redirect the user towards a similar, approved app or ask for context on why they need to use that particular app.

2. Share a directory of approved apps with employees

In an ideal world, IT teams want to empower employees to adopt technologies that will both enhance productivity and keep the business secure and compliant. Unfortunately, employees often have no way of knowing which tools fit the business’s requirements as well as their own.

Nudge Security makes it easy to create and share an app directory with employees, so everyone in the org can view a comprehensive list of approved applications that meet appropriate security and compliance standards. Employees can peruse the list by category and submit access requests that are routed directly to each application’s technical owner, whether or not that person sits within central IT. This removes the need for IT to be the “event forwarder” between users and app owners, while still retaining visibility and centralized governance.


3. Keep app owners up to date

Ever feel like you’re on the world’s worst scavenger hunt when tracking down the right people in your organization to get context on a SaaS application or user account? You’re not alone. This knowledge is often siloed and changes frequently. Nudge Security uses various methods to deduce the likely “technical contact” (like the first user) for every SaaS application discovered in your environment and gives you the ability to automate nudges to confirm app ownership periodically.

With this technical contact discovery process, Nudge Security automates emails or Slack messages to assumed technical contacts with a simple nudge that asks them to either validate that they are the correct technical contact or update this information. No more strings of emails and Slack threads to figure it out. With Nudge Security, you can automate the process of keeping this information up to date as administrative responsibilities change.


4. Automate user access reviews

For companies subject to any of a number of compliance standards like SOC 2, HIPAA, PCI DSS, and others, it is typically required to do periodic user access reviews of in-scope systems to ensure that only those who need access actually have access. And, for anyone who’s had the pleasure of conducting user access reviews, you know it usually involves an assortment of spreadsheets with inconsistent and incomplete information and a lot of manual effort to track down who’s using what.

Instead of this spreadsheet puzzle, with Nudge Security you can automate the process. First, you can group your in-scope assets together and automate nudges to app users to verify if they still need access. Then, Nudge Security collects the responses for you and routes the consolidated list of accounts to be removed to the app owners. Finally, it collects responses from the app owners to confirm they’ve completed the removals and documents all the actions taken in a .pdf report you can share with auditors.


5. Identify and clean up unused accounts

Meeting compliance requirements is one good reason to regularly review who needs access to what, but cost savings is another. Gartner’s research shows that 25% of SaaS is underutilized or over-deployed. No matter what the size of your organization, that can add up quickly.

Nudge Security monitors cloud and SaaS account status across your entire organization, so you can easily find and prune inactive and abandoned SaaS accounts. And, you’ll have up-to-date information at your fingertips in some very good-looking charts, so you can monitor SaaS account statuses right next to SaaS adoption trends.


While you can always discover unused accounts one app at a time from each application’s overview page, Nudge Security’s playbook for removing unused accounts enables you to audit multiple applications at once so you reduce SaaS sprawl at scale.

6. Ensure complete offboarding

Here’s a dirty little secret: most employees have signed up for apps outside the purview of IT, or even their department managers. With Nudge Security, you can see every account ever signed up for by anyone using an email associated with your organization. This includes domain registrations, social media accounts, developer accounts, and other assets that are often overlooked. You can also see if those apps are connected to other apps via OAuth grants, so you can minimize the chance of something breaking when an employee leaves the organization.

And, better yet, with Nudge Security, you can automate key steps of IT offboarding like suspending accounts, resetting passwords, revoking OAuth grants and more. And you’ll start with a full inventory of every account ever created for the departing employee so you can ensure all access is revoked.
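The unused-account review in step 5 and the offboarding inventory in step 6 are both joins over the same data: who holds which account, with what role, when it was last used, and which app-to-app grants it authorised. The following Python is an added example, not Nudge Security code or part of the original article, and it assumes a constructed inventory with those fields. The check a practitioner most wants here is the one for apps where the departing employee is the sole admin, because suspending that account first locks the organisation out of the app.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed sample inventory (not real data): one record per SaaS account.
@dataclass
class Account:
    app: str
    user: str
    role: str              # "admin" or "member"
    last_login: datetime   # assumption: the inventory records a last sign-in time
    oauth_grants: tuple    # assumption: app-to-app grants this account authorised


NOW = datetime(2024, 2, 21)

ACCOUNTS = [
    Account("figma", "alice@example.com", "admin", NOW - timedelta(days=3), ()),
    Account("figma", "bob@example.com", "member", NOW - timedelta(days=120), ()),
    Account("zapier", "alice@example.com", "admin", NOW - timedelta(days=1), ("slack", "gsheets")),
    Account("notion", "alice@example.com", "member", NOW - timedelta(days=10), ()),
    Account("notion", "carol@example.com", "admin", NOW - timedelta(days=2), ()),
    Account("oldcrm", "dave@example.com", "member", NOW - timedelta(days=400), ()),
]


def inactive_accounts(accounts, now=NOW, days=90):
    """Accounts with no sign-in for `days`: candidates for the unused-account review."""
    cutoff = now - timedelta(days=days)
    return sorted((a.app, a.user) for a in accounts if a.last_login < cutoff)


def sole_admin_apps(accounts, user):
    """Apps where `user` is the only admin: suspending that account orphans the app."""
    admins = {}
    for a in accounts:
        if a.role == "admin":
            admins.setdefault(a.app, set()).add(a.user)
    return sorted(app for app, who in admins.items() if who == {user})


def offboarding_plan(accounts, user):
    """Ordered steps that revoke everything `user` holds without breaking shared apps.

    Ownership transfer is emitted before the suspension of the same app, and every
    OAuth grant the account authorised is revoked explicitly rather than left to
    expire with the account.
    """
    mine = [a for a in accounts if a.user == user]
    needs_transfer = set(sole_admin_apps(accounts, user))
    steps = []
    for a in mine:
        if a.app in needs_transfer:
            steps.append(("transfer_ownership", a.app))
        for target in a.oauth_grants:
            steps.append(("revoke_grant", f"{a.app}->{target}"))
        steps.append(("suspend", a.app))
    return steps


if __name__ == "__main__":
    print("inactive:", inactive_accounts(ACCOUNTS))
    for step in offboarding_plan(ACCOUNTS, "alice@example.com"):
        print(*step)
```

Run against the constructed inventory, the plan for alice transfers ownership of figma and zapier before suspending them, revokes the two Zapier grants, and only then suspends her Notion membership; bob's Figma seat and dave's old CRM account surface in the 90-day inactivity list.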


Try Nudge Security for free

Our mission at Nudge Security is to help IT and security professionals everywhere regain control over SaaS security and governance while minimizing manual work for themselves and friction for end users. Start a free 14-day trial now to see what it can do for you.

This article is a contributed piece from one of our partners.



4 Ways Hackers use Social Engineering to Bypass MFA
Mon, 12 Feb 2024 (https://www.indiavpn.org/2024/02/12/4-ways-hackers-use-social-engineering-to-bypass-mfa/)

Feb 12, 2024 | The Hacker News | Cyber Threat / Password Security

Social Engineering

When it comes to access security, one recommendation stands out above the rest: multi-factor authentication (MFA). With passwords alone being simple work for hackers, MFA provides an essential layer of protection against breaches. However, it’s important to remember that MFA isn’t foolproof. It can be bypassed, and it often is.

If a password is compromised, there are several options available to hackers looking to circumvent the added protection of MFA. We’ll explore four social engineering tactics hackers successfully use to breach MFA and emphasize the importance of having a strong password as part of a layered defense.

1. Adversary-in-the-middle (AITM) attacks

AITM attacks place the attacker between the user and the genuine network, application, or website, usually through a lookalike site that relays traffic to the real one. The user believes they are logging into the legitimate service, while the attacker captures everything they type and can manipulate the security steps in between, including MFA prompts. For instance, a spear-phishing email posing as a trusted source lands in an employee’s inbox; clicking the embedded link leads to a counterfeit login page where the attacker collects the credentials.

MFA should, in principle, stop this by demanding a second factor, but attackers use a technique sometimes called ‘2FA pass-on’: as soon as the victim enters their credentials on the fake site, the attacker submits the same credentials to the legitimate site. That triggers a genuine MFA request, which the victim is expecting and readily approves, unwittingly granting the attacker complete access. Because the relay happens in real time, one-time codes and push approvals offer no protection here; only phishing-resistant factors such as FIDO2/WebAuthn security keys, which bind the authentication to the site’s origin, defeat it.

This is a common tactic for threat groups such as Storm-1167, who are known for crafting fake Microsoft authentication pages to harvest credentials. They also create a second phishing page that mimics the MFA step of the Microsoft login process, prompting the victim to put in their MFA code and grant the attackers access. From there, they gain access to a legitimate email account and can use it as a platform for a multi-stage phishing attack.

2. MFA prompt bombing

This tactic takes advantage of the push notification feature in modern authentication apps. After compromising a password, attackers attempt to log in, which sends an MFA prompt to the legitimate user’s device. They rely on the user either mistaking it for a genuine prompt and accepting it, or becoming frustrated with continuous prompts and accepting one to stop the notifications. This technique, known as MFA prompt bombing (or MFA fatigue), poses a significant threat. Number matching, where the user must type a code shown on the login screen into the authenticator, and rate limits on push prompts both blunt it.

In a notable incident, hackers from the 0ktapus group compromised an Uber contractor’s login credentials through SMS phishing, then continued the authentication process from a machine they controlled, which repeatedly sent MFA push prompts to the contractor’s phone. They then impersonated an Uber security team member on Slack, convincing the contractor to accept the push notification.
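Both of the tactics above leave a trace in identity-provider sign-in logs: a prompt-bombing run shows a burst of push prompts for one user, and an AITM relay or stolen session cookie shows a session that was minted from one IP address and then used from another. The Python below is an added example, not part of the original article or any vendor product, and it runs over a constructed event list whose field names (`kind`, `ip`, `session`) are this example’s own rather than any real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed sign-in events (not a real log format); timestamps are naive UTC.
def ev(ts, user, kind, ip, session=None):
    return {"ts": datetime.fromisoformat(ts), "user": user, "kind": kind,
            "ip": ip, "session": session}


EVENTS = [
    # Normal user: one prompt, one approval, session used from the same IP.
    ev("2024-02-12T09:00:00", "alice", "password_ok", "203.0.113.10"),
    ev("2024-02-12T09:00:02", "alice", "push_sent", "203.0.113.10"),
    ev("2024-02-12T09:00:20", "alice", "push_approved", "203.0.113.10", "s-alice-1"),
    ev("2024-02-12T09:05:00", "alice", "session_use", "203.0.113.10", "s-alice-1"),
    # Prompt bombing: password already compromised, pushes hammered until one is approved.
    ev("2024-02-12T21:00:00", "bob", "password_ok", "198.51.100.7"),
    ev("2024-02-12T21:00:05", "bob", "push_sent", "198.51.100.7"),
    ev("2024-02-12T21:00:40", "bob", "push_denied", "198.51.100.7"),
    ev("2024-02-12T21:01:10", "bob", "push_sent", "198.51.100.7"),
    ev("2024-02-12T21:02:00", "bob", "push_sent", "198.51.100.7"),
    ev("2024-02-12T21:02:30", "bob", "push_sent", "198.51.100.7"),
    ev("2024-02-12T21:02:50", "bob", "push_approved", "198.51.100.7", "s-bob-1"),
    # AITM / token replay: login completed through the proxy IP, cookie reused elsewhere.
    ev("2024-02-12T11:00:00", "carol", "password_ok", "192.0.2.44"),
    ev("2024-02-12T11:00:03", "carol", "push_sent", "192.0.2.44"),
    ev("2024-02-12T11:00:15", "carol", "push_approved", "192.0.2.44", "s-carol-1"),
    ev("2024-02-12T11:03:00", "carol", "session_use", "198.51.100.99", "s-carol-1"),
]


def prompt_bombing(events, min_prompts=3, window=timedelta(minutes=10)):
    """Users who received >= min_prompts pushes inside `window`, and whether one was approved."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] in ("push_sent", "push_approved"):
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        sent = [e["ts"] for e in evs if e["kind"] == "push_sent"]
        for i, start in enumerate(sent):
            burst = [t for t in sent[i:] if t - start <= window]
            if len(burst) >= min_prompts:
                # An approval inside or shortly after the burst is the worst case: the
                # attacker now holds a session, so this is an incident, not just noise.
                approved = any(e["kind"] == "push_approved"
                               and start <= e["ts"] <= burst[-1] + window for e in evs)
                hits[user] = {"prompts": len(burst), "approved": approved}
                break
    return hits


def session_ip_changes(events):
    """Sessions whose MFA-approved origin IP differs from an IP that later used the session."""
    origin = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "push_approved" and e["session"]:
            origin[e["session"]] = e["ip"]
    alerts = []
    for e in events:
        if (e["kind"] == "session_use" and e["session"] in origin
                and e["ip"] != origin[e["session"]]):
            alerts.append((e["user"], e["session"], origin[e["session"]], e["ip"]))
    return alerts


if __name__ == "__main__":
    print("prompt bombing:", prompt_bombing(EVENTS))
    print("session replay:", session_ip_changes(EVENTS))
```

On the sample, bob is flagged with four prompts in ten minutes ending in an approval, and carol’s session is flagged because it was approved from 192.0.2.44 but used from 198.51.100.99. The IP-change check produces false positives for mobile users whose address changes legitimately, so in production it is usually combined with ASN or geolocation distance and a short time window rather than a bare inequality.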

3. Service desk attacks

Attackers deceive helpdesks into bypassing MFA by feigning password forgetfulness and gaining access through phone calls. If service desk agents fail to enforce proper verification procedures, they may unknowingly grant hackers an initial entry point into their organization’s environment. A recent example was the MGM Resorts attack, where the Scattered Spider hacker group fraudulently contacted the service desk for a password reset, giving them a foothold to log in and launch a ransomware attack.

Hackers also try to exploit recovery settings and backup procedures by manipulating service desks to circumvent MFA. 0ktapus has been known to fall back on targeting an organization’s service desk when MFA prompt bombing proves unsuccessful. They contact the service desk claiming their phone is inoperable or lost, then ask to enroll a new, attacker-controlled MFA device. They can then exploit the organization’s recovery or backup process by getting a password reset link sent to the device they control. The control that matters is a verification procedure the agent cannot be talked out of: a callback to a number already on file, a manager’s confirmation, or an in-person or video identity check before any factor is re-enrolled.

4. SIM swapping

Cybercriminals understand MFA often relies on cell phones as a means of authentication. They can exploit this with a technique called a ‘SIM swap’, where hackers deceive service providers into transferring a target’s services to a SIM card under their control. They can then effectively take over the target’s cell service and phone number, letting them intercept MFA prompts and gain unauthorized access to accounts.

In March 2022, Microsoft published a report detailing the tactics employed by the threat group it tracks as DEV-0537, better known as LAPSUS$. The report explained how LAPSUS$ dedicates extensive social engineering campaigns to gaining initial footholds in target organizations. One of its favored techniques is targeting users with SIM-swapping attacks, along with MFA prompt bombing and resetting a target’s credentials through help desk social engineering.

You can’t fully rely on MFA – password security still matters

This is not an exhaustive list of ways to bypass MFA. There are several other ways too, including compromising endpoints, stealing session tokens, exploiting SSO, and finding unpatched technical flaws. It’s clear that setting up MFA doesn’t mean organizations can forget about securing passwords altogether.

Account compromise still often starts with weak or compromised passwords. Once an attacker obtains a valid password, they can then shift their focus towards bypassing the MFA mechanism. Even a strong password can’t protect users if it’s been compromised through a breach or password reuse. And for most organizations, going fully passwordless won’t be a practical option.

With a tool like Specops Password Policy, you can enforce robust Active Directory password policies to eliminate weak passwords and continuously scan for compromised passwords resulting from breaches, password reuse, or being sold after a phishing attack. This ensures that MFA serves as an additional layer of security as intended, rather than being solely relied upon as a silver-bullet solution. If you’re interested in exploring how Specops Password Policy can fit with your organization’s specific needs, please contact us.




Three Ways To Supercharge Your Software Supply Chain Security
Thu, 04 Jan 2024 (https://www.indiavpn.org/2024/01/04/three-ways-to-supercharge-your-software-supply-chain-security/)

Jan 04, 2024 | The Hacker News | Ethical Hacking / Vulnerability Assessment

Software Supply Chain Security

Section 4 of Executive Order 14028, “Improving the Nation’s Cybersecurity” (May 2021), introduced a lot of people in tech to the concept of a “Software Supply Chain” and securing it. If you make software and ever hope to sell it to one or more federal agencies, you have to pay attention to this. Even if you never plan to sell to a government, understanding your Software Supply Chain and learning how to secure it will pay dividends in a stronger security footing and the benefits it provides. This article will look at three ways to supercharge your Software Supply Chain Security.

What is your Software Supply Chain? It’s essentially everything that goes into building a piece of software: from the IDE in which the developer writes code, to the third-party dependencies, to the build systems and scripts, to the hardware and operating system on which it runs. Instabilities and vulnerabilities can be introduced, maliciously or not, from inception to deployment and even beyond.

1: Keep Your Secrets Secret

Some of the bigger cybersecurity incidents of 2023 occurred because bad actors found secrets in plain text. Secrets, in this context, are things like username and password combos, API keys, signing keys, and more. These keys to corporate kingdoms were found laying around where they shouldn’t be.

Sourcegraph got pwned when a site-admin access token was committed to a public repository. The attacker used it to create an admin account and hand out free access to the Sourcegraph API. A hacker group got access to a Microsoft internal debugging environment and found a consumer signing key in a crash dump, which let them forge authentication tokens for email accounts.

Tools like GitGuardian allow you to check your code, both legacy and bleeding edge, for accidentally published secrets or attempts to publish them. It’s important to know which secrets might have been released and remediate them, as well as put in safeguards in the form of automated tools and code reviews to ensure other keys don’t get out.
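Commercial scanners combine detectors for known credential formats with an entropy test for generic assignments. The Python below is an added example illustrating that approach; it is not GitGuardian’s code or part of the original article. The vendor prefixes in the patterns (`AKIA`, `ghp_`, `xox`) are the published formats; the entropy threshold of 4.5 bits per character is this example’s own choice, and the sample file is constructed with syntactically valid but non-functional keys.

```python
import math
import re

# Detectors for well-known credential formats (the prefixes are the vendors' published formats).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic "name = value" assignments; only flagged when the value looks random (see scan_text).
ASSIGNMENT = re.compile(
    r"""(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['"]?([A-Za-z0-9+/_\-]{16,})"""
)


def shannon_entropy(s):
    """Bits per character: random keys score near log2(alphabet), words and placeholders score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text, entropy_threshold=4.5):
    """Return (line_no, detector, matched_text) for each likely secret in `text`."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((n, name, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            already = any(f[0] == n for f in findings)  # a format detector already fired
            if shannon_entropy(value) >= entropy_threshold and not already:
                findings.append((n, "high_entropy_assignment", value))
    return findings


def mask(value, keep=4):
    """Redact a finding for logs or review comments without echoing the whole secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)


# Constructed sample file contents; the keys are syntactically valid but not real credentials.
SAMPLE = """\
# config.py
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyzABCDEFGHIJ"
password = "changeme-changeme-changeme"
api_key = "q8Zt3mN7vK2pL9xW4rY6uH1sD5fG0jBc"
db_secret = os.environ["APP_SECRET"]
DEBUG = True
"""


if __name__ == "__main__":
    for line_no, detector, value in scan_text(SAMPLE):
        print(f"line {line_no}: {detector}: {mask(value)}")
```

The obvious placeholder on line 4 and the environment lookup on line 6 are not reported; the AWS key, the GitHub token and the random-looking API key are. The same limitation applies to this example as to any entropy check: a low-entropy but real password slips through, which is why secret scanning is paired with code review and with rotating any key that was ever published, not just deleting the line.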

2: Use SCA to Help Build Your BOM

In manufacturing, a Bill of Materials (BOM) is a comprehensive inventory that includes all raw materials, components, and guidelines necessary for the construction, manufacturing, or repair of a product or service. Both cybersecurity regulations and best practices are embracing the idea of a software BOM that provides transparency and provenance of all the pieces that go into building your software.

But you can’t build a BOM from your list of declared dependencies alone.

Package repositories like npm and PyPI, and the incorporation of open-source frameworks and libraries, were hailed for making software development more efficient by not having to reinvent the wheel. Instead, developers could find free packages that implemented the functionality they needed and incorporate them into their software easily.

They also exposed developers to a growing web of dependencies. You may find it feels like “turtles all the way down” as your dependencies have dependencies that have dependencies… You might even have sub-dependencies on four different releases of the same package, all of which have different vulnerabilities.

Software Composition Analysis tools automatically scan your project’s codebase and identify all the external components you’re using, including all the turtles as far down as they go. They then perform checks to make sure these components are up-to-date, secure, and compliant with licensing requirements.

This helps you identify which dependencies have known vulnerabilities so you can update or replace them, and it is a big help when you need to generate a clean BOM for inspection by potential customers and regulators.
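The lockfile is where the whole tree, nested copies included, is actually recorded, which is why SCA tools read it rather than the manifest. The Python below is an added example, not part of the original article or any SCA product: it flattens a constructed npm `package-lock.json` (lockfileVersion 3 layout, where every installed package is keyed by its `node_modules` path) into CycloneDX-style components, reports packages present at more than one version, and matches them against a constructed advisory list. The package names and the advisory ID are hypothetical, not real packages or CVEs.

```python
import json

# Constructed npm lockfile (lockfileVersion 3 layout). Nested node_modules paths are the
# transitive "turtles": log-lib pins its own older copy of str-pad.
LOCK = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0",
         "dependencies": {"web-kit": "^2.0.0", "log-lib": "^1.0.0"}},
    "node_modules/web-kit": {"version": "2.1.0", "dependencies": {"str-pad": "^1.0.0"}},
    "node_modules/str-pad": {"version": "1.3.0"},
    "node_modules/log-lib": {"version": "1.4.2", "dependencies": {"str-pad": "^0.9.0"}},
    "node_modules/log-lib/node_modules/str-pad": {"version": "0.9.1"}
  }
}
""")

# Constructed advisory feed: hypothetical package and ID, not a real CVE.
ADVISORIES = [
    {"id": "DEMO-2023-001", "name": "str-pad", "vulnerable_below": "1.0.0"},
]


def parse_version(v):
    """Plain numeric semver only; enough for the constructed data."""
    return tuple(int(x) for x in v.split("."))


def components_from_lock(lock):
    """Flatten every installed package (direct and transitive) into SBOM components."""
    comps = []
    for path, meta in lock["packages"].items():
        if path == "":
            continue  # the root project itself
        name = path.split("node_modules/")[-1]   # keeps @scope/name intact
        depth = path.count("node_modules/")       # 1 = direct install, 2+ = nested copy
        comps.append({"type": "library", "name": name, "version": meta["version"],
                      "purl": f"pkg:npm/{name}@{meta['version']}", "depth": depth})
    return comps


def duplicate_versions(components):
    """Packages installed at more than one version; each copy needs its own check."""
    seen = {}
    for c in components:
        seen.setdefault(c["name"], set()).add(c["version"])
    return {n: sorted(v) for n, v in seen.items() if len(v) > 1}


def match_advisories(components, advisories):
    """(purl, advisory id) for every installed copy below an advisory's fixed version."""
    return [(c["purl"], a["id"]) for c in components for a in advisories
            if c["name"] == a["name"]
            and parse_version(c["version"]) < parse_version(a["vulnerable_below"])]


def cyclonedx(components):
    """Minimal CycloneDX JSON document; 'purl' and 'type' are the fields consumers key on."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": [{k: c[k] for k in ("type", "name", "version", "purl")}
                           for c in components]}


if __name__ == "__main__":
    comps = components_from_lock(LOCK)
    print("duplicates:", duplicate_versions(comps))
    print("advisories:", match_advisories(comps, ADVISORIES))
    print(json.dumps(cyclonedx(comps), indent=2))
```

Reading only the manifest would have shown `str-pad` once, at 1.3.0, and missed the vulnerable 0.9.1 copy two levels down; the lockfile walk finds both, and the BOM lists both so a customer or regulator sees the same thing your scanner does.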

3: Go Hack Yourself

Ethical hacking is older than most recent CS grads. As stated in a recent webinar on ethical hacking, it is “identifying and exploiting vulnerabilities in computer systems or networks in a responsible and lawful manner.” Note the emphasis on “responsible” and “lawful.”

Essentially, ethical hackers use most of the same techniques as “black hat” hackers to find and exploit vulnerabilities in a system. The difference that cannot be stressed enough is that they do it with permission. They stick to the systems they’ve been given permission to hack, then document everything so that their discoveries can be reproduced and analyzed by the team/client to whom they report them.

While this often comes at a later stage in the development process, it’s important. If they can determine your dependencies and run their own SCA that identifies vulnerable ones, game over. If they can find an unguarded point of entry, game over. If they test a web app and find debug code writing confidential output to the console, game over. Some vulnerabilities are show-stoppers; others may need nothing more than removing a line of debug code.

Making ethical hacking part of the release process, joining bug bounty programs, and more can make sure you’re fixing things before you’re having to apologize for them, report them to regulators, and do clean-up.

Summary

Whether you’re trying to please regulators or customers, beefing up your Software Supply Chain Security will let you spend more time selling your software and less time apologizing for it. And while these three tips get you a good foundation, you can find a lot more in the SLSA security framework. Working the framework and securing your supply chain is how you get (in the words of the SLSA site) “from ‘safe enough’ to being as resilient as possible, at any link in the chain.”




5 Ways to Reduce SaaS Security Risks
Wed, 03 Jan 2024 (https://www.indiavpn.org/2024/01/03/5-ways-to-reduce-saas-security-risks/)

SaaS Security

As technology adoption has shifted to be employee-led, just in time, and from any location or device, IT and security teams have found themselves contending with an ever-sprawling SaaS attack surface, much of which is often unknown or unmanaged. This greatly increases the risk of identity-based threats, and according to a recent report from CrowdStrike, 80% of breaches today use compromised identities, including cloud and SaaS credentials.

Given this reality, IT security leaders need practical and effective SaaS security solutions designed to discover and manage their expanding SaaS footprint. Here are 5 key ways Nudge Security can help.

Close the visibility gap

Knowing the full scope of SaaS apps in use is the foundation of a modern IT governance program. Without an understanding of your entire SaaS footprint, you cannot say with confidence where your corporate IP is stored (Did someone sync their desktop to Dropbox?), you cannot make assumptions about your customer data (Did someone upload your customer list to a new marketing app?), and you certainly can’t make strong assertions about your production data (Did someone clone their environment into a new AWS account to recreate a support issue?).

But, given the pace of SaaS adoption, it is a never-ending, painstaking task to collect and maintain an accurate SaaS inventory. Nudge Security addresses this problem with real-time, continuous SaaS discovery that does not require agents, browser plug-ins, network proxies, or complicated API configurations. Within minutes of starting a free trial, you will have a full inventory of all SaaS accounts ever created by anyone in your org, along with security context on each app, alerts as new apps are introduced, and the ability to automate SaaS governance tasks.


Manage OAuth risks

Today, any employee has the power at their fingertips to string together multiple SaaS applications and data using no-code / low-code integrations that leverage authorization methods like OAuth grants. This creates a complex mesh of SaaS applications, making it extremely difficult to answer the fundamental question of, “who (and what SaaS applications) have access to my corporate assets?” Attackers are taking advantage of this complexity to move laterally across the SaaS supply chain to get to the crown jewels.

Given this, it’s important for IT and security teams to regularly review the OAuth grants that have been introduced for their organization to identify and address overly permissive scopes and app-to-app connections that may run contrary to data privacy and compliance requirements.

A separate Nudge Security article provides an overview of the key steps for analyzing OAuth grants and assessing potential risks, along with how Nudge Security provides the context you need to simplify this process.
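The review described above comes down to three questions per grant: how much can the connected app do with the scopes it holds, is the grant still being used, and do you trust whoever published the app. The Python below is an added example, not Nudge Security code or part of the original article. The scope strings are the real Google and Microsoft Graph identifiers, but the high/medium/low tiering, the 90-day staleness cut-off and the grant records are this example’s own assumptions.

```python
from datetime import date

# Scope tiering is this example's policy, not a vendor rating. The strings themselves are the
# real Google OAuth and Microsoft Graph scope identifiers.
HIGH_RISK = {
    "https://mail.google.com/",                               # full Gmail read/write/delete
    "https://www.googleapis.com/auth/drive",                  # every Drive file
    "https://www.googleapis.com/auth/admin.directory.user",   # Workspace directory admin
    "Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All",
}
MEDIUM_RISK = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
    "Mail.Read", "Files.Read.All",
}
LOW_RISK = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email", "User.Read",
}


def scope_tier(scope):
    if scope in HIGH_RISK:
        return "high"
    if scope in MEDIUM_RISK:
        return "medium"
    if scope in LOW_RISK:
        return "low"
    return "unknown"  # unrecognised scopes are escalated for review, never silently ignored


def review_grant(grant, today, stale_days=90):
    """Rate one app-to-app grant: worst scope tier, plus staleness and publisher flags."""
    order = ["low", "medium", "high", "unknown"]
    worst = max((scope_tier(s) for s in grant["scopes"]), key=order.index)
    reasons = []
    if worst in ("high", "unknown"):
        reasons.append(f"{worst}-risk scope")
    if (today - grant["last_used"]).days > stale_days:
        reasons.append(f"unused > {stale_days} days")
    if not grant.get("verified_publisher", False) and worst != "low":
        reasons.append("unverified publisher")
    return {"app": grant["app"], "user": grant["user"], "tier": worst, "reasons": reasons,
            "action": "revoke_or_justify" if reasons else "keep"}


def review_grants(grants, today):
    return [review_grant(g, today) for g in grants]


# Constructed grant records (not real apps or users).
TODAY = date(2024, 1, 3)
GRANTS = [
    {"app": "Calendar Sync Pro", "user": "alice@example.com", "verified_publisher": True,
     "scopes": ["openid", "email"], "last_used": date(2024, 1, 2)},
    {"app": "Mail Merge Helper", "user": "bob@example.com", "verified_publisher": False,
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/userinfo.email"],
     "last_used": date(2023, 8, 1)},
    {"app": "Doc Summariser", "user": "carol@example.com", "verified_publisher": True,
     "scopes": ["Files.Read.All", "User.Read"], "last_used": date(2023, 12, 20)},
]


if __name__ == "__main__":
    for r in review_grants(GRANTS, TODAY):
        print(r["action"], r["app"], r["tier"], "; ".join(r["reasons"]))
```

On the constructed data only the unverified mail-merge app with full Gmail access, idle since August, is routed to the app owner for revocation or justification; the sign-in-only grant and the verified read-only Files grant are kept. In practice the grant list comes from the identity provider’s token or consent report, and the `unknown` tier is the one to watch, since new scopes appear faster than any static policy is updated.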


Monitor your SaaS attack surface

Recent high-profile SaaS supply chain breaches at CircleCI, Okta, and Slack reflect a growing trend of attackers targeting enterprise SaaS tools to infiltrate their customers’ environments. As mentioned above, the complex and interconnected nature of the modern SaaS attack surface makes it possible for attackers to move through the software supply chain to find valuable assets.

Given this reality, it’s important to understand what corporate assets are visible to attackers externally and, therefore, could be a target. Arguably, the SaaS attack surface extends to every SaaS, IaaS and PaaS application, account, user credential, OAuth grant, API, and SaaS supplier used in your organization—managed or unmanaged. Monitoring this attack surface can feel like a Sisyphean task, given that any user with a credit card, or even just a corporate email address, has the power to expand the organization’s attack surface in just a few clicks.

Nudge Security includes a SaaS attack surface dashboard to show you all externally facing assets attackers could see, including SaaS apps, cloud infrastructure, dev tools, social media accounts, registered domains, and more. With this visibility, you can take proactive steps to minimize and protect your SaaS attack surface.


Expand SSO coverage

Single sign-on (SSO) provides a centralized place to manage employees’ access to enterprise SaaS applications, which makes it an integral part of any modern SaaS identity and access governance program. Most organizations strive to ensure that all business-critical applications (i.e., those that handle customer data, financial data, source code, etc.) are enrolled in SSO. However, when new SaaS applications are introduced outside of IT governance processes, this makes it difficult to truly assess SSO coverage.

Nudge Security shows you which apps are enrolled in SSO (and which are not) along with context on each app so you can appropriately prioritize your SSO onboarding efforts. When you are ready to onboard new apps to your SSO tool, Nudge Security initiates SSO onboarding workflows to make the process easier.


Extend MFA usage

Multi-factor authentication adds an extra layer of security to protect user accounts from unauthorized access. By requiring multiple factors for verification, such as a password and a one-time code from an authenticator app or a hardware security key, it significantly decreases the chances of attackers gaining access to sensitive information. Factors delivered by SMS are the weakest option, since a SIM swap lets an attacker receive them. This is especially important in today’s digital landscape where identity-based attacks are increasingly common.

With Nudge Security, you can see which user accounts do (and don’t) have MFA enabled, and send “nudges” to users via email or Slack to prompt them to enable MFA for their accounts. With the long-tail of applications often adopted without IT oversight, this visibility helps IT teams ensure that SaaS security best practices are followed.


Start improving SaaS security today

Nudge Security gives IT and security teams complete visibility of every SaaS and cloud asset ever created in their orgs (managed or unmanaged), and real-time alerts as new accounts are created. With this visibility, they can eliminate shadow IT, secure rogue accounts, minimize the SaaS attack surface, and automate tedious tasks, all without impeding the pace of work.

Start a free 14-day trial here.



