.svg)
.jpeg)
.svg)
Last month, over the holidays, we witnessed multiple vendors experience security breaches of varying levels of severity. From LastPass and Okta to Slack and CircleCI, the news has been filled with headlines reporting on the aftermath of these incidents. We wanted to briefly cover these stories and discuss their implications for you in the current year.
A timeline of vendor security incidents Dec 2022-Jan 2023
This past month, we've seen four major vendors notify customers of security incidents, three of which involved access to GitHub repositories. Both Slack and Okta note that customer data or sensitive data that can impact their services were not accessed in these incidents.
Dec 21, 2022
Okta announced a security incident that occured in early Dec 2022. GitHub alerted the company about suspicious access to repos that did not contain customer data. An investigation revealed that these repos were cloned, but were not used to access the Okta service.
Dec 22, 2022
Lastpass revealed a follow-up to a security incident that occured in Aug 2022. While customer data was not impacted by the Aug incident, threat actors used source code and technical information from that hack to target an employee whose credentials they leveraged to decrypt LastPass' cloud storage environment. Threat actors gained access to basic customer account information (including user names, email addresses, and company names) as well as encrypted and unencrypted field data in LassPass customer accounts.
Dec 31, 2022
Slack disclosed that it discovered unauthorized access to code repos within Slack GitHub accounts, with a limited number of employee tokens being used to access its externally hosted GitHub. Accessed repos were cloned, but no repos contained customer data or a means to access Slack's primary codebase.
Jan 4, 2023
CircleCI announced that it was actively inestigating a security incident. As part of the annoucment it recommended customers rotate secrets stored in CircleCI while reviewing access logs for any systems associated with those secrets. Subsequent updates addressed customer concerns and revealed that CircleCI was working with vendors like AWS to notify shared customers whose secrets might have been used.
What can these incidents teach us about third party risk?
All of the security breach notifications where somewhat vague in describing the scope of each incident, though we now know just how extensive the CircleCI and LastPass breaches were due to the exposure of secrets they caused. When evaluated collectively, these incidents give us a lot to reflect on, below we cover some critical takeaways.
1. The true impacts of incidents can remain unknown & undisclosed for a long time
As the LastPass security incident illustrates, what may at first seem like a security incident with minimal impact can evolve into a more complicated situation with a much broader impact. It's critical to take every vendor disclosure as a serious opportunity to review your security policies and look at what types of systems and data might be at risk given your relationship to any third-party issuing a disclosure.
2. Conduct your own due diligence to understand the personal impacts of any disclosure
As alluded to above, it's critical that you take a proactive stance to evaluate your risk after exposure to a vendor incident. This will allow you to get ahead of any threat actors, in the instance there are downstream effects and provide peace of mind. For example, Dividend Finance leveraged Nightfall to determine if there were any indicators of compromise after last year's Hiroku token theft. Doing this reassured the org that they had done enough to mitigate their risk.
3. Multiple incidents may affect your organization simultaneously
The pace at which these incidents occurred (essentially all in the last two weeks of December) helps drive home the point that third-party risk can happen at any time and you can be susceptible to multiple types of third party risk simultaneously. This makes deploying tools that give you visibility into your environments extremely critical, as well as developing review and auditing processes to regularly assess the state of these environments.
4. The consequences from these incidents can cascade
Because information (secrets, customer data, etc) from one incident can be leveraged to initiate other incidents, the consequences of third-party risk can cascade if they're allow to propagate. As Ars Technica's Dan Goodin notes, the internet is an interconnected mesh of services and content delivery networks. This makes it very important to keep aware of incidents as they happen so you can better appreciate their implications.
How should you respond to third party risk and supply chain attacks?
Incidents like these highlight the importance of ensuring your environments are free of sensitive data that can escalate the severity of an intrusion, should the worse happen. This is a lesson we highlighted last year as it became apparent that third party risk, especially from supply chain attacks, was growing. One key means of cleaning your environments is by nuding employees to develop better data sharing and handling practices, in order to prevent (for example) the proliferation of customer data or the sharing of passwords in systems like Slack, GitHub, etc. Investing in tools that can both provide the visibility to see where this data is, while nudging employees towards more secure behavior has become increasingly important. Nightfall is one such tool that provides these capabilities. The Nightfall platform allows users to continuously scan cloud environments for inappropriate disclosures of PII, PHI, PCI, credentials, secrets, and more. Any time there is a disclosure or sharing of this information that violates a users policies about when and where such information can be shared.
To learn more you can watch our on-demand webinar Build Continuous Security & Compliance into Your SaaS Environments.
.svg)
.svg)
.svg)
.svg){kind=small}
.svg){kind=small}
