The Number One Security Challenge for Your Supply Chain Footprint in 2024
It’s no secret that cybersecurity threats are on the rise, and even tech giants like Microsoft aren’t immune. Recently, an attack on a legacy application left the company scrambling to contain the damage. Hackers were able to read high-profile internal emails and access source code, potentially contributing to the compromise of HP, which issued a press release with eerie similarities. But it’s not just big corporations that are at risk. Even a US state government fell victim to a breach via a former employee’s admin-level account. And as if that wasn’t enough cause for concern, the volume of credential-based attacks has skyrocketed by a staggering 73% according to IBM.
We published an article about breaches and their relation to SaaS and cloud services three years ago. You may have thought that those “old-school” password-based breaches like SolarWinds were a thing of the past. Then, in 2021, the Colonial Pipeline breach happened. We thought that this was too easy to prevent for any serious organization, but then the Cisco breach happened, and now Microsoft too. It turns out that even Okta, a global MFA/IDP provider, fell victim to a mishandled and stolen service token, taken via an employee’s Google password sync after that account was compromised.
But this disappointing line of events has a silver lining: they all stem from a single point of failure, the failure to understand the least protected element of your organization: credentials used on third-party suppliers and unmanaged applications.
Unmanaged accounts and passwords are the long tail of your cloud footprint, created on unmanaged services such as SaaS, cloud, web apps, or “legacy tenants.” All of these contribute to your identity and supply chain footprint without any control or visibility. Employees sign up and create accounts that IT and security tools never see. Web-based sign-in forms are your primary point of credential leakage, as they give any user the opportunity to hand over and reuse corporate accounts and passwords, without any approval or chance of blocking. This can happen while ordering pizza, signing up for social media, or adding fancy AI tools in any of your departments.
Remember that all employees need to register for a wide variety of apps and websites as part of their day-to-day job, including AI tools, file-sharing, social media, technical services, marketing platforms, or even simple tasks like booking flights or attending events.
Let’s compare these accounts to the other identities your organization manages, and see how they affect potential attack vectors.
Overall, Shadow IT makes organizations vulnerable to security breaches, as users tend to reuse their credentials across different platforms, especially when the service itself is legitimate. These apps may contain valuable data, such as customer PII, confidential information, or technical intel, which makes them a lucrative target for hackers. For instance, we saw a major breach when Juniper accidentally exposed all of its customer device information on its partner portal. Most trivial apps tend to lack backend security, making them an easy target for stealing user accounts and passwords. As a result, both employees and organizations must be vigilant and take security measures to protect against such threats.
To summarize, three main vectors contribute to breaches in terms of gaining initial access:
- Enterprise accounts with already breached credentials, especially when no MFA or weak MFA is enabled
- “Forgotten” applications, databases, or tenants that were not sanitized and mainly contain authentication tokens or other forms of data that can lead to lateral movement
- Unmanaged third-party applications, i.e. Shadow IT services and supply chain portals, without any cyber security governance or controls for authentication
The last one is the most underserved in terms of control and visibility, as firewalls, CASB solutions, and even endpoint security products lack visibility into web-based authentication traffic. Even password managers are always opt-in for users and do not provide sufficient visibility into application or account usage, and they may even contribute to the problem by failing to protect their vaults.
More importantly, out of more than 600 million registered domains existing today, only a few thousand of them host truly enterprise SaaS services that allow SSO/IDP integrations or other forms of security governance. The rest are all your potential Shadow IT supply chain.
NIST 2.0 just recently added the supply chain as their new governance arm specifically to tackle some of these challenges:
“Today, nearly all organizations depend on supply chains. As such, it is increasingly important that they develop capabilities and implement practices to identify, assess, and respond to cybersecurity risks throughout the supply chain […] It also requires an enterprise-wide cultural shift to a state of heightened awareness and preparedness regarding the potential ramifications of cybersecurity risks throughout the supply chain.”
In summary, a new approach is required for cloud visibility to tackle your invisible supply chain and find peace of mind around credential usage and password hygiene. This is required by NIST 2.0 and also by NIS2, which focuses on the security governance of high-risk industries and businesses in the EU.
Your unmanaged supply chain is your biggest attack surface, and gaining visibility is the only solution.
Shadow IT should be embraced as a potential competitive edge, allowing business departments to look for the best possible suppliers and solutions without complicated IT adoption. But to avoid opening giant security backdoors, we must have the proper tools in place to foster vigilance around using these external apps.
Scirge can educate about using secure authentication methods, create mandatory inventories for compliance, and protect high-value accounts with acceptable password hygiene. Scirge allows you to discover all employee-created accounts, check for password strength and reuse, and educate employees in real time about the risks of external application usage, without collecting clear-text passwords or PII data.
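To make the two ideas above concrete, the unmanaged third-party sign-ups from the list of initial-access vectors and the reuse check that never stores a clear-text password, here is an added illustration (not Scirge’s code, and not from the original article). It assumes a corporate email domain, a small allow-list of SSO/IdP hosts, and a keyed fingerprint computed by a monitoring agent at capture time; all sites and accounts are constructed sample data.

```python
import hmac
import hashlib
from collections import defaultdict

# Assumptions for this illustration (not from the article or from Scirge):
CORP_DOMAIN = "example-corp.com"                                       # company email domain
MANAGED_HOSTS = {"login.microsoftonline.com", "okta.example-corp.com"}  # SSO/IdP hosts
FP_KEY = b"constructed-agent-secret-do-not-reuse"                      # held only by the agent


def fingerprint(password: str, key: bytes = FP_KEY) -> str:
    """Keyed HMAC-SHA256 of a password. Equal passwords give equal fingerprints,
    so reuse is detectable, while the clear text is never stored or transmitted.
    The key must stay inside the agent: whoever holds it can guess fingerprints offline."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed sample of observed web-form sign-ins: (site, account email, password).
# A real agent fingerprints at capture time; clear text appears here only to build the sample.
_RAW = [
    ("login.microsoftonline.com", "alice@example-corp.com", "Winter-Parrot-42!"),
    ("pizza.example-delivery.test", "alice@example-corp.com", "Winter-Parrot-42!"),
    ("ai-notes.example-tool.test", "alice@example-corp.com", "Winter-Parrot-42!"),
    ("okta.example-corp.com", "bob@example-corp.com", "correct horse battery"),
    ("partner-portal.example-vendor.test", "bob@example-corp.com", "Partner-Only-2024"),
    ("forum.example-community.test", "bob@personal-mail.test", "hunter2"),
]
EVENTS = [(site, email, fingerprint(pw)) for site, email, pw in _RAW]


def shadow_it_inventory(events, corp_domain=CORP_DOMAIN, managed=MANAGED_HOSTS):
    """Map each corporate email to the unmanaged (non-SSO) sites it registered on."""
    inventory = defaultdict(set)
    for site, email, _ in events:
        if email.lower().endswith("@" + corp_domain) and site not in managed:
            inventory[email.lower()].add(site)
    return {email: sorted(sites) for email, sites in inventory.items()}


def password_reuse(events, corp_domain=CORP_DOMAIN, managed=MANAGED_HOSTS):
    """Corporate accounts whose fingerprint was seen on a managed (SSO) host and on at
    least one unmanaged site: a third-party breach there exposes the enterprise password."""
    seen = defaultdict(set)
    for site, email, fp in events:
        if email.lower().endswith("@" + corp_domain):
            seen[(email.lower(), fp)].add(site)
    findings = {}
    for (email, _), sites in seen.items():
        if sites & managed and sites - managed:
            findings[email] = sorted(sites - managed)
    return findings
```

Only the inventory and the reuse findings need to leave the agent; the fingerprints themselves are not useful to anyone without the key.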
Take a quick quiz about your Shadow IT readiness here.
About Scirge
Scirge provides a unique approach to unveil and gain control over unmanaged third-party web accounts. Scirge tracks the websites employees use corporate email addresses to register on and log in to. Having a central dashboard of discovered accounts helps to reduce the risk of credential-related threats such as password reuse or account takeover (ATO). Scirge gives a level of control over SaaS usage to overcome Shadow IT. It also helps to ensure that your company complies with GDPR, CCPA, and other audit requirements.