Okta, again? This time takes 1Password along || 11th edition of ENISA Threat Landscape
CyberInsights #116 - Okta Support Ticketing System Breached || European Agency for Cybersecurity releases its annual threat landscape study
Okta data breach - twice in 2 years
A Single Sign On (SSO) company sells peace of mind. A run rate of 1 breach a year is not good for business.
One key to rule them all - that’s what SSOs promise.
When the Keymaker (Matrix reference unintentional) gets breached, confidence levels plummet. Last year, CyberInsights covered the Okta breach. Read about it here.
Now, Okta has been breached again. This time, it is their support ticketing system. The problem is that, in some cases, the support ticketing system holds access tokens that customers have shared with it. Read the official statement from Okta for more information [LINK]. BeyondTrust were the first to detect the breach. Read about it in their interesting blog post. [LINK]
The problem of large service providers being breached is the follow-on attacks.
Follow-on Attacks - Attacks on customers of a service provider that got breached.
1Password - another large service provider that uses Okta. While seeking support from Okta, 1Password team members uploaded a file to the Okta support portal. The file contained cookies and session tokens. These were used to try and gain access to 1Password’s Okta account. 1Password says the attackers did not get far and no client data was breached. [LINK]
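The support-file problem above is easy to reproduce in your own organisation: anything a browser exports for troubleshooting captures live Cookie, Set-Cookie and Authorization headers. As an added example (not code from Okta, 1Password or this newsletter), here is a small scrubber that redacts those values from an HTTP Archive (HAR) file before it is attached to a vendor ticket, plus a pre-upload check that reports any secret still present. It assumes the file is a standard HAR 1.2 document and uses a constructed sample entry; the hostname, cookie and token values are made up.

```python
"""Redact session secrets from an HTTP Archive (HAR) before it is shared.

Browser-exported HAR files capture every request and response header,
including Cookie, Set-Cookie and Authorization. Uploading one unsanitised
hands the recipient live session tokens. This scrubber replaces those
values, and every parsed cookie entry, with a fixed marker while leaving
the rest of the archive intact for troubleshooting.
"""
import copy
import json

REDACTED = "[REDACTED]"

# Header names whose values are credentials or bearer material (case-insensitive).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}

# Query/body parameter names that commonly carry tokens (assumption: extend per app).
SENSITIVE_PARAMS = {"access_token", "id_token", "refresh_token", "code", "session", "sessionid"}


def _scrub_pairs(pairs, names):
    """Redact 'value' in a HAR name/value list when the name is sensitive."""
    for item in pairs:
        if item.get("name", "").lower() in names:
            item["value"] = REDACTED


def _scrub_message(msg):
    """Scrub headers, cookies and query/post params of one request or response."""
    _scrub_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
    # HAR stores parsed cookies separately from the Cookie header; clear both.
    for cookie in msg.get("cookies", []):
        cookie["value"] = REDACTED
    _scrub_pairs(msg.get("queryString", []), SENSITIVE_PARAMS)
    post = msg.get("postData")
    if post:
        _scrub_pairs(post.get("params", []), SENSITIVE_PARAMS)
        # Raw bodies (e.g. token-endpoint JSON) are replaced wholesale, not parsed.
        if "text" in post:
            post["text"] = REDACTED


def sanitize_har(har):
    """Return a sanitised deep copy of a parsed HAR dict; the input is not modified."""
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        _scrub_message(entry.get("request", {}))
        _scrub_message(entry.get("response", {}))
    return clean


def leaked_secrets(har):
    """List (location, name) for every credential still present: a pre-upload check."""
    found = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    found.append((f"entry[{i}].{side}.headers", h["name"]))
            for c in msg.get("cookies", []):
                if c.get("value") != REDACTED:
                    found.append((f"entry[{i}].{side}.cookies", c.get("name", "")))
    return found


# Constructed sample: one request to an SSO API carrying a session cookie and a
# bearer token, and a response that sets a fresh cookie. All values are made up.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://sso.example.invalid/api/v1/users/me",
                    "headers": [
                        {"name": "Cookie", "value": "sid=abc123sessionvalue"},
                        {"name": "Authorization", "value": "Bearer eyJhbGciOi.example.token"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "abc123sessionvalue"}],
                    "queryString": [],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Set-Cookie", "value": "sid=newvalue; HttpOnly; Secure"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "newvalue"}],
                },
            }
        ],
    }
}

if __name__ == "__main__":
    print("secrets before:", len(leaked_secrets(SAMPLE_HAR)))   # 5
    cleaned = sanitize_har(SAMPLE_HAR)
    print("secrets after:", len(leaked_secrets(cleaned)))       # 0
    print(json.dumps(cleaned["log"]["entries"][0]["request"]["headers"], indent=1))
```

To use it on a real export, load the file with `json.load`, run `sanitize_har`, and refuse the upload if `leaked_secrets` on the result is non-empty. The check is deliberately separate from the scrubber so it can also run as a gate in a ticketing workflow, independent of whoever produced the file.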
Take Action:
If you use Okta or 1Password - keep an eye out for their support teams reaching out to you. Reach out to them proactively to see if you are an affected party.
Use an instance like this - where a key authentication / password service provider gets compromised - as a simulation scenario for your CCMP testing.
If you are a cyber insurer - remember the third party liability when insuring large service providers like this. It might be a huge contingent liability.
If you are a user of 1Password, like I have been for over a decade, reach out to them to ask for clarifications. After all, you have trusted them to keep your keys safely!
The ENISA Threat Landscape for 2023 is out
On the outside, nothing changes.
The report is a goldmine of information.
It’s worth sitting down on a Saturday evening with your favourite single malt and spending the evening reading the report.
I don’t want to give you any spoilers and ruin your evening, but a couple of things are worth mentioning. Ransomware is treated differently from social engineering, even though social engineering is often used to deliver ransomware. That’s why you see ransomware and social engineering as separate categories.
Interestingly, there was a dip in ransomware payments in the year 2022, not for lack of ransomware attacks, but for a reluctance among victims to pay. In 2023, ransomware groups are changing their strategy to data exfiltration and not encryption. Read page 59, section 4.7 for this part.
Download the report from the ENISA website [LINK]. Let me know if you want a detailed analysis of this report. I can do a CyberInsights LongReads on this.
Take Action:
If you are in the cybersecurity profession, this is a report worth reading. It gives you a snapshot of what happened in the cybersecurity world over the last year. The data is restricted to the EU, but it can be extrapolated across the world. Combine it with the Verizon Data Breach Report and you have a ringside view of what is happening. So, read the report.
If you are a cyber insurer - read it to get the direction of breaches and incidents and use it to predict which part of your policy will have claims. You might even be able to provide specific cover for certain areas to the exclusion of more generic covers.