Much has been written in the past week about LAPSUS$, and the events that have transpired resulting in a security incident at several large-scale technology companies. It’s a sobering reminder that criminals are out there, are technologically advanced, and will often stop at nothing when they set their sights on a target. LAPSUS$ is a group of cybercriminals who have frequently leveraged social engineering to trick insiders into giving them access to target organizations. Their tactics include trickery, like phishing emails, and also outright bribery in social media posts. While brazen in their approach, they have been successful in breaching some of the world’s largest and most security-minded organizations in multiple countries through targeting employees or third-party vendors to provide them with the insider access they require to do their jobs. Much of this has already been written ad nauseum, and we will instead use this post to illustrate what can be done to keep attackers at bay.
While security teams have no doubt been scrambling to patch systems, reset passwords, update security training for personnel, and more, there are a couple of identity governance controls that every organization should have in place to help mitigate risk that is inherently posed from insider access. They are formed around the principle of least privilege in ensuring that all users only have the minimum levels of access they require to do their jobs. This is to keep a harmonious relationship between security and business efficiency. Here are three controls to keep in mind:
1. Recertify Access. We wrote about this in a prior post, but it bears repeating that recertifying access helps to create a foundation of least privilege. By ensuring that each identity only has access to resources and data that they use, and flagging instances of access that are no longer required can minimize the attack surface. If attackers are able to gain insider access, the less access that they then have to exploit, the less harmful the attack.
2. Automate the Identity Lifecycle. As responsibilities shift, working locations change, and promotions happen, employees will need access to different data, and applications. However, they’ll also need old access revoked to prevent dormant accounts that are often easy targets for attackers. Additionally, third-party contractors, support engineers in outsourced IT, and more, often are on short-term contracts and need to be continuously monitored to ensure that their access is extended when necessary, and swiftly revoked when no longer required.
3. Enforce Separation of Duties (SoD). Typically, an organization will assign application or resource owners to approve or deny access requests to certain resources if it is not included out of the box as part of a role or policy. However, what happens when approvers themselves need access? It wouldn’t be right to have them approve or deny their own access, it could quickly lead to sticky situations that attackers are certainly looking to capitalize on. Enforcing Separation of Duties (SoD) controls is a smart way to minimize the attack surface by minimizing who can approve access for certain resources, and put safeguards in place to prevent toxic combinations.
It bears mentioning that no single solution is enough to completely prevent cyberattacks. There is a strong likelihood that if attackers want to gain access to an enterprise, they will find a way to do that. However, by setting up strong identity governance controls and a foundation of security, it helps to both ward of attackers by creating resistance and mitigate the damage of a breach if, and when they do gain access. For more information on the processes and tools Omada has in place to keep our business secure and reliable, visit our Trust Center.
