Consider the following cybersecurity breaches – all from within the past three months: GitHub, the leading cloud-based source control service, discovered that hackers capitalized on stolen OAuth tokens issued to third-party applications to download data from dozens of customer accounts; Mailchimp, a leading emarketing company, found a data breach where hundreds of customer accounts were compromised using stolen API keys; and Okta, the leading workforce authentication service, left 366 corporate customers vulnerable after hackers exploited a security breach to gain access to internal networks.
These three incidents have one thing in common – they were all service supply chain attacks, meaning breaches in which the attackers took advantage of access granted to third-party services as a backdoor into the companies’ sensitive core systems.
Why this sudden cluster of related attacks?
As digital transformation and the surge in cloud-based, remote or hybrid work continues, companies are increasingly weaving third-party applications into the fabric of their enterprise IT to facilitate productivity and streamline business processes. These integrated apps increase efficiency throughout the enterprise – thus their sudden rise in popularity. The same is true for low-code / no-code tools, which allow non-coding “citizen developers” to create their own advanced app-to-app integrations more easily than ever before.
Security and IT teams want to support the business in the adoption of these new technologies to drive automation and productivity, but are increasingly understaffed and overburdened. The rapid rise of new integrations between third-party cloud apps and core systems puts pressure on traditional third-party review processes and security governance models, which is overwhelming IT and security teams and ultimately creating a new, sprawling, largely unmonitored attack surface.
If these integrations proliferate without sufficient understanding and mitigation of the specific threats they pose, similar supply chain attacks are bound to keep happening. Indeed, in 2021, 93% of companies experienced a cybersecurity breach of some kind due to third-party vendors or supply chain weakness.
Here’s why executives must confront this new generation of supply chain cyberattacks and how.
The third-party app promise – and problem
The proliferation of third-party applications is a double-edged sword – offering productivity, but also contributing to a sprawling new enterprise attack surface.
App marketplaces offering thousands of add-ons enable “non-technical” employees to freely and independently integrate various third-party apps into their individual work environments for the sake of their own productivity, organization and efficiency. Such adoption is driven by the rise of product-led growth, as well as individual employees’ desires to keep up with the quickening pace of work processes around them. For example, a marketing operations manager trialing a new SaaS prospecting tool might integrate it directly with Salesforce to automatically sync leads.
The same goes for engineering, devops and IT teams, who are increasingly authorizing third-party tools and services with access to their organization’s core engineering systems across SaaS, IaaS and PaaS to streamline development efforts and increase agility. Take, for example, an engineering team lead using a new cloud-based dev productivity tool that relies on API access to the GitHub source code repository or to the Snowflake data warehouse.
What complicates matters even more is the increasing popularity of low-code/no-code platforms and other integration platform-as-a-service (iPaaS) tools like Zapier, Workato and Microsoft Power Apps. The ease with which these tools let anyone create advanced integrations between critical systems and third-party apps makes the web of app integrations even more tangled.
These applications are often integrated by employees into their workflows without undergoing the rigorous security review process that usually happens when enterprises procure new digital tools, exposing companies to an entirely new attack surface for cyberbreaches.
And even if security teams could vet the security posture of each individual third-party app before employees integrate them with core systems like Salesforce, GitHub, and Office 365, vulnerabilities could persist that would offer malicious actors a clear path to accessing core systems. A recently disclosed GitHub Apps vulnerability demonstrates this risk; the exploit enabled privilege escalation that potentially granted excessive permissions to malicious third-party applications.
The promise of third-party integrations is great efficiency, productivity and employee satisfaction. However, the rate of third-party app adoption is skyrocketing without employees or IT teams fully understanding and having visibility into the security and compliance threats posed by this soaring number of third-party connections.
Where legacy solutions fall short
Existing security solutions can’t keep up with the rapidly growing challenges of third-party app interconnectivity. Legacy approaches often address user (rather than application) access, as this was previously the primary threat vector. They also tend to focus on the vulnerabilities of standalone applications – not the connectivity between the apps – and are built to address limited environments, like SaaS business applications alone. These solutions were also designed for a slower pace of cloud adoption, in which every third-party service could undergo a thorough, lengthy manual review process.
Today, as app-to-app connectivity proliferates rapidly, these solutions simply fall short, leaving improperly secured third-party connections open to potential attacks, data breaches and compliance violations. Such gaps leave the doors wide open for the type of service supply chain attacks we saw with GitHub, Mailchimp and Okta.
What immediate actions can CISOs take to improve their security posture?
CISOs can start by creating a one-stop inventory of every single third-party connection in the organization, across all environments – understanding all programmable access that may expose their critical assets and services. This overview must account not just for SaaS deployments, but all critical cloud environments as well.
It must also leverage contextual analysis to identify the actual exposure of each app’s connections. For example, one app might have many connections but only to a core system with low levels of permission, while another might have a small number of connections with highly privileged permissions. Each of these requires a different security approach and shouldn’t be lumped together. Here, CISOs should consider using “exposure scoring” – a standardized metric for rating the severity or impact of any third-party integration vulnerability – to evaluate the app-to-app connectivity landscape at a glance.
The next step is to detect the risks posed by every app in this inventory. CISOs must identify external connection threats, integration misuse, and other anomalies that might pose a threat. This can be challenging due to variations from one app to another, so security leaders must seek tools that can continuously monitor and detect threats across an array of apps.
In order to reduce the attack surface, security leaders should also assess the permission levels granted to each and every integration. This means removing or decreasing the permissions to any previously authorized OAuth applications, credentials and integrations that are no longer needed or are too risky – similar to the process of offboarding users who have left a company or a team.
CISOs should be asking which over-privileged third-party integrations should be restricted outright, and which should be moved to less-permissive settings.
Finally, CISOs should manage the integration lifecycle of any third-party apps from the point of adoption onward. Security teams should seek out security tools to gain control over all app-layer access, set enforcement guardrails, and prevent policy drifts.
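The inventory, exposure-scoring and permission-review steps described above, as an added Python example that is not code from the article or from Astrix Security. The core systems, apps, teams, dates and the sensitivity and scope weights it uses are constructed assumptions; the exposure score here is simply system sensitivity multiplied by the strongest scope weight, which is one illustrative way to rate a connection, not an industry standard.

```python
# Added example, not code from the original article or from Astrix Security.
# It walks through the steps the article lists: build an inventory of
# third-party app-to-app grants, assign each an exposure score, flag
# over-privileged or stale grants, and recommend revocation or scope
# reduction. All systems, apps, dates and weights below are constructed
# for illustration; the scoring weights are an assumption, not a standard.
from dataclasses import dataclass
from datetime import date

# Assumed sensitivity of each core system on a 1-5 scale.
SYSTEM_SENSITIVITY = {
    "github": 5, "snowflake": 5, "salesforce": 4, "office365": 4, "slack": 2,
}
# Assumed weight of the permission level a scope confers.
SCOPE_WEIGHT = {"read": 1, "write": 3, "admin": 5}


@dataclass(frozen=True)
class Grant:
    """One programmable connection from a third-party app into a core system."""
    app: str          # third-party app or integration name
    system: str       # core system it was granted access to
    scopes: tuple     # permission scopes written as "<resource>:<level>"
    granted_by: str   # employee or team that authorized it
    credential: str   # "oauth_token" or "api_key"
    last_used: date   # last observed use of the credential


def scope_weight(scope):
    """Map a scope such as "repo:admin" to its assumed weight; unknown levels count as read."""
    level = scope.split(":")[-1]
    return SCOPE_WEIGHT.get(level, SCOPE_WEIGHT["read"])


def exposure_score(grant):
    """Exposure = system sensitivity x strongest scope weight (range 1-25)."""
    sensitivity = SYSTEM_SENSITIVITY.get(grant.system, 3)  # unknown systems assumed mid-sensitivity
    return sensitivity * max(scope_weight(s) for s in grant.scopes)


def app_exposure(grants):
    """Per app: (number of connections, highest single-connection exposure).

    Separates the two cases the article contrasts: many low-privilege
    connections versus a single highly privileged one."""
    summary = {}
    for g in grants:
        count, worst = summary.get(g.app, (0, 0))
        summary[g.app] = (count + 1, max(worst, exposure_score(g)))
    return summary


def review(grants, today, stale_days=90, max_score=15):
    """Return (app, system, action) for every grant that needs attention.

    Stale grants are recommended for revocation (the offboarding analogy in
    the article); live but over-exposed grants get a scope-reduction action."""
    findings = []
    for g in grants:
        idle = (today - g.last_used).days
        score = exposure_score(g)
        if idle > stale_days:
            findings.append((g.app, g.system, f"revoke: unused for {idle} days"))
        elif score > max_score:
            findings.append((g.app, g.system, f"reduce scopes: exposure score {score}"))
    return findings


# Constructed inventory; none of these apps, teams or dates are real.
INVENTORY = [
    Grant("lead-sync-tool", "salesforce", ("leads:write",), "marketing-ops", "oauth_token", date(2022, 9, 20)),
    Grant("dev-productivity", "github", ("repo:admin",), "eng-lead", "oauth_token", date(2022, 9, 25)),
    Grant("old-ci-bot", "github", ("repo:read",), "eng", "api_key", date(2022, 3, 1)),
    Grant("bi-dashboard", "snowflake", ("warehouse:read",), "data", "oauth_token", date(2022, 9, 28)),
    Grant("zap-notifier", "slack", ("chat:write",), "ops", "oauth_token", date(2022, 9, 29)),
    Grant("zap-notifier", "salesforce", ("contacts:read",), "ops", "oauth_token", date(2022, 9, 29)),
]
TODAY = date(2022, 9, 30)  # constructed review date

if __name__ == "__main__":
    for app, (count, worst) in sorted(app_exposure(INVENTORY).items()):
        print(f"{app:18} connections={count} max_exposure={worst}")
    for app, system, action in review(INVENTORY, TODAY):
        print(f"{app} -> {system}: {action}")
```

Run as-is, the review flags two grants: the dev productivity tool holding an admin scope on the source repository (high exposure from a single connection) and an API key that has sat unused for months (a revocation candidate). The Zapier-style notifier has the most connections but the lowest exposure, which is why counting connections alone is a poor proxy for risk. In practice the inventory would be populated from each platform's OAuth app and token listings rather than typed in by hand.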
Securing the future of third-party apps
When third-party apps are integrated with companies’ core systems to boost productivity, they leave the entire system exposed to the risks of service supply chain attacks, data leakage, account takeover and insecure authorization.
Considering the API management market alone is expected to expand 35% by 2025, organizations must address the security risks posed by these applications sooner rather than later. The malicious attacks on GitHub, Okta and Mailchimp demonstrate just that – and serve as a warning to those yet unhacked and those seeking to avoid yet another breach.
Alon Jackson is CEO and cofounder of Astrix Security.
NASA Says Hurricane Didn’t Hurt Artemis I Hardware, Sets New Launch Window
NASA’s Artemis I moon mission launch, stalled by Hurricane Ian, has a new target for takeoff. The launch window for step one of NASA’s bold plan to return humans to the lunar surface now opens Nov. 12 and closes Nov. 27, the space agency said Friday.
The news comes after the pending storm caused NASA to scrub the latest Artemis I launch, which had been scheduled for Sunday, Oct. 2. As Hurricane Ian threatened to travel north across Cuba and into Florida, bringing rain and extreme winds to the launch pad’s vicinity, NASA on Monday rolled its monster Space Launch System rocket, and the Orion spacecraft it’ll propel, back indoors to the Vehicle Assembly Building at Florida’s Kennedy Space Center.
The hurricane made landfall in Florida on Wednesday, bringing with it a catastrophic storm surge, winds and flooding that left dozens of people dead, caused widespread power outages and ripped buildings from their foundations. Hurricane Ian is “likely to rank among the worst in the nation’s history,” US President Joe Biden said on Friday, adding that it will take “months, years, to rebuild.”
Initial inspections Friday to assess potential impacts of the devastating storm to Artemis I flight hardware showed no damage, NASA said. “Facilities are in good shape with only minor water intrusion identified in a few locations,” the agency said in a statement.
Next up, teams will complete post-storm recovery operations, which will include further inspections and retests of the flight termination system before a more specific launch date can be set. The new November launch window, NASA said, will also give Kennedy employees time to address what their families and homes need post-storm.
Artemis I is set to send instruments to lunar orbit to gather vital information for Artemis II, a crewed mission targeted for 2024 that will carry astronauts around the moon and hopefully pave the way for Artemis III in 2025. Astronauts on that high-stakes mission will, if all goes according to plan, put boots on the lunar ground, collect samples and study the water ice that’s been confirmed at the moon’s South Pole.
The hurricane-related Artemis I rollback follows two other launch delays, the first due to an engine problem and the second because of a hydrogen leak.
Hurricane Ian has been downgraded to a post-tropical cyclone but is still bringing heavy rains and gusty winds to the Mid-Atlantic region and the New England coast.
What You Get in McDonald’s New Happy-Meal-Inspired Box for Adults
You’ve pulled up to McDonald’s as a full-on adult. You absolutely do not need a toy with your meal, right? Joking. Of course you do.
The fast-food chain will soon sell boxed meals geared toward adults, and each one has a cool, odd-looking figurine inside.
The meal has an odd name — the Cactus Plant Flea Market Box — that’s based on the fashion brand collaborating with McDonald’s on this promotion.
According to McDonald’s, the box is inspired by the memory of enjoying a Happy Meal as a kid. The outside of the box is multicolored and features the chain’s familiar golden arches.
The first day you can get a Cactus Plant Flea Market Box will be Monday, Oct. 3. Pricing is set by individual restaurants and may vary, according to McDonald’s. It’ll be available in the drive-thru, in-restaurant, by delivery or on the McDonald’s app, while supplies last.
You can choose between a Big Mac or 10-piece Chicken McNuggets. It will also come with fries and a drink.
Now about those toys. The boxes will pack in one of four figurines. Three of the four appear to be artsy takes on the classic McDonald’s characters Grimace, Hamburglar and Birdie the Early Bird, while the fourth is a little yellow guy sporting a McDonald’s shirt called Cactus Buddy.
In other McD news, Halloween buckets could be returning to the chain this fall. So leave some room in your stomach for a return trip.
Why companies like iHeartMedia, NBCU rely on homegrown IP to build metaverse engagements
To avoid potential blowback from a skeptical audience, retailers as well as media and entertainment companies are learning to invest in their homegrown intellectual properties while building virtual brand activations inside Roblox or Fortnite.
Take, for instance, when they get it wrong.
Earlier this week, Walmart launched its own Roblox world — called Walmart Land — and was roundly mocked for it across social media given the announcement’s disjointed brand message and apparent lack of life. In one viral tweet, a Twitter user described a clip of Walmart CMO William White introducing the Roblox space as “one of the saddest videos ever created.”
To some extent, this sort of criticism is to be expected during the early days of the metaverse.
“Walmart is an iconic brand; when you see them coming into a platform like Roblox, people are going to be 10 times more critical of what is being launched,” said Yonatan Raz-Fridman, CEO of the Roblox developer studio Supersocial.
But Walmart’s size is not its only disadvantage as it dips its toes into Roblox. Although Walmart has a widely recognizable brand, it owns few intellectual properties that users are actually interested in experiencing virtually — a shortcoming reflected by the somewhat cavernous emptiness of Roblox’s Walmart Land.
The success of other recent brand activations is evidence that media and entertainment brands are better equipped to build metaverse spaces that can dodge online skepticism, thanks to their wealth of owned IP.
“They are having to reinvent themselves, to a certain degree, but that is in their DNA,” said Jesse Streb, global svp of technology and engineering at the agency DEPT. “So they have a unique advantage over, say, some kludgy company that sells lumber, or a construction company.”
For example, iHeartMedia’s Roblox and Fortnite spaces were inspired by the mass media corporation’s wealth of popular real-life events, such as the Jingle Ball Tour and iHeartRadio Music Festival, with virtual versions of musicians like Charlie Puth performing pre-recorded concerts that allow real-time audience interaction.
“There’s a strong brand association with the IP, down to a station level — you’re in the New York area, you probably know Z100,” said iHeartMedia evp of business development and partnerships Jess Jerrick. “The same is true for the event IP, or the IP that we now have in the podcasting space, and of course our radio broadcast talent. So there’s no shortage of really strong IP we can bring into these spaces.”
Translating real-life properties into the metaverse is also an enticing prospect for brands that view metaverse platforms as an experimental marketing channel, allowing them to bring tried-and-true IP into their virtual activations instead of designing them from the ground level. This was part of the strategy behind the recent Tonight Show activation in Fortnite Creative, which was designed in collaboration between NBCUniversal and Samsung. “We’re looking at it holistically — how do we find fans in new ways, and use IP that fans love in new ways?” said NBCU president of advertising and client partnerships Mark Marshall.
Since opening on Sept. 14, iHeartLand has already enticed over 1.5 million Roblox users to visit. The company aims to retain that attention with a schedule of virtual programming featuring popular musicians and personalities.
“At our core, we are essentially an influencer network; our broadcast talent are some of the most connected, most engaging influencers at work in media today,” said Conal Byrne, CEO of iHeart Digital Audio Group. “That gives us this sort of superpower, to be able to go into new-ish platforms, like Roblox or Fortnite, because we talk to our listeners through those influencers.”