Massive Okta Breach: What CISOs Should Know
After Okta’s admission last week that 100% of its 18,400 customers were exposed to a breach of its customer support system, security experts are pondering the impact and future solutions.
At a Glance
- Identity and access management firm Okta’s breach now includes “all” customers.
- Company identifies tips to help mitigate potential threats.
- What IT leaders can learn from the latest Okta breach.
Okta’s announcement last week that an earlier report of customers exposed to an October breach had been grossly underestimated -- with the entirety of its huge client base exposed, instead of the 1% previously reported -- sent shockwaves through multiple industries and left IT security leaders scrambling to respond.
As one of the top identity management solutions platforms, Okta boasts massive corporate customers like FedEx, Zoom, Bain & Company, HPE, Ally Financial and many more. Okta had previously announced two of its customers -- casino titans Caesars Entertainment and MGM Resorts -- were compromised in a September social engineering attack that resulted in significant business disruptions.
In late October, Okta began notifying its users of a breach of its customer support system. At the time, the company said the breach exposed just 1% of its customers. But in a blog post last week, the company admitted it had missed other malicious activity in its initial review of the breach. The attacker, the company said, ran an automated query of the database that contains names and email addresses of “all Okta customer support system users.”
All users of Okta’s Workforce Identity Cloud (WIC) and Customer Identity Solutions (CIS) were impacted, the company said.
The breach leaves many customers open to active threats. The threat actor gained access to the files from Sept. 28 through Oct. 17. The company said an Okta employee had signed into their personal Google profile on a company laptop’s Chrome web browser.
Merritt Maxim, vice president and research director at Forrester, tells InformationWeek in an interview that identity management firms make attractive targets for hackers. “Any identity and access management-related system is a very tempting target for hackers, because those systems contain credentials and other types of information hackers can use … So, we shouldn’t be surprised that identity providers like Okta are getting attacked and will continue to do so.”
Okta’s Tips to Defend Against Attacks
In its blog post, Okta said customers exposed are now at risk for attacks themselves.
“While we do not have direct knowledge or evidence that this information is being actively exploited, there is a possibility that the threat actor may use this information to target Okta customers via phishing or social engineering attacks … Given that names and email addresses were downloaded, we assess that there is an increased risk of phishing and social engineering attacks directed at these users,” wrote David Bradbury, Okta’s chief security officer.
Okta recommends customers take several immediate steps to defend against potential attacks from the breach, including securing administrator access through multi-factor authentication (MFA), “admin session binding” that requires admins to reauthenticate in certain instances, “admin session timeout” set to a default of 12-hour session duration and 15-minute idle time, and phishing awareness.
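The admin-session controls listed above amount to a small policy check that any session layer can enforce. The following is an added illustration, not Okta’s code or its API: it evaluates a hypothetical admin session against the 12-hour duration and 15-minute idle limits from the article, requires MFA, and treats a change of network origin (assumed here to be the ASN the session was bound to at login) as a reason to re-authenticate.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Limits quoted in the article's summary of Okta's recommendations.
MAX_SESSION = timedelta(hours=12)   # absolute admin session lifetime
MAX_IDLE = timedelta(minutes=15)    # idle time before re-authentication


@dataclass
class AdminSession:
    issued_at: datetime      # when the admin last fully authenticated
    last_seen: datetime      # last request accepted on this session
    mfa_verified: bool       # MFA completed at login
    bound_asn: str           # network origin captured at login (assumption: binding keys on ASN)


def evaluate(session: AdminSession, now: datetime, request_asn: str) -> str:
    """Return 'allow', or a 'reauth:<reason>' string telling the caller to force re-authentication.

    The caller is expected to update session.last_seen only when 'allow' is returned,
    so the idle window slides with activity but the absolute lifetime does not.
    """
    if not session.mfa_verified:
        return "reauth:mfa_required"
    if now - session.issued_at > MAX_SESSION:
        return "reauth:session_expired"
    if now - session.last_seen > MAX_IDLE:
        return "reauth:idle_timeout"
    if request_asn != session.bound_asn:
        return "reauth:session_binding"
    return "allow"


def demo() -> dict:
    """Constructed sessions covering each policy outcome."""
    t0 = datetime(2023, 10, 1, 9, 0, tzinfo=timezone.utc)
    fresh = AdminSession(t0, t0 + timedelta(minutes=5), True, "AS64500")
    old = AdminSession(t0, t0 + timedelta(hours=12, minutes=5), True, "AS64500")
    no_mfa = AdminSession(t0, t0 + timedelta(minutes=5), False, "AS64500")
    return {
        "fresh": evaluate(fresh, t0 + timedelta(minutes=10), "AS64500"),
        "idle": evaluate(fresh, t0 + timedelta(minutes=25), "AS64500"),
        "moved": evaluate(fresh, t0 + timedelta(minutes=10), "AS64501"),
        "expired": evaluate(old, t0 + timedelta(hours=12, minutes=6), "AS64500"),
        "no_mfa": evaluate(no_mfa, t0 + timedelta(minutes=10), "AS64500"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:8} -> {decision}")
```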
In a statement to InformationWeek, a spokesperson for HPE said the company is continuing to investigate. “We have investigated the potential impact and, at this time, have not determined any compromise of HPE systems as a result of this breach. We continue to monitor developments regarding this incident and will take appropriate action to protect HPE and our customers, if warranted.”
How CISOs Should Respond After Breach
Forrester’s Maxim says companies need to strengthen their security and stay vigilant. “If their users aren’t already using two-factor authentication, they should implement that immediately,” he says. “And they can also apply pressure to the vendors -- to make sure they are disclosing these breaches and that they know what new patches or fixes are available.”
In an email to InformationWeek, Henry Bagdasarian, founder of the Identity Management Institute, says the co-mingling of business and personal uses on devices leaves organizations open to threats. With the breach originating from an Okta employee, Bagdasarian says companies need to examine their attitudes about BYOD (bring your own device) and using personal accounts on business devices.
Furthermore, employees need better training in best practices to shield organizations from threats.
“Training programs should not only focus on strict compliance with business policies, but also emphasize the importance of a security mindset and critical thinking on the part of employees in all business activities to self-assess the consequences and potential risks of employee actions to minimize threat exposure to access credentials and business data,” he writes.
Since the Okta breach stemmed from an employee’s use of a personal Google account on a Chrome browser, Maxim says companies may want to consider using more secure, enterprise-grade browsers now available from third parties. “There’s now a dedicated market for these enterprise browsers,” he says. “Maybe we all thought, ‘the world doesn’t need another browser,’ but in reality, companies do. With that kind of browser, an enterprise has full control over what the user can and cannot do. This case with the user kind of co-mingling their personal Google Chrome account with the enterprise can’t happen with an enterprise browser.”
Rebuilding Trust After an Incident
Okta is having a tough year with two major breaches just in the last few months. For companies who suffer an attack, being forthcoming and quickly sharing investigation results can help, Maxim says.
Okta’s effort to regain trust after such a massive breach “is going to be challenging,” Maxim says. “But generally speaking, people are forgiving of security breaches. Where they are less forgiving is when there’s inadequate or incomplete responses to breaches.”
In Okta’s case, having a wildly different answer for the number of people affected by a breach a month after the initial reports is damaging. But companies are also racing to report incidents without having all the facts in hand, Maxim says.
“It’s like the fog of war, and you may not actually have all the answers,” he says. “So, companies are in a difficult position -- your duty to disclose versus the fact that you might not have all the information available. That’s kind of an unfortunate reality of the cyber world we live in and for companies like Okta to rebuild trust, it’s probably going to be a longer road to do that.”
Unfortunately for Okta, which has several major competitors in the identity management space, customers may choose to switch vendors out of fear of future attacks. “And it’s not a trivial change, but for those enterprises that feel that this breach has made them question whether they want to stay with Okta, they do have alternatives that they could pursue,” Maxim says.