What is your security weakest link?

D Kaufman
3 min read · Dec 1, 2023

Okta is in the news again, having announced that its previously disclosed security incident impacts all of its customer support users. The fact that attackers targeted customer support is not surprising. Most companies spend their resources and focus fortifying their front door while mostly overlooking the backdoors. Yet the security of any organization is only as strong as its weakest link. In many cases, this weak link resides within the support organization, including both customer support and internal help desks, and attackers actively hunt for those weak points, as evidenced by incidents like the Okta attack, the social engineering of support staff in the recent MGM attack, and the growing focus of malicious activity on SIM swapping.

Having conducted numerous threat model reviews, security assessments, and audits of support functionality over the years, my consistent observation is that companies often neglect to invest adequately in the resources needed to address issues, modernize support infrastructure, and improve processes in this area. It’s not surprising: for most companies, support is a cost center rather than a significant revenue driver, and it is often treated as a mere cost of doing business. When prioritizing work, companies tend to focus on shiny new customer features or on deploying the latest security tools to safeguard the front door.

Several reasons make support organizations attractive targets for adversaries:

  1. Legacy infrastructure: Many support systems were deployed years ago and have been happily working since then. Why change?
  2. New product features, services, and corporate changes create seams: Rapid company evolution through acquisitions or restructures introduces new systems and services, creating seams in infrastructure that attackers exploit.
  3. Outsourcing: Many companies outsource Tier 1 support; this creates additional seams in infrastructure, particularly in identity systems, and expands your company’s attack surface.
  4. Employee churn: Support organizations experience frequent personnel changes, leaving behind over-permissioned and inactive users that provide opportunities for attackers.

Customer Support in this article is a proxy for other backdoor services in your company such as Livesite monitoring or Data Science infrastructure, which may also represent weak links.

Now, what can you do about these backdoors?

There are probably already actions you are taking on your front doors that you should extend to these other functions in your organization. Here are some to consider:

  1. Conduct Regular Security Reviews: Regularly assess the security of these areas, including the associated processes.
  2. Move to a Zero Trust Model: Invest in transitioning these functions to a Zero Trust world, including enforcing least-privilege access and assuming breach (this is worth a whole other post).
  3. Implement Threat Detections: Establish threat detections for anomalies in support audit logs, case infrastructure, and related areas.
  4. Audit Access and Reduce Surfaces: Regularly audit access and minimize security surface area wherever possible.
  5. Review Governance and Compliance: Continually review governance structures and address potential compliance issues for data and user access.
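As an added example (not code from the original post), here is a small Python audit over a constructed support-desk audit log and agent roster that covers two of the points above: the churn problem (inactive and over-permissioned agents, item 4 in the first list) and threat detection on support audit logs (item 3 here), flagging bursts of high-risk actions such as MFA resets. The log entries, roster, tier policy, and thresholds are all assumptions made up for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed support-desk audit log (hypothetical, not from any real system).
AUDIT_LOG = [
    ("2023-11-28T09:00:00", "alice", "view_case"),
    ("2023-11-28T09:05:00", "alice", "mfa_reset"),
    ("2023-11-28T09:20:00", "bob", "view_case"),
    ("2023-11-28T10:00:00", "mallory", "mfa_reset"),
    ("2023-11-28T10:10:00", "mallory", "mfa_reset"),
    ("2023-11-28T10:25:00", "mallory", "password_reset"),
    ("2023-11-28T10:40:00", "mallory", "mfa_reset"),
]

# Constructed agent roster: support tier, granted roles, and last login.
ROSTER = {
    "alice": {"tier": 1, "roles": {"case_read"}, "last_login": "2023-11-28T09:00:00"},
    "bob": {"tier": 1, "roles": {"case_read", "mfa_reset"}, "last_login": "2023-11-28T09:20:00"},
    "mallory": {"tier": 2, "roles": {"case_read", "mfa_reset", "password_reset"}, "last_login": "2023-11-28T10:00:00"},
    "carol": {"tier": 2, "roles": {"case_read", "mfa_reset"}, "last_login": "2023-09-01T08:00:00"},
}

# Hypothetical least-privilege policy: roles each support tier may hold.
TIER_ROLES = {1: {"case_read"}, 2: {"case_read", "mfa_reset", "password_reset"}}
HIGH_RISK = {"mfa_reset", "password_reset"}


def inactive_agents(roster, now_iso, max_idle_days=30):
    """Enabled agent accounts idle longer than max_idle_days (what churn leaves behind)."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_idle_days)
    return sorted(a for a, r in roster.items()
                  if datetime.fromisoformat(r["last_login"]) < cutoff)


def over_permissioned_agents(roster, tier_roles):
    """Agents holding roles beyond what their tier permits."""
    return sorted(a for a, r in roster.items() if r["roles"] - tier_roles[r["tier"]])


def high_risk_bursts(log, threshold=3, window=timedelta(hours=1)):
    """Agents performing at least `threshold` high-risk actions inside any sliding window."""
    per_agent = defaultdict(list)
    for ts, agent, action in log:
        if action in HIGH_RISK:
            per_agent[agent].append(datetime.fromisoformat(ts))
    flagged = set()
    for agent, times in per_agent.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged.add(agent)
    return sorted(flagged)
```

In this constructed data, carol is inactive, bob holds an MFA-reset role a Tier 1 agent should not have, and mallory's four resets in forty minutes trip the burst detector; each finding is the kind of item a regular access audit or detection rule on the support desk would surface.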

This is just a starting point. Consider these steps as part of a broader effort to strengthen your overall security posture. So much to do, so little time!

The question remains: What is your security weakest link?


D Kaufman

Product Leader | Identity Security | Startup founder | Protecting Organizations with Advanced AI & Security Architecture https://www.linkedin.com/in/dskaufman/