Is there any coming back from this?
An outfit that (quite aggressively) punts its services as keeping you secure manages to fail to keep its own crown jewels safe?
Okta has sent out breach notifications to almost 5,000 current and former employees, warning them that miscreants breached one of its third-party vendors and stole a file containing staff names, social security numbers, and health or medical insurance plan numbers. The third-party, Rightway Healthcare, helps people compare …
Do you mean this specific incident, because if you do, you do realize that it was a company other than Okta that had the system from which the file was stolen. I'm sure your employer outsources some part of its business, and it would be great if they could make sure that every supplier had perfect security, but that doesn't make them the cause of any supplier's failure.
"you do realize that it was a company other than Okta that had the system from which the file was stolen....but that doesn't make them the cause of any supplier's failure"
Except that it fucking does. The data was entrusted to Okta. The data has been compromised. This is Okta's fault.
If they cannot be sure that their suppliers, resellers and subcontractors are at least as secure as Okta themselves, then they shouldn't use them and should hold the data in-house. We keep hearing these pathetic excuses from companies that should know better that it was a supplier, vendor, subcontractor that caused a breach, it'd be nice if regulators and courts actually started considering this to be an aggravating rather than mitigating factor. In an ideal world customers would consider this before using Okta, in practice Okta's customers are big corporations and the public sector, and procurement is a process in which some (arguably many) important questions simply are not asked, scores are added up and whoever gets the highest score gets the gig.
As a starter, any security service vendors should be ranked according to all known breaches and data losses for the SSV themselves. What sort of management do Okta have? If this is how they treat their own employees' data, how competent are they on background checks when hiring their own staff? How thorough are they when sub-contracting devs, or offshoring coding? Essentially, this story begs the question how trustworthy are Okta? Lucky that their customers will keep following the process rather than ask that question.
As I said, being able to guarantee the security of anyone who ever does a service for you would be great. Unfortunately, actually guaranteeing that would require the audit from hell. Sorry, I mean it is impossible, but getting close to it requires that. Do you or your employer provide services to other companies from time to time? Are you confident that every one of your systems is perfect, both from technical flaws and from organizational ones?
For incidents where you are responsible for losing data, it's perfectly logical for someone to start with the idea that you are to blame for it. For incidents where someone else does, you have a higher burden of proof to indicate that you should have known that the place was being negligent. In your personal life, you have a lot of companies that store your data because they are the only feasible option and the alternatives are no more likely to be able to guarantee security. For example, the landlord from whom I rent housing probably has more information about me than they really need to keep, and I have no way to confirm that they have stored any of it securely, but I also have no way of guaranteeing that if I were to rent from someone else. This is an unfortunate fact, but if we're going to play the blame game, we have to do a proper analysis of who made which mistake and whether a reasonable company would have known that was likely. Jumping to the conclusion that it's my fault if my landlord's database of identification documents is cracked is letting them off the hook by transferring the blame to someone who could not have prevented it, and you may be doing it with the supplier here as well.
Then it's your fault for using whatever app\service that leaks your data. By your ridiculous logic the end user is responsible for any breach of their data for not making sure that the vendor was secure in all circumstances, which is impossible.
And as I said elsewhere, blaming Okta is stupid. If a user within an organization willingly hands over their credentials as a result of a phish then no system on earth can prevent the breach. Even with MFA. Attackers just keep harassing the end user with "Is it really you trying to login" messages and some users just click "Yes" to stop the barrage or because they are stupid.
We hold regular phishing tests at my place of work. The number of people who enter their credentials into fake login screens, for systems we don't even have, or authorise transactions by clicking "Accept", also for supposed systems we actually don't even have, is insane. People are careless and, if a phish attack works, attackers have user credentials or the user has clicked to download malware.
It's hardly Okta's fault if a third party is breached. Similarly with the phishing attempts. You can put in place all the security you want but if someone falls for a social engineering attack and IT departments at the target sites compromise accounts for the attacker, that is not the fault of Okta. Even if you have MFA in place, prompt fatigue causes people to click "Yes, it was me" when asked for the 3,000th time if it is them trying to login.
The only one of these that might be Okta's fault is the actual breach of their system. Even then, stolen credentials and prompting fatigue causing someone to confirm that it was them trying to login lets attackers walk into any system.
All systems can be breached one way or another.
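The prompt-fatigue pattern described in the two posts above (the attacker bombards the device with "Is it really you?" pushes until someone taps "Yes") has a well-known server-side answer: number matching plus prompt throttling. The following is an added example, not code from the thread, from Okta or from any vendor; the class names, the two-digit number range, the three-prompts-per-five-minutes limit and the in-memory alert list are all assumptions made for the illustration.

```python
"""Added example (not from the thread or from any vendor): the server side of
a push-MFA approval flow hardened against prompt fatigue. Two controls:
  1. number matching: the login screen shows a number that the push never
     contains, so a bare "Yes" tap from a bombarded user proves nothing;
  2. prompt throttling: more than MAX_PROMPTS_PER_WINDOW pushes for one
     account inside WINDOW_SECONDS are refused and raise an alert.
All names and thresholds are assumptions chosen for the example."""
from dataclasses import dataclass, field
import secrets
import time

MAX_PROMPTS_PER_WINDOW = 3   # assumption: pushes allowed per account per window
WINDOW_SECONDS = 300         # assumption: five-minute sliding window


@dataclass
class Challenge:
    user: str
    number: int          # shown on the login screen only, never in the push
    created: float
    consumed: bool = False


@dataclass
class PushMfa:
    challenges: dict = field(default_factory=dict)   # challenge_id -> Challenge
    prompt_log: dict = field(default_factory=dict)   # user -> [timestamps]
    alerts: list = field(default_factory=list)       # what the SOC would see

    def _recent_prompts(self, user, now):
        stamps = [t for t in self.prompt_log.get(user, []) if now - t < WINDOW_SECONDS]
        self.prompt_log[user] = stamps
        return len(stamps)

    def start_login(self, user, now=None):
        """Called after the password check succeeded. Returns (challenge_id,
        number) for the login screen, or None when the account is already
        being bombarded with prompts (the push is suppressed, not sent)."""
        now = time.time() if now is None else now
        if self._recent_prompts(user, now) >= MAX_PROMPTS_PER_WINDOW:
            self.alerts.append(f"{user}: push prompt throttled (possible MFA fatigue attack)")
            return None
        self.prompt_log.setdefault(user, []).append(now)
        cid = secrets.token_hex(8)
        number = secrets.randbelow(90) + 10      # two-digit number, 10..99
        self.challenges[cid] = Challenge(user, number, now)
        return cid, number

    def approve(self, cid, entered_number):
        """Approval coming back from the device. The user must type the number
        displayed on the real login screen; a wrong number consumes the
        challenge and is logged, because an attacker who only triggered the
        push cannot see that screen."""
        ch = self.challenges.get(cid)
        if ch is None or ch.consumed:
            return False                     # unknown or replayed challenge
        ch.consumed = True                   # one attempt per challenge
        if entered_number != ch.number:
            self.alerts.append(f"{ch.user}: approval with wrong number")
            return False
        return True


if __name__ == "__main__":
    mfa = PushMfa()
    cid, number = mfa.start_login("alice")
    print("login screen shows", number, "-> approve:", mfa.approve(cid, number))
    for _ in range(4):                       # simulate a bombardment
        mfa.start_login("alice")
    print(mfa.alerts)
```

The design point is that the secret travels in the opposite direction from the attack: the number goes to the screen the legitimate user is looking at, and the device has to send it back, so the "just tap Yes to make it stop" path no longer completes a login. Throttling turns the bombardment itself into a detection signal rather than a nuisance.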
Yes, the Okta breach is far more important* than 3rd party held employee data going walkies. Breaching Okta or any similar outfit without setting off the alarms will potentially allow far easier access to any number of clients through the front door.
*for everyone else, for the affected staff it's a nightmare.
Hey, guess what? You can outsource your businesses' functions, but you cannot outsource the responsibility for any breaches of your (sub-)contractors and providers.
Yes, IT can only do so much. However, trying to blow off the organization's responsibility by saying, "Oh, well, it was a social engineering attack, what can ya do (Gallic shrug)?" is pure bullshit. It is the organization's responsibility to hire people who are not gullible, and to fire those employees who are gullible. If the organization fails that responsibility, then they ought to bear the full financial consequences, including damages of people whose details are leaked. None of this "We're giving you a free year of credit monitoring, have a nice day." booshwah. As for Okta, they need to be suing their contractors who were breached. "Oh, our contract with Company X specifically excludes such damages." Really? Well, that was a failed gamble on Okta's part, in which case Okta ought to bear the full financial responsibility.
"It is the organization's responsibility to hire people who are not gullible.."
That's just ridiculous. It's never going to happen. Should every data entry clerk have a thorough psych evaluation?
You have no idea about human psychology.
Even Kevin Mitnick was once successfully phished. A 100% phish proof person does not exist.
"A 100% phish proof person does not exist."
Irrespective of that, if an organisation is entrusted with data, it's the organisation's responsibility to keep it safe. If they can't keep it safe they shouldn't have it.
I don't care that many people are gullible - that's the world we live in, but that means the organisation needs multiple layers of security, proper security architectures, proper processes and security resources, and a data officer who makes sure that data is only collected where genuinely needed, is archived offline or deleted as soon as no longer operationally needed, and that repressive access controls are in place.
Even where somebody needs access to data to do their job, the overwhelming majority certainly don't need to download the whole lot of it at once as happens in many data breaches. Such needs do arise, they're exceptional and should be handled as such. Do these companies processing personal data not have proper network monitoring, do they think it's normal for a user account to syphon off an entire database whilst apparently working remotely? Do they not have 2FA so that even user credentials provided by the gullible aren't a blank cheque? Do they really need all that data available 24/7, rather than loaded on user request? Do they not limit remote access sessions and have proper controls on them? And if it's the sysadmin accounts that have been compromised, then clearly the company has hired the wrong calibre of staff.
I once read a book written in the late 1970s about computer systems security. The authors wrote about data-processing operations within a bank, and how certain operations and data-accesses required two people to execute.
Banks (and other companies) probably don't do that any more, because they don't want to pay the "extra" salaries. Companies wanting to do things cheaply is not a valid excuse for failing to protect the data entrusted to them in confidence.
Arthur Dent: "You mean you've got a hold full of frozen hairdressers?"
Captain: "Oh yes, millions of them. Hairdressers, tired TV producers, insurance salesmen, personnel officers, security guards, public relations, executive management consultants, cybersecurity directors and attorneys..."
Because for people like HR and corporate administrators, Daterzekurity is a planet in a distant galaxy, and Data Protection is simply a boring mandatory course to be inflicted upon all employees on a regular basis. Which reminds me, I need to do my annual refresh on GDPR. That'll keep everybody safe!
So many breaches, ransomware or other damaging attacks are down to the absolute basics - data that doesn't need to be routinely accessible at all, data that shouldn't be accessible from outside, data which needs a permanent record but is held in a rewriteable format, user accounts that have excessive permissions, connection monitoring that doesn't flag up gigabytes of data being exfiltrated by accounts that would normally only use a few megabytes, etc etc.
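Both this post and the earlier one asking why nobody notices "a user account syphoning off an entire database" describe the same missing control: a per-account egress baseline. Here is an added example of that check, not code from the thread or from any product; the log line format, the account names, the byte counts, the 20x/5x multipliers and the 50 MB floor are all constructed for the illustration. It also applies a tighter multiplier to accounts marked as privileged, which goes slightly beyond what the post says but matches the later point about high-level accounts needing extra monitoring.

```python
"""Added example (not from the thread or any vendor): flag accounts whose
daily egress volume is far above their own history. Sample log lines,
account names and thresholds are constructed for the example."""
from collections import defaultdict
from statistics import median

# Constructed daily egress summaries, one line per account per day.
SAMPLE_LOG = """\
2023-10-01 account=jsmith bytes_out=2400000
2023-10-02 account=jsmith bytes_out=3100000
2023-10-03 account=jsmith bytes_out=1900000
2023-10-04 account=jsmith bytes_out=2700000
2023-10-05 account=jsmith bytes_out=4300000000
2023-10-01 account=svc-backup bytes_out=120000000000
2023-10-02 account=svc-backup bytes_out=118000000000
2023-10-03 account=svc-backup bytes_out=121000000000
2023-10-04 account=svc-backup bytes_out=119000000000
2023-10-05 account=svc-backup bytes_out=125000000000
2023-10-01 account=dbadmin bytes_out=5000000
2023-10-02 account=dbadmin bytes_out=6000000
2023-10-03 account=dbadmin bytes_out=4000000
2023-10-04 account=dbadmin bytes_out=5500000
2023-10-05 account=dbadmin bytes_out=60000000
2023-10-04 account=newhire bytes_out=1000000
2023-10-05 account=newhire bytes_out=2000000
"""

PRIVILEGED = {"dbadmin"}                      # assumption: admin-type accounts
MULTIPLIER = {"default": 20.0, "privileged": 5.0}   # times the account's median
MIN_BYTES = 50_000_000      # assumption: ignore small volumes however "unusual"
MIN_HISTORY_DAYS = 3        # assumption: need this much history for a baseline


def parse_line(line):
    """'2023-10-05 account=jsmith bytes_out=4300000000' -> (day, account, bytes)."""
    day, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return day, kv["account"], int(kv["bytes_out"])


def daily_totals(lines):
    """account -> {day -> bytes}, summing repeated lines for the same day."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if not line.strip():
            continue
        day, account, nbytes = parse_line(line)
        totals[account][day] += nbytes
    return totals


def check_day(lines, day):
    """Compare each account's egress on `day` against the median of its earlier
    days. Returns one finding dict per account that exceeds its multiplier,
    plus a 'no baseline' note for accounts too new to judge."""
    findings = []
    for account, by_day in daily_totals(lines).items():
        today = by_day.get(day)
        if today is None:
            continue
        history = [v for d, v in by_day.items() if d < day]   # ISO dates sort as strings
        if len(history) < MIN_HISTORY_DAYS:
            findings.append({"account": account, "day": day, "bytes": today,
                             "baseline": None, "ratio": None, "reason": "no baseline"})
            continue
        baseline = median(history)
        tier = "privileged" if account in PRIVILEGED else "default"
        ratio = today / baseline
        if today >= MIN_BYTES and ratio > MULTIPLIER[tier]:
            findings.append({"account": account, "day": day, "bytes": today,
                             "baseline": baseline, "ratio": ratio,
                             "reason": f"{tier} account above {MULTIPLIER[tier]:g}x median"})
    return findings


def flagged_accounts(lines, day):
    """Just the accounts whose volume crossed the threshold (no-baseline notes excluded)."""
    return {f["account"] for f in check_day(lines, day) if f["baseline"] is not None}


if __name__ == "__main__":
    for f in check_day(SAMPLE_LOG.splitlines(), "2023-10-05"):
        print(f)
```

The point of a per-account baseline rather than a single global limit is visible in the sample: the backup service account moves over a hundred gigabytes every day and is never flagged, while a user who normally sends a couple of megabytes and suddenly sends 4.3 GB is, and the privileged account trips at a much smaller multiple. Accounts with no usable history are reported separately rather than silently passed.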
"data that shouldn't be accessible from outside"
No one deliberately makes such data available on the outside. That's what "breach" means. If attackers get into a network or obtain the credentials of someone with a legitimate need to access the data then they get internal data.
Some of your other concerns are valid but there will always be cases where someone breaches a high level user account.
"Some of your other concerns are valid but there will always be cases where someone breaches a high level user account."
High level accounts should be a focus of additional training, additional security, additional monitoring, as well as still having access controls. It does seem that for too many companies there's high level accounts that amount to being given the ability to exfiltrate in plain text huge amounts of data that the account holder doesn't need visible to them in the normal course of business.
You do seem rather fatalistic here, to the extent that it comes across that you don't blame companies for giving data to third parties that get breached, you're fatalistic that users will always get pwned, that even admin accounts will be accessed. Why not just publish it all to the internet and be done with it?
So, when your customer calls in or applies for another service, you expect whoever answers the call to say "Hold on while I just go and get your paper file\CD\DVD, or whatever other off-line storage device might be employed. It should only take me an hour to find it."?
You might be prepared to wait for the sake of security but the average customer is not. Convenience for the customers - who demand that convenience. That's why data is held in discoverable ways.
Customer facing employees need immediate access to data to be able to confirm identity while you are on a call, for example, or in order to change it. Do you want emails\paper communications going to the wrong address?
Departments like HR need to keep social security numbers (in the US), dates of birth, addresses and bank details (how will they pay you without those?). They will also keep details of qualifications, next of kin, in case of emergency, emergency contact numbers. All have to be readily available otherwise delays occur, which customers will not accept, and costs go up - filing clerks make a return - which again, customers will not accept.
My employer does not have my bank details. It does not need to have them. Each two weeks, they print me a check, and a pay stub, and hand it to me during lunch break. I take my check to a branch office of my bank, hand it to a teller, and have them deposit it into my bank account.
I also carefully look at my receipt. The last time I deposited my check, I was reading my receipt as I was walking toward the exit, stopped, turned around, went back to the teller, and said, "Excuse me, please look at the amount shown on my pay stub here and tell me what it is. My eyes aren't what they used to be." He did so. The number he read off was approximately a hundred dollars less than the deposit amount shown on my receipt. With my approval, he reversed the original deposit transaction, and created a new one, with the correct amount (as shown on the check), and gave me a new receipt.
His supervisor said they sometimes have trouble with their scanning machines (which OCR-scan the check).