Credential leaks remain among attackers' most-used intrusion tactics. In 2023 Kaspersky Digital Footprint Intelligence experts discovered on the darknet more than 3100 ads offering access to corporate resources, some of them owned by Fortune 500 companies. To manage the related risks more effectively, reduce the number of vulnerable accounts, and detect and block unauthorized access attempts faster, companies are adopting identity management systems, which we covered in detail previously. However, an effective identity management process isn't feasible until most corporate systems support unified authentication. Internal systems usually rely on a centralized directory, such as Active Directory, for unified authentication, while external SaaS systems talk to the corporate identity directory via a single sign-on (SSO) platform, which can be located externally or hosted in the company's own infrastructure (such as ADFS).
For employees, it makes the login process as user-friendly as it gets. To sign in to an external system, such as Salesforce or Concur, the employee completes the standard authentication procedure, which includes entering a password and submitting a second authentication factor: a one-time password, USB token, or something else, depending on the company's policy. No other logins or passwords are needed. Moreover, after you sign in to one of the systems in the morning, you'll be authenticated in the others by default. In theory the process is secure, since the IT and infosec teams have full centralized control over accounts, password policies, MFA methods, and logs. In real life, however, the standard of security implemented by external systems that support SSO may prove not so high.
SSO pitfalls
When the user signs in to a software-as-a-service (SaaS) system, the system's server, the user's client device, and the SSO platform go through a series of handshakes as the platform validates the user and issues the SaaS and the device with authentication tokens that confirm the user's permissions. The token can carry a range of attributes from the platform that have a bearing on security. These may include the following:
- Token (and session) expiration, which requires the user to authenticate again
- Binding to a specific browser or mobile device
- Specific IP addresses or IP range limits, which enable things like geographic restrictions
- Additional conditions for session expiration, such as closing the browser or signing out of the SSO platform
The main issue is that some cloud providers misinterpret or even ignore these restrictions, thus undermining the security model built by the infosec team. On top of that, some SaaS platforms have inadequate token validity controls, which leaves room for forgery.
How SSO implementation flaws are exploited by malicious actors
The most common scenario is some form of token theft. This can be stealing cookies from the user's computer, intercepting traffic, or capturing HAR files (traffic archives). The same token being used on a different device and from a different IP address should normally be a strong enough signal for the SaaS platform to require revalidation and possibly reauthentication. In the real world, though, malicious actors often successfully use stolen tokens to sign in to the system on behalf of the legitimate user, while circumventing passwords, one-time codes, and other infosec protections.
Another common scenario is targeted phishing that relies on fake corporate websites and, if required, a reverse proxy like evilginx2, which steals passwords, MFA codes, and tokens too.
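The difference between a SaaS side that enforces the platform's token restrictions and one that ignores them is easiest to see in code. The following is an added example, not code from the original article or from any SSO platform or vendor: it issues a token that carries the attributes listed in the previous section (expiration, device binding, an allowed IP range) under a placeholder HMAC key, then checks the same token with a lenient validator that only looks at the signature and a strict one that enforces every claim. The token format, claim names and values are all constructed for the example; a real SSO platform would issue SAML assertions or JWTs with its own claim set.

```python
import base64
import binascii
import hashlib
import hmac
import ipaddress
import json

# Constructed example: the SSO platform signs tokens with a shared secret. This is a placeholder,
# not a real key; a real deployment would use the platform's own signing keys.
SSO_SIGNING_KEY = b"placeholder-shared-secret-not-a-real-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, device_id: str, allowed_cidr: str, lifetime_s: int, now: float) -> str:
    """Issue an HMAC-signed token carrying the restrictions the article lists (constructed format)."""
    claims = {
        "sub": subject,
        "exp": int(now) + lifetime_s,   # token/session expiration
        "device_id": device_id,         # binding to a specific browser or device
        "allowed_cidr": allowed_cidr,   # IP range limit, which enables geographic restrictions
    }
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SSO_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def _parse(token: str) -> tuple:
    """Return (claims, signature_ok). Malformed tokens yield ({}, False); compare is constant-time."""
    try:
        body, _, sig_text = token.partition(".")
        expected = hmac.new(SSO_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        sig_ok = hmac.compare_digest(expected, _b64url_decode(sig_text))
        return json.loads(_b64url_decode(body)), sig_ok
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return {}, False


def lenient_validate(token: str, device_id: str, client_ip: str, now: float) -> bool:
    """Models a SaaS provider that ignores the platform's restrictions: only the signature is checked,
    so a stolen token replayed from another device and IP is accepted."""
    _, sig_ok = _parse(token)
    return sig_ok


def strict_validate(token: str, device_id: str, client_ip: str, now: float) -> bool:
    """Enforce every restriction the SSO platform put into the token."""
    claims, sig_ok = _parse(token)
    if not sig_ok:
        return False  # forged, tampered or malformed token
    if now >= claims["exp"]:
        return False  # expired: the user has to authenticate again
    if claims["device_id"] != device_id:
        return False  # presented from a different browser or device than it was issued to
    if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(claims["allowed_cidr"]):
        return False  # outside the permitted IP range
    return True


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = issue_token("alice", "browser-A", "203.0.113.0/24", 3600, t0)
    # Same token presented from a different device and IP: lenient accepts, strict rejects.
    print("lenient:", lenient_validate(tok, "browser-B", "198.51.100.7", t0 + 60))
    print("strict: ", strict_validate(tok, "browser-B", "198.51.100.7", t0 + 60))
```

The signature check alone is what the lenient validator has in common with the strict one; everything the strict validator adds is exactly the list of attributes a SaaS provider can "misinterpret or ignore". When assessing a vendor, asking which of these checks their token validation performs is a concrete way to turn the article's questions about "restrictions, validation, expiration, and revocation" into a yes/no checklist.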
Improving SSO security
Examine your SaaS vendors. The infosec team can add the SaaS provider's SSO implementation to the list of questions that vendors are required to answer when submitting their proposals. Specifically, these are questions about honoring the various token restrictions, and about token validation, expiration, and revocation. Further examination steps can include application code audits, integration testing, vulnerability assessment, and pentesting.
Plan compensatory measures. There are a number of ways to prevent token manipulation and theft. For example, the use of EDR on all computers significantly lowers the risk of being infected with malware or redirected to a phishing site. Mobile device management (EMM/UEM) can sort out mobile access to corporate resources. In certain cases, we recommend barring unmanaged devices from corporate services.
Configure your traffic analysis and identity management systems to look at SSO requests and responses, so that they can identify suspicious requests that originate from unusual client applications or atypical users, from unexpected IP address zones, and so on. Tokens that have excessively long lifetimes can be addressed with traffic control as well.
Insist on a better SSO implementation. Many SaaS providers view SSO as a customer amenity, and a reason for offering a more expensive "enterprise" plan, while information security takes a back seat. You can partner with your procurement team to get some leverage over this, but things will change rather slowly. While talking to SaaS providers, it's never a bad idea to ask about their plans for upgrading the SSO feature, such as support for the token restrictions mentioned above (geoblocking, expiration, and so on), or any plans to transition to newer, better-standardized token exchange protocols, such as JWT or CAEP.
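The traffic-analysis recommendation above (suspicious requests from unusual clients, from unexpected IP zones, and tokens with excessively long lifetimes) can be implemented as a small detection pass over SSO access logs. The following is an added example, not code from the original article or from any product: it runs over a constructed log sample in a made-up format (timestamp, user, session id, client IP, user agent) and flags sessions that are used from outside the assumed corporate egress range, from a client that is not the assumed managed browser, from more than one IP address, or for longer than an assumed 12-hour policy limit. The ranges, client name and threshold are all assumptions to be replaced with the organization's own values.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSO access log (not from any real platform). Session sess-1001 is later
# replayed from a second IP with a non-browser client; sess-2002 stays valid for two days.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice sess-1001 203.0.113.10 CorpBrowser/120
2024-03-01T08:40:27Z alice sess-1001 203.0.113.10 CorpBrowser/120
2024-03-01T09:15:03Z alice sess-1001 198.51.100.77 curl/8.4
2024-03-01T08:05:40Z bob sess-2002 203.0.113.22 CorpBrowser/120
2024-03-03T10:00:00Z bob sess-2002 203.0.113.22 CorpBrowser/120
"""

# Assumed values: the office/VPN egress range, the managed browser's user-agent prefix,
# and the maximum session lifetime the infosec policy allows.
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_CLIENTS = ("CorpBrowser/",)
MAX_SESSION_LIFETIME = timedelta(hours=12)


def parse_log(text: str) -> list:
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, session, ip, agent = line.split(maxsplit=4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "session": session,
            "ip": ip,
            "agent": agent,
        })
    return events


def find_suspicious(events: list) -> list:
    """Return a sorted list of (session_id, reason) findings."""
    findings = set()
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
        # Request from an IP zone where this organization's users are not expected.
        if not any(ipaddress.ip_address(e["ip"]) in net for net in CORPORATE_RANGES):
            findings.add((e["session"], "ip_outside_expected_zone"))
        # Request from a client application other than the managed browser.
        if not e["agent"].startswith(KNOWN_CLIENTS):
            findings.add((e["session"], "unusual_client"))
    for session, evs in by_session.items():
        # One session token presented from several IP addresses: the replay signal the
        # SaaS platform should itself react to, surfaced here in case it does not.
        if len({e["ip"] for e in evs}) > 1:
            findings.add((session, "session_used_from_multiple_ips"))
        # Session observed for longer than policy allows: the provider's expiration is too lax.
        evs.sort(key=lambda e: e["ts"])
        if evs[-1]["ts"] - evs[0]["ts"] > MAX_SESSION_LIFETIME:
            findings.add((session, "session_lifetime_exceeds_policy"))
    return sorted(findings)


if __name__ == "__main__":
    for session, reason in find_suspicious(parse_log(SAMPLE_LOG)):
        print(session, reason)
```

Each finding maps to one of the recommendations in the paragraph above, so the output can feed an identity management system's step-up or revocation workflow directly. In practice the log source would be the SSO platform's or reverse proxy's own access log rather than this constructed format, and the session-lifetime check is the one that most often reveals a provider whose expiration handling does not match the platform's settings.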