Multifactor Authentication Shouldn’t Be Optional – Source: www.databreachtoday.com

Cloud Security
,
Identity & Access Management
,
Security Operations

Cloud Customers Should Demand More Security From Providers

Mathew J. Schwartz
(euroinfosec)

•
July 11, 2024    

The theft of terabytes of Snowflake customers’ data through credential stuffing hacks highlights how multifactor authentication shouldn’t be optional for safeguarding accounts.

See Also: Identity Security Clinic

The Montana data warehousing company now stands as a case study in the perils of not requiring all accounts to be secured using MFA and not giving admins the tools they need to monitor for such attacks.

Beginning in April, attackers who appear to have been financially motivated executed a campaign against Snowflake’s customers. They took username and password pairs obtained from other sources such as info stealers and data leaks and tested them out against Snowflake’s login screen to see which ones worked.

Snowflake did offer MFA to users via the Cisco Duo app but until just days ago, it didn’t allow administrators to make it mandatory. That changed Tuesday, when Snowflake announced a slew of free, post-breach security improvements plus better tools for identifying suspicious behavior. The company said MFA will also be active by default for all new accounts and promised to regularly nudge existing users who fail to activate it (see: After Customers Get Breached, Snowflake Refines Security).

“Bravo for them. Sad that it took major hacking for them to move in this direction,” said Ian Thornton-Trump, CISO of Cyjax.

Automotive parts supplier Advance Auto Parts this week reported it’s notifying 2.3 million individuals that their personal information, in some cases including Social Security numbers, was exposed via the breach of its Snowflake account. Other publicly named Snowflake customers who lost data include Santander Bank, the Los Angeles Unified School District, luxury retailer Neiman Marcus and Live Nation Entertainment’s Ticketmaster (see: Victims of Snowflake Data Breach Receive Ransom Demands).

Using MFA isn’t foolproof, but does help stop many types of attacks. Not using MFA has been a factor in numerous major breaches, including attacks against Australian private health insurer Medibank, UnitedHealth Group’s Change Healthcare unit and genetic testing service 23andMe.

“We have gone a long way from having MFA as an optional feature,” Thornton-Trump said. “Do or do not – there is no try – and we now must do MFA.”

How long will it take vendors that don’t offer such capabilities to feel the force of MFA?

“It is clear from recent breaches that having MFA available to your clients is table stakes for any cloud service provider,” said Brian Honan, head of Dublin-based cybersecurity consultancy BH Consulting. “Sadly, not all cloud service providers have MFA solutions in place or indeed, in many cases, MFA is an optional extra that incurs additional charges.”

Whatever a vendor’s contract might specify, as soon as a provider takes a customer’s money, protecting the customer’s data – as well as helping them to do so – becomes mandatory, Thornton-Trump said.

“If you look at many of these credential breach types of attacks, we’re not even talking super-sophisticated APT stuff,” he said. “This all comes down to being able to brute-force credentials on either unmonitored or poorly configured portals that don’t have account lockout after so many failed attempts, no kind of blocking for a particular IP address and so on. We’re better at protecting websites from nasty things using CDNs and web application firewalls than we are our basic customer service-facing portals.”

When such breaches result, arguably not only customers but also service providers are at fault.

“It’s difficult to define proportions of accountability, but what is clear is that security is a joint responsibility,” data breach expert Troy Hunt, founder of the free Have I Been Pwned? breach notification service, recently told me. “If credentials have been obtained by shortcomings on behalf of the customer then that’s on them but equally, platforms like Snowflake need to work on the assumption that these attacks are common and provide resilience against them.”

Customers: Demand More

Examples of more widespread security shortcomings abound. The nation-state hacking campaign against Microsoft 365 users, including the U.S. government, that came to light last year revealed that many licensing options lacked key security features. “At a very basic level, many of those plans don’t have logging capabilities. So, you have your data in the cloud, you can’t see what’s going on, and this is a big problem. It’s a big issue,” said Honan, who founded Ireland’s first computer emergency response team.

Customers must demand robust identity and authentication as a basic level of service, he said. “It is time that customers use their spending power to demand better security solutions from their cloud service providers and that cloud service providers step up to the mark in the area of security.”