The SaaS market has grown by over 1,000% in the last 12 years to a point where the average organization now has some 843 SaaS applications. Unfortunately, most organizations’ cybersecurity has failed to keep pace.
While administrators are trained to watch out for third-party applications in general, they usually regard the top business systems as secure from intrusion, assuming everything in the Microsoft Apps garden remains safe and secure.
Lulled by complacency, they are often unaware of exactly which apps are connected to the corporate system. Salesforce users can, for example, “connect” an app without actually installing it. Although they can use the app, the information gets logged under the user, not the application, which makes it difficult to track or to detect and investigate issues.
So if a user re-installs an app without disconnecting first, this does not typically invalidate the old API key. If the key has been lost, leaked, or stolen, reinstalling the app won’t close the vulnerability. The old tokens are now also concealed and not easily accessible to the user via the interface, so the product owner may even be unaware of their existence. Administrators must stay aware of lost, leaked or stolen keys so that they can revoke them immediately.
However, most organizations lack the macro- and micro-visibility needed to secure their systems fully. Security team need macro-visibility to see which shadow SaaS services they have at any given time. Most companies rarely have a full grasp of all their connected third-party applications or where API tokens are shared. Security teams also need micro-visibility to understand what each SaaS service does and what permissions it has. For example, read-write access to a sales enablement tool can sync, unchallenged, to Salesforce.
Without this visibility, administrators have no clear picture of how their rapidly expanding ecosystem of applications behaves and whether they are missing malicious activity. This problem has now become far more widespread than most administrators realize. North Carolina State University recently scanned 13% of all public GitHub repos and found over 100,000 of them contained API keys and cryptographic tokens, which hackers can use to extract data from those respective systems.
Threat actors have long managed to compromise users of even the best-known and most trusted systems to execute expert third-party attacks. In 2019, a misconfiguration in the popular Jira project management software exposed a great deal of data on hundreds of companies; among those exposed were NASA, Google, Yahoo, Gojek, HipChat, Zendesk, Sapient, Dubsmash, Western Union, Lenovo, 1Password, Informatica, the United Nations, and the governments of Canada and Brazil. Worse, the exposed URLs were crawled by Google – and that’s how a whistleblower discovered the sensitive data.
What’s now referred to as “Ghost SaaS” has become far more common than most cybersecurity professionals realize. Dozens of online platforms, both SaaS and social networks, have merged, changed direction, or shut down completely over the years. There’s a constant, active darknet market for sales of defunct online platforms open to threat actors of all kinds seeking entry points into every type of organization. The stock of redundant platforms constantly gets renewed as services go out of business, sell their assets, or simply forget to renew a domain.
Security teams need to start by discovering what SaaS services the staff actually uses. Then determine if those services – their purpose, location, ownership – have changed. If that’s the case, then vet them once again. If they are insecure then security teams have no alternative but to stop their usage in the organization immediately.
Although security teams must communicate directly with staff to retain caution when dealing with all types of third-party apps, they should consider using an automated intelligent system that will examine all connections in and out of the organization’s network, even connecting to the domains of ghost SaaS platforms.
The argument for encouraging staff to use SaaS applications from trustworthy developers has become overwhelming in terms of increased efficiencies and cost control. But, in doing so, companies across all sectors expose themselves to countless unforeseen vulnerabilities to today’s increasingly professional and well-organized cyber criminals. Moving forward, it’s now crucial for all types of organization to conduct immediate, comprehensive and ongoing monitoring of all SaaS applications connected to the corporate network.
Misha Seltzer, co-founder and CTO, Atmosec
