The average number of SaaS apps is now at 89 per organization, according to Okta, up 24% since 2016. All of those apps have become one of the most critical cybersecurity challenges, and a new report emphasizes just how vulnerable they are.
In its annual SaaS Application Security Insights (SASI) report, SaaS Alerts said it analyzed 136 million SaaS security events in 2021 and found that the most common critical SaaS alerts were geographical violations, connections to third-party apps, and multiple account lockouts, and that guest accounts and file sharing are leading causes of unnecessary security risk.
SaaS Alerts looked at more than 2,000 SMBs for the report, and because the company’s SaaS app security and management platform is only available through the MSP channel, the data is specifically focused on SMBs served by managed service providers (MSPs).
Russia and China Top Threats
The report found that the most successful unauthorized logins came from Russia, with China, Vietnam, Korea and Brazil the next largest sources (see chart below). These attacks – using valid credentials – are difficult to identify without behavioral tracking and geographical whitelisting, the report says.
While some of those attacks may be state-sponsored, many come from less sophisticated hackers who find it easier to acquire the necessary skills. And some governments – particularly Russia – have allowed cyber criminal groups to operate from their country in exchange for cooperation and promises not to attack the host country. Ragnar Locker ransomware, for example, terminates when it encounters a machine located in one of the former USSR countries.
Most Common Critical Alerts
The most common critical alert, “User Location: outside of approved location,” is when there is a successful login to a user account from outside an approved location or IP address range. While those alerts are sometimes false positives due to incorrect configuration of approved locations or unexpected user travel, they nonetheless indicate a high probability that a malicious actor has succeeded in compromising an account, says the report.
“SaaS Integration Alert” indicates that account credentials were used to connect to a third-party application, which can lead to the sharing of data and other account information between SaaS apps.
“Users often establish these connections for convenience without regard to potential security breaches,” the report said.
“Multiple Account Lockouts” refers to accounts that have been locked out four or more times in a 12-hour period. For an account to be locked means that “the malicious actors have succeeded in verifying a correct account name, and they are actively (usually programmatically) trying password combinations to gain access to the account,” says the report.
There were approximately 10,000 brute force attacks against the nearly 130,000 MSP user accounts monitored by SaaS Alerts.
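As an added illustration (not code from the SaaS Alerts report), the two alerts described above, the out-of-approved-location login and the four-lockouts-in-12-hours rule, written as detections over constructed SaaS audit events; the approved countries and IP ranges are assumed values a tenant would configure.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample audit events: (timestamp, user, event, source IP, country).
EVENTS = [
    ("2021-03-01T08:05:00", "bob", "account_locked", "198.51.100.9", "RU"),
    ("2021-03-01T10:30:00", "bob", "account_locked", "198.51.100.9", "RU"),
    ("2021-03-01T13:00:00", "bob", "account_locked", "198.51.100.10", "RU"),
    ("2021-03-01T19:55:00", "bob", "account_locked", "198.51.100.10", "RU"),
    ("2021-03-01T00:00:00", "eve", "account_locked", "198.51.100.30", "BR"),
    ("2021-03-01T05:00:00", "eve", "account_locked", "198.51.100.30", "BR"),
    ("2021-03-01T10:00:00", "eve", "account_locked", "198.51.100.30", "BR"),
    ("2021-03-01T14:00:00", "eve", "account_locked", "198.51.100.30", "BR"),
    ("2021-03-01T22:15:00", "carol", "login_success", "198.51.100.20", "VN"),
    ("2021-03-01T23:00:00", "frank", "login_success", "203.0.113.50", "GB"),
    ("2021-03-01T23:30:00", "alice", "login_success", "10.20.0.5", "US"),
]

# Assumed approved locations: a country allow-list plus corporate/VPN IP ranges.
APPROVED_COUNTRIES = {"US"}
APPROVED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
LOCKOUT_THRESHOLD = 4                  # report: four or more lockouts ...
LOCKOUT_WINDOW = timedelta(hours=12)   # ... within a 12-hour period

def location_violations(events):
    """'User Location' alert: successful logins from outside the approved
    countries whose source IP is also outside the approved ranges (a travelling
    user coming in over the corporate VPN range is therefore not flagged)."""
    return [(user, ip, country) for _ts, user, kind, ip, country in events
            if kind == "login_success" and country not in APPROVED_COUNTRIES
            and not any(ip_address(ip) in net for net in APPROVED_NETWORKS)]

def multiple_lockouts(events):
    """'Multiple Account Lockouts' alert: a user with LOCKOUT_THRESHOLD or more
    lockouts inside any sliding LOCKOUT_WINDOW. Returns the flagged users."""
    per_user = defaultdict(list)
    for ts, user, kind, *_ in events:
        if kind == "account_locked":
            per_user[user].append(datetime.fromisoformat(ts))
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):        # drop lockouts older than the window
            while t - times[start] > LOCKOUT_WINDOW:
                start += 1
            if end - start + 1 >= LOCKOUT_THRESHOLD:   # enough lockouts in window
                flagged.add(user)
                break
    return flagged
```

In the sample data bob's four lockouts fall within 11h50m and are flagged, while eve's four are spread over 14 hours and are not.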
Guest Accounts, File Sharing are Risks
Other common vulnerabilities include guest user accounts – the report found that 42% of monitored accounts are guest accounts – and file sharing activity.
Organizations should set up guest accounts with the minimum required access and permissions, continuously monitor the activity of these accounts, and disable guest accounts once they have served their intended purpose, says SaaS Alerts.
Companies should also monitor SaaS file sharing activity “to determine if users are effectively and safely using document creation and file sharing,” the report said. “End users should be trained to ensure they terminate ‘old’ share links to maintain proper security hygiene and reduce risk.”
Office 365 is the Most Attacked App
Not surprisingly given its size, Office 365 keeps security pros busy, with more than 110 million events, nearly 1% of which trigger alerts. Google Workspace, Salesforce and Dropbox follow in terms of security activity.
‘Major Security Misconfiguration’ in ServiceNow
SaaS security provider AppOmni reported that 70% of the ServiceNow instances it tested were found to leak data through incorrect customer Access Control List (ACL) configurations.
AppOmni Offensive Security Researcher Aaron Costello discovered that ServiceNow’s external interfaces were exposed to the public in a way that could allow a malicious actor to extract sensitive data from records.
The issue was defined as a “misconfiguration” resulting from a combination of customer-managed ServiceNow ACL configurations and excessive granting of permissions to guest users, AppOmni said.
‘These types of misconfigurations are common on major SaaS platforms’
“These types of misconfigurations are common on major SaaS platforms because of the complexity that inevitably comes with the high level of functionality, flexibility, and extensibility of SaaS,” the company said.
“Securing SaaS is more complex than just checking a few settings that enable strong authentication for users,” AppOmni CEO and co-founder Brendan O’Connor said in a statement. “SaaS platforms have become business operating systems because they are very flexible and powerful. There are many valid reasons for workloads and applications running on a SaaS platform to interact externally, such as integration with emails and text messages or hosting a support portal for your customers.
“SaaS adoption increased during the pandemic but unfortunately, investments in people, processes, and technology to secure and monitor SaaS did not continue,” O’Connor added. “In the AppOmni experience, significant data exposures like this are more common than customers realize.”
Organizations have long used Role-Based Access Control (RBAC) to provide permissions for users to access resources on a SaaS platform, the company said.
“An important aspect of RBAC is the ability to allow public access to information within your ‘database,’ which can be a forum, online shop, customer support site, or knowledge base. The challenge is ensuring the right level of access when organizations update or customize SaaS applications or onboard new users.”