What do the DNC hacks and the current attempts by hackers to interfere with the French election have in common?
Give up? They both use Open Authorization (or OAuth) to gain what many would consider excessive levels of information about users, and various news outlets featured stories on each recently.
So What’s This About OAuth and Hacking?
Infamous hacking group Fancy Bear (alternately known as Pawn Storm and APT 28), believed to be behind the DNC hacks, has been using OAuth-connected, third-party cloud apps to support their attacks.
Fancy Bear is now suspected of interfering with the current presidential election in France. In short, OAuth-connected cloud apps are continuing to gain recognition as an unusual and highly risky threat vector.
What Exactly is a Connected Third-Party App? Why Are They Dangerous?
Cisco Cloudlock has discovered over 275,000 unique, OAuth-connected cloud applications, with organizations having an average of 750 unique OAuth-enabled applications in their environment.
As reported in the Q2 2016 Cloud Cybersecurity Report, over one in four of these applications are considered high-risk due to the extremely high level of permissions users grant to them, often including full access to the files within their cloud environment and the ability to modify, delete, and externalize those files.
Some applications are benign in intent but request excessive permissions to function, while others are malicious in intent, aimed at leveraging the permissions granted to them to accomplish nefarious tasks.
The danger is only increased by the fact that standard best practices and security tools won’t help. The risk of the applications is unique, as they may be self-enabled (or “connected”) off the corporate network.
This off-network, cloud-to-cloud traffic is a blind spot for the vast majority of organizations today. Changing passwords, meanwhile, won’t solve the problem, as these applications persist until the token they have been granted is removed.
What Can Be Done?
Cisco Cloudlock (formerly CloudLock) has been defending against malicious and excessively privileged OAuth-connected applications for years. As a cloud-native, API-based Cloud Access Security Broker (CASB), Cisco Cloudlock offers Apps Firewall, which enables organizations to gain visibility into and control over this incredibly risky form of Shadow IT.
Cisco Cloudlock provides intelligence to assess application risk, including the access scope of the application, a risk level score, and the Community Trust Rating (CTR), a crowdsourced security risk rating of third-party applications based on anonymized user data (how many users have trusted versus banned the application).
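To make the three signals above concrete (access scope, a risk score, and a trust-versus-ban community rating), here is an added example that scores a handful of OAuth grants and lists the ones whose tokens should be revoked. It is illustrative code written for this post, not Cloudlock's scoring model or Apps Firewall; the scope weights, the score thresholds, and the sample grants (modelled loosely on Google Workspace token records, with fictional apps and users) are all assumptions.

```python
from dataclasses import dataclass

# Assumed per-scope risk weights (illustrative, not Cloudlock's model). Broad
# read/write scopes on mail and files weigh most: they allow an app to read,
# delete and externalise data, which is what the post calls high-risk.
SCOPE_WEIGHTS = {
    "https://mail.google.com/": 40,                       # full Gmail read/write/send
    "https://www.googleapis.com/auth/drive": 40,          # full Drive read/write/share
    "https://www.googleapis.com/auth/drive.readonly": 20,
    "https://www.googleapis.com/auth/gmail.readonly": 20,
    "https://www.googleapis.com/auth/drive.file": 5,      # only files the app itself opened
    "https://www.googleapis.com/auth/userinfo.email": 1,
}

@dataclass
class Grant:
    user: str
    client_id: str
    app_name: str
    scopes: list
    trusted: int  # community "trust" votes (constructed CTR-style input)
    banned: int   # community "ban" votes

def scope_score(scopes):
    # Unrecognised scopes get a moderate weight: unknown is not the same as safe.
    return min(100, sum(SCOPE_WEIGHTS.get(s, 10) for s in scopes))

def community_modifier(trusted, banned):
    # Crowd-sourced signal: widely banned apps push the score up, widely trusted ones down.
    total = trusted + banned
    return 0 if total == 0 else round(30 * (banned - trusted) / total)

def risk_level(grant):
    score = scope_score(grant.scopes) + community_modifier(grant.trusted, grant.banned)
    score = max(0, min(100, score))
    level = "high" if score >= 60 else "medium" if score >= 25 else "low"
    return level, score

def revocation_candidates(grants):
    # A password reset does not touch these tokens; the fix is revoking the grant itself.
    return [(g.user, g.app_name) for g in grants if risk_level(g)[0] == "high"]

# Constructed sample grants: fictional apps, users and client ids.
SAMPLE_GRANTS = [
    Grant("alice@example.com", "1001.apps.example", "Mail Merge Pro",
          ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"], trusted=3, banned=40),
    Grant("bob@example.com", "1002.apps.example", "Diagram Editor",
          ["https://www.googleapis.com/auth/drive.file",
           "https://www.googleapis.com/auth/userinfo.email"], trusted=500, banned=2),
    Grant("carol@example.com", "1003.apps.example", "Inbox Stats",
          ["https://www.googleapis.com/auth/gmail.readonly"], trusted=5, banned=15),
]
```

Feeding the real grant inventory exported from the cloud platform's admin API into `revocation_candidates` gives a revocation list that survives any number of password changes.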