As remote work becomes a more permanent practice, the country’s top cybersecurity agency is warning that poor cyber hygiene can make an organization’s cloud service configuration ripe for adversarial attacks.
An analysis report released Wednesday by the Cybersecurity and Infrastructure Security Agency outlines security practices for organizations that use cloud services, drawing on incident reports from recent successful cyber attacks.
“These types of attacks frequently occurred when victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services,” the report reads. “Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks.”
The analysis was not explicitly tied to the SolarWinds Orion software compromise, though CISA has been assisting agencies and other affected organizations with the fallout from that attack.
The most common attack types include phishing and brute force login attempts. Once inside the system, the malicious actors redirected emails to their own accounts, searched for sensitive keywords and set up systems to prevent legitimate users from seeing phishing warnings. In one incident, attackers used stolen session cookies to bypass multi-factor authentication protocols.
While organizations are always at risk of these types of attacks, remote-work practices such as forwarding emails from a professional to a private account and accessing the corporate system on an easily hacked home network increase vulnerabilities.
CISA offered 21 recommendations for organizations to strengthen their cloud security practices. They included establishing a baseline for normal network activity, reviewing user-created email forwarding rules, enforcing multi-factor authentication and creating blame-free employee reporting for suspicious activity. CISA also offered four additional recommendations for users of Microsoft Office 365, whose suite of cloud-based products was caught up in the SolarWinds breach.
The Microsoft-specific recommendations include setting a limit for unsuccessful login attempts and using tools to investigate and audit breaches.