Saas Applications: the hidden threat in plain sight

Saas Applications: the hidden threat in plain sight

Cryptocurrency holdings targeted by HubSpot hackers

On March 18, 2022, HubSpot discovered that a bad actor, using a compromised HubSpot employee account, breached almost 30 portals of its clients. The attack seems to have been targeted at HubSpot customers in the cryptocurrency industry.

The companies affected by the breach have said their operations were not affected and they have not lost any funds.

How might you feel if your cryptocurrency was stored with one of those companies? Disquieted, at the least. And so the lingering questions and disquiet in those firms, and among their clients, are object lessons in the importance of guarding any SaaS against hackers.

When businesses subscribe to a SaaS service, they want to trust that security issues are buttoned up, keeping their data, customers, and finances safe. But MSPs, and indeed any business, should be aware of some risks from any SaaS – and how those risks can be mitigated by both common sense measures and with technical hardening of defenses.

SaaS applications can be especially vulnerable for these two reasons

First, because of market pressure from cutthroat competition and clients who constantly demand better, more innovative capabilities, SaaS applications are under constant, often rapid development.  This means that even if an application is securely buttoned up at any given moment, hackers can hope (and regularly probe) for security vulnerabilities inadvertently created by an update, bug fix, or new version.

Second, SaaS applications are almost universally cloud distributed, meaning they bring vulnerabilities including gaps in security that can arise when companies share data or don’t have clearly delineated responsibilities for security. In addition, these relationships can encounter vulnerabilities from inadequate due diligence of one or more partners. (Such partnerships can even include a branched chain of partnerships that further dilute responsibility and increase vulnerability down the line.)

The most common ways hackers gain access

Although highly technical hacks do occur, in which dark-side computer engineers or programmers find and exploit zero-day holes in security or other public-facing, code-based vulnerabilities, these events are relatively uncommon compared to the more prevalent, less dramatic exploits. The most common breaches occur via misconfigurations, using credentials obtained under false pretenses, and using built-in capabilities of the software via valid accounts.

Phishing is just one way hackers get in

Phishing is when an attacker deceives a legitimate user into revealing login credentials or other information that facilitates an exploit. It’s extremely common, because it requires almost zero technical ability and is virtually costless via email or social media communication. Consequently, there are always rivers of phishing attempts flowing against the walls of any organization with data to steal. Sophisticated phishing includes spoofed email apparently sent from trusted accounts, in effect impersonating trusted co-workers or partners.

To avoid and limit the damage from phishing exploits, MSPs and partners can deploy email filters and anti-spoofing technology to prevent the phishing emails from ever landing in inboxes. They can also conduct employee training for recognizing phishing attempts, implement multi-factor authentication, and opt for alternative login credentials such as biometrics,  physical smart cards, or USB drives. Finally, since phishing exploits often depend on the user privileges assigned to the stolen credentials, it’s best to limit all user privileges to only what a given role requires.

The biggest vulnerabilities are in software misconfiguration

Because SaaS applications are almost universally user-configurable, the biggest vulnerabilities are in software misconfiguration. Any SaaS application, no matter how reliable and secure it may be when configured correctly, can become highly vulnerable with incorrectly configured settings. Furthermore, configuration and permission settings are usually more complex than users may realize, and can result in surprising and alarming levels of vulnerability.

A case in point: a misconfiguration of  Microsoft Power Apps, a popular low-code platform for app development, left open and vulnerable the personal data of 38 million end-use customers in August of 2021. The missteps were made by a total 47 entities, companies, and governmental bodies in the United States, including American Airlines, car Ford, J.B. Hunt,  and New York City Schools.

SaaS app misconfigurations resulting in potentially disastrous data leaks are an ongoing concern, since every app requires configurations that are designed to allow the right users to access information, while keeping it hidden from others. Fortunately, the solution is straightforward, if sometimes complex – make sure all settings, with particular attention to security and access settings, are configured correctly. Since low-code apps are designed and sold for low-code use, it’s never a bad idea to hire an expert consultant to audit security settings after an installation, major upgrade, or migration.

3rd-party apps and plugins

Low-code apps allow users to modify software for specific, efficient use and higher productivity. That’s the whole point. But embedded in this strength are potential vulnerabilities which must be guarded against. Misconfiguration is only one of those potential vulnerabilities. Another is 3rd-party plugins and apps designed to work with no-code or low-code SaaS apps.

3rd-Party apps and plugins should be published by reliable developers, also configured correctly, and used only with oversight from an IT department. It’s crucial to manage which apps and plugins are in use, keep an inventory of them, and use a whitelist of approved apps. You want to be sure that a user doesn’t download their own version of an app, or use an app or plugin that isn’t approved.

Buttoned-up access control

Access control management fundamentals include giving access to data, on a highly granular basis, only to those users who need it, and for as long as they need it. It’s important to have built-in to your management processes periodic reviews of who has access to what, and removing access for employees that have departed the company or who no longer have a need.

Multi factor authentication

Especially for sensitive data, multi factor authentication (MFA) is a key safeguard. Also called two-step verification, it creates a significant extra level of security as it requires sign-ins to include not only a username and password, but also another authentication step which can include another item of knowledge, proof of access to a physical device (smartphone or USB key), or biometric data (fingerprint or eye scan or face recognition).

Logging as a crucial defense

The behavior of bad actors inside a system differs, often dramatically, from the behavior of legitimate users, and so logging is a crucial defense. ​​Capturing logs is among the most fundamental cybersecurity processes. Logged activity can provide the information required to track down or prevent a cybersecurity breach.  That’s why logging, together with machine or human analysis of logged data, is critical for security.

Organizations looking for unified security logging in cloud SaaS environments may need to turn to specialized 3rd-party solutions, since native logging in SaaS can prove less than adequate due to multiple dashboards,  log files, users, mobile devices, remote machines, and level of subscription.

Cyber loss insurance

Just as no driver, no matter how careful, and no matter how safely designed the car, can be 100% sure no accidents will occur, and just as no homeowner or business can be 100% sure a fire won’t occur, no MSP or other business can guard with 100% certainty against a successful cyber attack.

Implementing the defenses sketched in this article not only hardens your defenses and makes your data and business safer, it also puts you in a position to purchase cyber loss insurance.

Data loss and data breaches are at least on a par with risk of fire and theft, for which responsible leaders purchase insurance against loss. Cyber loss provides an additional level of security for your business – even in the event that a cyber loss occurs.

What the NetD, Verizon, and Cyentia Reports tell us about the present and future state of cyber threats and cyber insurance

What the NetD, Verizon, and Cyentia Reports tell us about the present and future state of cyber threats and cyber insurance

The past year has been overwhelming in many ways, but cyber threats really took off and became a primary concern for all businesses, no matter the size. The 2022 Verizon Data Breach Investigations Report (DBIR) summarizes four key paths, all of which pervasive and should be a focus for organizations: Credentials, Phishing, Exploiting vulnerabilities, and Botnets.

Ransomware Biggest Concern

This year, ransomware threats have continued to rise at almost 13% and Ransomware-as-a-Service has been become increasingly popular. Blocking the 4 key paths mentioned above helps to block the routes ransomware commonly uses to take over your systems. The threats we faced in last year such as Solar Winds, Log4j, and Kaseya showed us how one supply chain incident can lead to a wide range of consequences.

The Cyentia Unit 42 Ransomware Threat Report 2022 shares that the average ransom demand on cases handled by Unit 42 last year was 2.2 million, and the average payment rose 78% to 541,010. According to the  NetDiligence Claims Study, the average total cost for a ransomware incident for SMEs is $267,000 and $16.6 million for large companies. The average costs for business interruption are $316k total for SMEs and $50 million for large companies.

Human Risk is Cybersecurity Risk

Human error continues to be a trend that drives data breaches; often influenced by misconfigurations of cloud storage, stolen credentials, phishing, or other simple security errors. People continue to play a large role in incidents and breaches, so don’t discount the importance of employee awareness training and the risk your own employees pose to your organization.

Data Breaches are a concern, especially as they are now often part of a ransomware attack
Some of the main causes of data breaches were use of stolen credentials, ransomware, and phishing. Web applications and email are the top two vectors for breaches, followed by carelessness, which are errors such as mis-delivery and misconfiguration- often human errors. The next vector is Desktop Sharing Software such as RDP and third-party software that allows users remote access other devices. It is important to note that if it’s easy for you to log, it’s probably not too difficult for a hacker either.

It’s Never Just One Thing

It is important to note that the pattern of system intrusions can consist of complex attacks that involve a combination of actions such as Social, Malware, Hacking, and Ransomware, and even threats originating from partners and vendors. In the past year, we learned the importance of choosing your partners and vendors wisely with all the third-party and supply chain breaches.

Top Causes of Loss for SMEs

According to the NetDiligence study, the top causes of Loss at SMEs are ransomware, hackers, business email compromise, staff mistakes, and phishing. These categories accounted for 70% of claims and 80% of total incident cost. The top affected sectors are consistent with the past few years: professional services, manufacturing, healthcare, technology, retail, and financial services.

Cyber threats are becoming more sophisticated, and cyber insurance is now more important than ever to your business. Luckily, if you are incorporating the necessary security controls to combat these threats, you are putting yourself in a better position to attain cyber insurance with better pricing and better terms. Read the reports for yourself and keep your organization educated on the trends in cybersecurity and cyber insurance, and very importantly, put security controls in place to combat all key paths and threat patterns.

How to protect your business in our ever-changing cybersecurity landscape

How to protect your business in our ever-changing cybersecurity landscape

Our nation has been facing some serious cybersecurity threats recently. A year ago, the nation was hit with the Colonial Pipeline ransomware attack that showed us how serious these threats really are. Other incidents such as the Kaseya hack and Log4Shell vulnerability showed businesses they need to prioritize their cybersecurity to stay on top of these evolving threats.

Currently, we are expecting an influx of phishing threats due to Russia’s war in Ukraine and bracing ourselves for other types of threats. Because of these recent events, the cyber insurance market is hardening; carriers are increasing their requirements, raising their premiums, and getting their war exclusion policies in order. There are several things businesses can do to protect themselves, their clients, and keep themselves insurable.

When it comes to phishing campaigns, the hacker is after your personal/sensitive information, usually trying to take control of your systems. Employee cybersecurity awareness training is crucial to combating these types of phishing attacks. These threats often use fake social media profiles, acting as recruiters, or impersonating an administrative role at a trusted company, sending malicious emails attempting to steal information and compromise your system. In fact, many insurance carriers are requiring employee cybersecurity training as well as the following and more.

  • Patch Management
  • Email Filtering
  • Offsite Backups and Backup Testing
  • Multi-Factor Authentication (particularly for admin and remote access)
  • Endpoint Detection and Response (EDR)
  • Next-Generation Anti-Virus
  • Security Awareness Training

Luckily, having these security controls in place will help you better protect yourself and your clients, while getting you better coverage for lower rates and keeping your prepared for our nation’s next threats.

More phish in the digital seas this year

More phish in the digital seas this year

“We’re going to need a bigger boat.” There’s more phish in the digital seas this year.

Researchers from Kroll analyzed data from security incidents they responded to during the first quarter of 2022. The analysis showed a 54% increase in phishing incidents for initial access compared to the first quarter of 2021.

The analysis also showed ransomware attacks dropped 20% between Q4 of 2021 and Q1 of 2022, partially due to law enforcement’s disruption of malicious activity. However, data collected from this quarter suggests ransomware attacks may pick up again. Recently, ransomware groups have been getting involved with Russia in the war against Ukraine, which may lead to some large threats.

How can businesses ensure they don’t fall victim?

Email attacks from Russia are already on a surge. Especially now, be cautious of any suspicious emails and double check the sender. Many phishing attacks are sending legitimate looking emails from administrative members or CEOs of organizations. If something doesn’t seem right, reach out to that person directly. Educate your employees on what to look for and how to not fall victim to these types of attacks through security awareness training and phishing simulations.

What can we learn from the Okta breach?

Okta has recently admitted to making a mistake by delaying the disclosure of a hack that occurred in January. Okta says that in January the company believed this was an unsuccessful account takeover by Lapsus$ data extortion group, targeting a Sitel engineer that required no further action. This “attempt” impacted 366, 2.5% of Okta’s customers. This was an issue of Incident Response gone bad. The cause was a hacker obtaining Remote Desktop Protocol access to a Sitel employee’s laptop.

Another similar incident is the Blackbaud hack in 2022, where the company identified a months-long ransomware attack, paid an undisclosed ransom, and the hacker had already compromised the data of over 120 organizations. The company faced criticism for downplaying the incident and waiting weeks to disclose information related to the attack.

Events like these highlight the importance of having strong Incident Response plans in place, including plans on communication in the event of an event, as well as testing and practicing these procedures before an incident occurs. Take this as a lesson and keep your company and your clients secure, by doing the necessary preparation, properly investigating if you notice anything suspicious, and having cyber insurance in place before an incident occurs.

Ukraine is changing the way we need to think about cybersecurity.

Ukraine is changing the way we need to think about cybersecurity.

CISA (The Cybersecurity and Infrastructure Security Agency) is warning organizations that Russia’s invasion of Ukraine could include malicious cyber activity against the U.S. and stated that “evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks”.  CISA asks that organizations report any malicious cyber activity. Additionally, during this time, every organization should adopt a heightened cybersecurity posture to be prepared to respond in the event of a cyber incident.

CISA provides recommended actions and resources to reduce the likelihood of a cyber intrusion, quickly detect a potential intrusion and ensure the organization is prepared in the event of an incident. These actions include but are not limited to:

  • Require MFA for all remote, privileged, or administrative access to the organization’s network.
  • Ensure all software is up to date (prioritizing known exploited vulnerabilities identified by CISA).
  • Disable all ports and protocols that are not essential to the business.
  • Confirm the organization is protected by antivirus/anti-malware software and update signatures in the tools.
  • Routinely test backup procedures and have an incident response plan in place.
  • Conduct employee awareness training to educate all personnel on how to prevent and spot a cyber-attack and improve your organization’s overall digital wellness.
  • Do not click any links that seems suspicious.

If you have been neglecting your digital hygiene, now is the time to get back on track, CISA advises organizations to plan for the worst-case scenario. Reference the recommended actions and materials provided by CISA and keep your organization educated and up to date on the potential risks and the importance of digital hygiene at this time.

The Importance of Cybersecurity in the Healthcare Industry

The healthcare industry has been digitally transforming over the past few years, especially due to the global pandemic. With this increase in technology comes an increase in risk and greater difficulty protecting patient privacy. Healthcare providers already have many crucial components to manage such as patient privacy and care, as well as the numerous compliances and regulations. Now that cyber-attacks are on the rise, healthcare providers are also working to keep their data and systems secure, but cybercriminals are taking advantage of this busy time.

Cybersecurity is a bit different and more complicated when it comes to healthcare and medical data. There are more digital systems than we typically realize. Patients fill their prescriptions and schedule appointments online. Not to mention heating, ventilation, air conditioning, infusion pumps, and many other systems that can be compromised by cybercriminals. The impact of a ransomware attack on healthcare data will be a much larger than most other industries because the data is extremely sensitive, and lives depend on it.  

According to Deloitte experts, the primary concerns for the healthcare industry are phishing, man-in-the-middle attacks, attacks on network vulnerabilities, and ransomware. To combat these types of attacks, clinics need to incorporate employee cybersecurity training, so that employees are educated on digital hygiene and know how to spot a threat. Clinics should also focus on data usage control, by monitoring, blocking, and logging any malicious activity, as well as implementing strict access rights (based on least privilege). Additionally, with mobile phones, apps, and other devices being more commonly used by administrative personnel, it is crucial to monitor any remote devices and disable any nonessential accounts. Businesses in any industry should be incorporating MFA, regular backups, and regularly updating software.  

The healthcare industry is growing rapidly, and so are cyber threats. If clinics can execute these security measures and keep up with them, they will be in a much better place to withstand any threat that arises and keep their data and patients secure.    

How Phishing is Leveraging Social Media

How Phishing is Leveraging Social Media

Social media platforms like LinkedIn, Twitter, and Facebook, as well as simple text messages have become a popular vector for phishing attacks. As phishers step up their scams, organizations need to keep their employees informed on how to spot them.


LinkedIn is widely considered a trusted domain. This means that any malicious emails that are leveraging LinkedIn most likely will not get blocked by your anti-spam and malware filters. The “redirect” feature for business on LinkedIn that allows you to track ad campaign performance can also unfortunately be used by hackers to redirect users to phishing scams. If you are unsure whether a message is legitimate or not, take a pause and do your own research on the site or service in question.


You may have heard of the July 15th Twitter hack that compromised high-profile, verified Twitter accounts. This phishing attack sent out fake tweets with links to a phishing site designed to steal cryptocurrency. Although people were scammed out of money, it could have been much worse, and information could have easily been stolen. If this type of scam can happen to celebrities, political leaders, and large corporations, it can happen to anyone.


Earlier this year, Facebook users were warned of phishing campaigns disguised as Messenger chats. When it comes to Facebook, if you are getting unprompted messages from friends or people you know, asking you to click a link or provide any information, just ignore it. If you think it may be legitimate or important, reach out to that person with another means of communication and ask them to be sure.


As if social media scams aren’t bad enough, mobile phishing scams are becoming more popular than ever. With all the buttons and ads that pop up on your phone, it can be easy to let your guard down when it comes to mobile phishing scams. Then there is SMS phishing, which can install malware on your device and significantly control your device functionality. If you receive a suspicious text message, do not open it, and absolutely do not click on any links.

All it takes is one click for a hacker to compromise your device. Mobile security should be a top priority for any organization. With more employees using mobile devices for work and having their social media apps such as LinkedIn on their phones, organizations need to step up their anti-phishing capabilities to keep users secure no matter what device they are working from. Organizations should be including regular security awareness training to help employees understand these threats and how they target individuals and businesses. Phishing can come from any source, and you need to be suspicious of any and every suspicious message or link you come across.

Log4j: FTC Warns Organizations they may face Legal Action

The Federal Trade Commission (FTC) released an alert, warning companies that they may face legal penalties if they aren’t taking the proper steps to mitigate Log4j vulnerabilities to protect consumer information. Earlier this month, FTC officials said there is a “severe risk” to consumer products, software, and applications caused by a vulnerability in the Java logging package. This vulnerability is being exploited by hackers and it is critical that vendors who rely on Log4j take the proper precautions to reduce their likelihood of an attack.

An example of this is the Equifax breach, which was caused by failing to patch a known vulnerability. Because of this vulnerability, the personal information of 147 million consumers was left exposed. Equifax paid $700 million to settle actions taken by the FTC. The FTC intends to pursue any companies that fail to take steps to protect consumer data from exposures caused by Log4j, or similar vulnerabilities that may occur in the future.

The FTC advises companies to keep your Log4j software package updated to the most recent version, and reference Log4j Vulnerability Guidance provided by CISA. This FTC alert is a wake-up call to many companies that cyber threats are evolving, and so are security requirements and legal actions that will be taken if they do not take the proper steps to protect consumer information.

Can Employee Personalities interfere with Security?

Can Employee Personalities interfere with Security?

A company’s employees can often be seen as a weakness in terms of cybersecurity. In fact, according to the Verizon Data Breach Investigations report, 3 out of the top 5 threat actions involve human risk.  We all have biases in our thinking that can create risky behavior.  Some even argue that there is a connection between employee personalities and security.

The traits with the highest correlation to information security behavior (positive or negative) are risk taking, openness, agreeableness, and conscientiousness. For example, employees who score high on conscientiousness are less likely to engage in risky behaviors and vice versa. Employees who are natural risk takers and tend to engage in sensation-seeking activities may take chances when it comes to security.

Personality tests like Meyers-Briggs and DISC, have been used by organizations for screening and training purposes for years.  How should an organization use these tests for cybersecurity purposes?   There are no definitive answers, but here are a couple of thoughts:

  1. Build processes that create healthy behaviors. Well documented procedures for systems administration or development with a solid change management process, automated testing tools and peer review are an example of methods to ensure that proper behaviors are deployed consistently and minimize non-compliance. Pilots with decades of experience still use checklists to inspect planes, take-off, land and taxi;  your IT team should as well.
  2. Install tools that minimizes impact of non-compliance. Tools such as Multi-factor authentication, email and web filters and endpoint detection and response (EDR) can go a long way to mitigate non-compliant employee behavior.
  3. Conduct role- and behavior-based security awareness training. Best practice security awareness training states that an organization should provide security awareness training particular to the role the individuals plays in the organization. Consider paying particular attention to training those with non-compliant tendencies.
  4. Ensure that there are proper incident response procedures in place. Even with a fully “compliant” staff from a cybersecurity perspective, stuff happens. Make sure you have a solid incidence response plan and are testing it on at least an annual basis.

Finally, the most important area the organization should focus on is leadership and governance. Spend some time thinking about the personality of the organization’s culture and how it can positively or negatively impact risk behavior. Remember, people will tend to mimic the leadership’s style in everything they do, including cybersecurity behavior. Whether that’s a good thing or not, is up to you.