Whether you realize it or not, you’ve shared your personal information. Perhaps you’ve done it by filling out an online application to a local gym, purchasing a Mother’s Day gift over the internet, or updating your benefits information with your employer’s HR services. In many of our virtual transactions, we end up willingly and sometimes unknowingly sharing personally identifiable information (PII) with online entities and their third-party affiliates.
Knowing cybercriminals would love nothing more than to get their hands on your sensitive data, online vendors and our own employers turn to third-party identity and access management service companies like Okta to protect customer and employee information.
But what happens when the very identity and access management companies in which we place our trust (and our PII) fall victim to a third-party breach themselves?
On March 21, a hacking group known as Lapsus$ posted what appeared to be visual proof that the cybercriminals had breached Okta systems. And though Okta has since attempted to frame the incident as “an unsuccessful attempt to compromise” a vendor account, Lapsus$ have reveled in the fallout, taking repeated victory laps on social media, across the dark web, and on the group’s own Telegram channel. Meanwhile, employers, employees, customers, and much of the cybersecurity community are left angry and confused.
Okta has been roundly criticized for the length of time between when the company was first notified of suspicious activity involving a third-party vendor account in January, and its initial public comment following the Lapsus$ post in March. “[Okta] can still turn this around,” Fortalice CEO Theresa Payton told the Wall Street Journal recently, “But it’s going to require transparency in their communications.”
As more information comes to light, there is still a host of jarring questions left to answer.
We’re glad you asked.
In the near term, Fortalice recommends that all organizations review the previous 90 days of logs for all system administration (or “superuser” level) activity, and ensure heightened monitoring of that activity continues going forward. Additionally, you should test to ensure multi-factor authentication is enforced and working as you intended. (Specifically, Okta users should consider taking the extra step of resetting passwords.) Lastly, take time to thoroughly review any failed login attempts, and track down any access to your systems from unknown IP addresses.
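The four checks above can be run against exported identity-provider logs before the window closes. The script below is an added example, not Fortalice's or Okta's code: it triages events in the shape of the Okta System Log JSON (fields `published`, `eventType`, `outcome.result`, `actor.alternateId`, `client.ipAddress`) for privileged activity, MFA factor changes, repeated failed logins, and successful logins from addresses outside your known networks, all within a 90-day look-back. The event type names, the trusted network list, the failure threshold and every log line are assumptions or constructed sample data; in practice the events would come from your own Okta org's `GET /api/v1/logs?since=<cutoff>` export.

```python
"""Offline triage of Okta-style System Log events for a 90-day review.

Added example, not Fortalice or Okta code. The event schema follows the
Okta System Log JSON shape; the event type names below are assumed to
carry the meaning their names suggest.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Event types treated as superuser / privilege-affecting activity (assumption).
PRIVILEGE_EVENTS = {
    "user.account.privilege.grant",   # admin role assigned to a user
    "system.api_token.create",        # new API token minted
}
# Event types that weaken or rewrite a user's MFA enrolment (assumption).
MFA_EVENTS = {
    "user.mfa.factor.deactivate",
    "user.mfa.factor.reset_all",
}
LOGIN_EVENT = "user.session.start"
FAILED_LOGIN_THRESHOLD = 3  # repeated failures per actor worth a closer look


def parse_ts(value):
    """Parse Okta's ISO-8601 'published' timestamp (trailing Z) to aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(events, known_networks, now, window_days=90):
    """Return findings keyed by check name for events inside the look-back window."""
    cutoff = now - timedelta(days=window_days)
    trusted = [ip_network(n) for n in known_networks]
    findings = defaultdict(list)
    failed_logins = defaultdict(int)

    for ev in events:
        published = parse_ts(ev["published"])
        if published < cutoff:
            continue  # older than the review window
        etype = ev["eventType"]
        result = ev.get("outcome", {}).get("result")
        actor = ev.get("actor", {}).get("alternateId", "<unknown>")
        ip = ev.get("client", {}).get("ipAddress")

        if etype in PRIVILEGE_EVENTS and result == "SUCCESS":
            findings["privileged_activity"].append((published, actor, etype))
        elif etype in MFA_EVENTS and result == "SUCCESS":
            findings["mfa_change"].append((published, actor, etype))
        elif etype == LOGIN_EVENT:
            if result == "FAILURE":
                failed_logins[actor] += 1
            elif result == "SUCCESS" and ip is not None:
                # A successful login from outside every trusted network.
                if not any(ip_address(ip) in net for net in trusted):
                    findings["login_from_unknown_ip"].append((published, actor, ip))

    for actor, count in sorted(failed_logins.items()):
        if count >= FAILED_LOGIN_THRESHOLD:
            findings["repeated_failed_logins"].append((actor, count))
    return dict(findings)


def _event(ts, etype, result, actor, ip):
    """Build one constructed sample event in the Okta System Log shape."""
    return {
        "published": ts,
        "eventType": etype,
        "outcome": {"result": result},
        "actor": {"alternateId": actor},
        "client": {"ipAddress": ip},
    }


# Constructed sample data: not real log lines from any organization.
NOW = datetime(2022, 3, 25, tzinfo=timezone.utc)
KNOWN_NETWORKS = ["198.51.100.0/24", "10.0.0.0/8"]  # corporate egress (assumed)
SAMPLE_EVENTS = [
    _event("2022-03-21T10:00:00.000Z", LOGIN_EVENT, "SUCCESS", "alice@example.com", "203.0.113.7"),
    _event("2022-03-21T10:05:00.000Z", "user.account.privilege.grant", "SUCCESS", "alice@example.com", "203.0.113.7"),
    _event("2022-03-22T01:00:00.000Z", LOGIN_EVENT, "FAILURE", "bob@example.com", "203.0.113.9"),
    _event("2022-03-22T01:00:30.000Z", LOGIN_EVENT, "FAILURE", "bob@example.com", "203.0.113.9"),
    _event("2022-03-22T01:01:00.000Z", LOGIN_EVENT, "FAILURE", "bob@example.com", "203.0.113.9"),
    _event("2022-03-22T02:00:00.000Z", "user.mfa.factor.reset_all", "SUCCESS", "support@example.com", "10.1.2.3"),
    _event("2021-11-01T09:00:00.000Z", "user.account.privilege.grant", "SUCCESS", "old@example.com", "10.1.2.4"),
    _event("2022-03-23T08:00:00.000Z", LOGIN_EVENT, "SUCCESS", "carol@example.com", "198.51.100.22"),
]

if __name__ == "__main__":
    for check, hits in triage(SAMPLE_EVENTS, KNOWN_NETWORKS, NOW).items():
        print(check)
        for hit in hits:
            print("   ", hit)
```

On the sample data the November privilege grant is dropped as outside the window, while the March grant, the MFA reset performed by a support account, Bob's three failed logins and Alice's login from an address outside the trusted ranges are each reported. The sharpest signal in a support-vendor compromise is the middle one: an MFA reset or password change initiated by a support or helpdesk identity on an account that did not request it, so pivot from those events to the target account's subsequent sessions.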
We at Fortalice believe preparation is the best strategy to protect an organization, so if you’re looking to strengthen your cybersecurity posture and prepare for the next cyber threat, here’s how Fortalice can help:
For additional information on Fortalice Solutions service offerings, contact the team via email at watchmen@fortalicesolutions.com.
To report a cyber incident, you can call the FBI's 24/7 CyWatch at (855) 292-3937 or email them at CyWatch@fbi.gov. And for the latest from Okta on the January 2022 Compromise: https://www.okta.com/blog/2022/04/okta-concludes-its-investigation-into-the-january-2022-compromise/.