In June, news broke that gaming giant Electronic Arts was the victim of a breach. According to reports, attackers bypassed the company's security and made off with 750GB of data that contained the source code and debug tools to some of their games, including FIFA 21.
The hackers told reporters that they had buyers willing to shell out a whopping $28 million for EA's property. In its statement, EA acknowledged the breach but said no customer data was taken. At the end of July, after over a month of failing to find a buyer, the thieves decided to leak the data themselves.
The first lesson here is don't believe hackers when they say they have "tons of buyers." Lying comes with the territory.
But that's not what was interesting about this story. The more significant aspect is how the breach should inform our security posture moving forward in the new era of remote and hybrid work.
The Breach – If You Give a Hacker a Cookie
According to reports, the attackers bought a cookie for EA's Slack for $10 on the Dark Web.
Once in Slack, they told the good folks over at the help desk that they had been partying over the weekend and lost their phone, so they couldn't complete the multifactor authentication (MFA) step.
The help desk — trying to help — authenticated the attackers to enter the network. After all, they were in the Slack, so they had already been authenticated as legit employees, right?
Free to roam, the hackers made their way to EA's crown jewels and out the door with the goods.
Adopt a "Remote-First" Security Policy
To be clear, the point is not to blame the help desk person. (That's what interns are for.)
In discussing this story, one person I spoke with asked why the "employee" making the access request to skirt the MFA wasn't asked to deal with this face-to-face. This position might sound reasonable as more people are coming into the office, but it reflects an outdated approach to security.
Organizations like LinkedIn, and plenty of others, have shifted to remote working as the standard. This has meant moving off the network and using identity as the key to access assets in cloud services at all hours, regardless of location.
Our security practices need to reflect this reality. Policies must be able to ensure security without employees having to show up in the physical office, since that may not be a viable expectation, or even an option, in the future.
Three Risk Mitigation Measures for Remote Working
Assume breaches will happen and attackers will make it inside. Our job is to think about how we minimize their ability to cause real damage.
Try starting with these tips.
1. Identify Your Crown Jewels
These are your most important assets. Maybe they are customer details, financial information, IP (source code), or anything else that will cause a lot of harm if it falls into the wrong hands.
Protecting these assets is your top priority. Start by continuously identifying those that fall into this category and stringently restrict access to them with policies. Continuously monitor for violations and remediate to align with policy.
As an aside, it looks like the EA team got its crown jewels assessment right. No valuable customer data leaked, and the hackers were unable to sell/ransom back the stolen data.
2. Limit Access to Assets with the Principle of Least Privilege
In the zero-trust model, we assume compromise. The question is how to restrict access once attackers have made it past the high walls.
Access policies are the closest thing to segmentation in the cloud environment that security teams have real control over. Restricting access to assets to the minimum number of people who need it, and to the minimum level of access those people need, is a necessity.
Assessing what that minimum should be depends on your identity blast radius. Think about this like a threat model that looks at the possible consequences of an incident involving your identities. The worse the repercussions, the more careful you should be.
3. Lock Down External Sharing With Third Parties
Business necessity often requires sharing assets with contractors or partners. These can be legitimate shares, but they need to be kept in check.
Have policies in place to ensure your team blocks external access to assets when that access is no longer needed. Treat this as an extension of the principle of least privilege, but with higher priority, because it involves people outside your organization.
Monitoring these policies must be continuous to ensure no violations pop up in between periodic reviews. An automated workflow and remediation mechanism are highly advisable since the scale of this challenge can quickly become unmanageable.
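To make the three measures concrete, here is an added example (not from the article or from EA) of the kind of continuous check an automated workflow could run: it scores each identity's blast radius against a constructed list of crown-jewel assets and flags external shares that violate policy so they can be remediated. The asset names, identities and expiry dates are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data: assets flagged as crown jewels (measure 1).
CROWN_JEWELS = {"repo/fifa21-src", "repo/debug-tools", "db/customer-pii"}


@dataclass
class Grant:
    identity: str
    asset: str
    level: str                      # "read" or "write"
    external: bool = False          # granted to someone outside the org
    expires: Optional[date] = None  # external shares should always carry an expiry


GRANTS = [
    Grant("alice@corp.example", "repo/fifa21-src", "write"),
    Grant("bob@corp.example", "repo/fifa21-src", "read"),
    Grant("bob@corp.example", "repo/debug-tools", "write"),
    Grant("ci-bot@corp.example", "db/customer-pii", "write"),
    Grant("vendor@partner.example", "repo/debug-tools", "read", True, date(2021, 5, 31)),
    Grant("studio@partner.example", "repo/fifa21-src", "read", True, date(2022, 1, 31)),
    Grant("qa@partner.example", "wiki/release-notes", "read", True),
]


def blast_radius(grants, crown_jewels):
    """Crown-jewel assets reachable per identity: the higher the number,
    the more damage a single stolen session cookie for that identity can do (measure 2)."""
    reach = {}
    for g in grants:
        if g.asset in crown_jewels:
            reach.setdefault(g.identity, set()).add(g.asset)
    return {ident: len(assets) for ident, assets in reach.items()}


def policy_violations(grants, crown_jewels, today):
    """External-sharing findings as (identity, asset, reason), for the remediation workflow (measure 3)."""
    findings = []
    for g in grants:
        if not g.external:
            continue
        if g.expires is None:
            findings.append((g.identity, g.asset, "external share without expiry"))
        elif g.expires < today:
            findings.append((g.identity, g.asset, "external share past expiry"))
        if g.asset in crown_jewels and g.level != "read":
            findings.append((g.identity, g.asset, "external write access to crown jewel"))
    return findings


if __name__ == "__main__":
    print(blast_radius(GRANTS, CROWN_JEWELS))
    for finding in policy_violations(GRANTS, CROWN_JEWELS, date(2021, 8, 1)):
        print("REMEDIATE:", *finding)
```

Running this against a real identity provider or collaboration platform would mean replacing the constructed GRANTS list with an export of actual grants and feeding the findings into a ticketing or auto-revocation step.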
Be Prepared for Maximum Flexibility
With the delta variant driving a rise in infections across 49 states in the US, plenty of organizations may soon find themselves switching back to remote and delaying their return-to-office plans.
For organizations, this means putting strong authentication (AuthN) and authorization (AuthZ) tools in place: first to ensure that identities really are who they say they are, and then to enforce access restrictions for damage control when other protections fail.
Putting COVID concerns aside, remote work is here to stay. Every candidate that comes into interviews wants to confirm that remote work is part of the way we work. It's become a new standard that organizations of all sizes must adjust to.
If your hybrid work security policies are not built with remote as the default, and identity-first security at the core, then you are ill-prepared for the current state of work — let alone the future.