First-gen CASB goes phishing again



It is common knowledge that the Hippocratic oath of medicine taken by all healthcare professionals includes a form of the statement “foremost, do no harm,” or, in Latin, “primum non nocere.” It is just too bad that cyber security professionals do not adhere to such an oath.

A large enterprise specializing in petroleum products recently migrated to Office365. As part of that migration, they decided to deploy a CASB. Unfortunately for this company, their IT team is stretched thin, so they tested a single vendor and went ahead and deployed the solution. As it turns out, the cure is worse than the disease, leaving the enterprise in a state of explosive and chronic phishing risk. Phishing this enterprise is as easy as shooting fish in a barrel. Here is why.

When you go to Office365 and attempt to log in as a user at that enterprise, the CASB proxies the SSO page and hosts it at a random domain. This eviscerates the security of Single Sign-On, which is predicated on the user entering credentials only into a trusted identity provider domain. When users are required to enter their corporate credentials into unfamiliar, untrusted sites disconnected from the normal sphere of trust, they stop caring. Users will definitely not enter their personal bank credentials into strange domains, but are happy to enter their work credentials if their employer requires them to do so. As a result, a phishing email sent to any user at the enterprise with a link to a replica of the login page will cause the user to promptly cough up their corporate credentials. Furthermore, once users have been trained not to care where they enter their corporate credentials, it is very hard to untrain them. Suddenly, every user is ripe for phishing for years to come, leading to explosive and chronic risk.
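The defensive check implied by the paragraph above is that corporate credentials should only ever be submitted to the identity provider's own origin. The following Python is an added example, not code from the post or from any CASB vendor: it keeps a short allowlist of trusted IdP hosts and runs over a few constructed proxy-log lines, flagging every password POST that goes anywhere else. The host `login.microsoftonline.com` is the real Microsoft sign-in host for Office365; `sso.example.com`, the log format, the field names and the `casb-proxy.example` domain are assumptions made up for the example. Note that the CASB-rewritten domain and the lookalike phishing domain are flagged identically, which is exactly the author's point: once a login page lives on a random domain, the user has no way to tell the two apart.

```python
from urllib.parse import urlsplit

# Assumed allowlist of hosts where corporate credentials may legitimately be entered.
# login.microsoftonline.com is Microsoft's Office365 sign-in host; sso.example.com is
# a constructed placeholder for a corporate identity provider.
TRUSTED_IDP_HOSTS = ("login.microsoftonline.com", "sso.example.com")

# Form field names that indicate a password is being submitted (constructed list).
CREDENTIAL_FIELDS = {"passwd", "password", "pwd"}


def is_trusted_login_origin(url, trusted_hosts=TRUSTED_IDP_HOSTS):
    """Return True only if url uses HTTPS and its host is an allowlisted IdP host
    or a subdomain of one. The match is on a dot boundary, so a lookalike such as
    login.microsoftonline.com.evil.example does not pass."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    for trusted in trusted_hosts:
        trusted = trusted.lower()
        if host == trusted or host.endswith("." + trusted):
            return True
    return False


def parse_log_line(line):
    """Parse one constructed log line: '<ts> <method> <url> [<comma-separated form fields>]'."""
    tokens = line.split(maxsplit=3)
    if len(tokens) < 3:
        raise ValueError("malformed log line: %r" % line)
    ts, method, url = tokens[:3]
    fields = tokens[3] if len(tokens) == 4 else ""
    return {
        "ts": ts,
        "method": method.upper(),
        "url": url,
        "fields": {f for f in fields.split(",") if f},
    }


def flag_credential_posts(log_lines, trusted_hosts=TRUSTED_IDP_HOSTS):
    """Return the URLs of POST requests that carry a password field to any origin
    that is not an allowlisted IdP host (including a proxy-rewritten copy of the IdP page)."""
    flagged = []
    for line in log_lines:
        if not line.strip():
            continue
        rec = parse_log_line(line)
        if rec["method"] != "POST" or not (rec["fields"] & CREDENTIAL_FIELDS):
            continue
        if not is_trusted_login_origin(rec["url"], trusted_hosts):
            flagged.append(rec["url"])
    return flagged


# Constructed sample log: a genuine IdP login, a CASB-proxied copy of the login page,
# a lookalike phishing domain, a harmless intranet search, and a plain-HTTP login.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z POST https://login.microsoftonline.com/common/login loginfmt,passwd
2024-01-01T10:00:05Z POST https://a1b2c3.casb-proxy.example/login loginfmt,passwd
2024-01-01T10:00:09Z POST https://login.microsoftonline.com.evil.example/login loginfmt,passwd
2024-01-01T10:00:12Z POST https://intranet.example.com/search q
2024-01-01T10:00:20Z POST http://login.microsoftonline.com/common/login loginfmt,passwd
"""

if __name__ == "__main__":
    for url in flag_credential_posts(SAMPLE_LOG.splitlines()):
        print("credential POST to untrusted origin:", url)
```

Running the block prints the three untrusted destinations (the CASB proxy domain, the lookalike domain and the plain-HTTP URL); the genuine IdP login and the non-credential POST are left alone. The same allowlist rule is what a user would have to apply in their head for SSO to retain its value, which is why a CASB that moves the login page to a random domain makes the rule impossible to follow.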


PS: other enterprises have fallen for this before wising up.

*** This is a Security Bloggers Network syndicated blog from Bitglass Blog authored by Nat Kausik. Read the original post at: