
SaaS Applications: the hidden threat in plain sight


Cryptocurrency holdings targeted by HubSpot hackers

On March 18, 2022, HubSpot discovered that a bad actor, using a compromised HubSpot employee account, breached almost 30 portals of its clients. The attack seems to have been targeted at HubSpot customers in the cryptocurrency industry. 

The companies affected by the breach have said their operations were not affected and they have not lost any funds. 

How might you feel if your cryptocurrency was stored with one of those companies? Disquieted, at the least. And so the lingering questions and disquiet in those firms, and among their clients, are object lessons in the importance of guarding any SaaS against hackers.   

When businesses subscribe to a SaaS service, they want to trust that security issues are buttoned up, keeping their data, customers, and finances safe. But MSPs, and indeed any business, should be aware of the risks that come with any SaaS – and of how those risks can be mitigated both by common-sense measures and by technical hardening of defenses.

SaaS applications can be especially vulnerable for these two reasons 

First, because of market pressure from cutthroat competition and clients who constantly demand better, more innovative capabilities, SaaS applications are under constant, often rapid development.  This means that even if an application is securely buttoned up at any given moment, hackers can hope (and regularly probe) for security vulnerabilities inadvertently created by an update, bug fix, or new version. 

Second, SaaS applications are almost universally cloud distributed, which brings its own vulnerabilities: gaps in security arise when companies share data or don’t have clearly delineated responsibilities for security. In addition, these relationships can be weakened by inadequate due diligence on one or more partners. (Such partnerships can even include a branched chain of partnerships that further dilutes responsibility and increases vulnerability down the line.)

The most common ways hackers gain access 

Although highly technical hacks do occur, in which dark-side computer engineers or programmers find and exploit zero-day holes in security or other public-facing, code-based vulnerabilities, these events are relatively uncommon compared to the more prevalent, less dramatic exploits. The most common breaches occur via misconfigurations, using credentials obtained under false pretenses, and using built-in capabilities of the software via valid accounts. 

Phishing is just one way hackers get in

Phishing is when an attacker deceives a legitimate user into revealing login credentials or other information that facilitates an exploit. It’s extremely common, because it requires almost zero technical ability and is virtually costless via email or social media communication. Consequently, there are always rivers of phishing attempts flowing against the walls of any organization with data to steal. Sophisticated phishing includes spoofed email apparently sent from trusted accounts, in effect impersonating trusted co-workers or partners. 

To avoid and limit the damage from phishing exploits, MSPs and partners can deploy email filters and anti-spoofing technology to prevent phishing emails from ever landing in inboxes. They can also conduct employee training for recognizing phishing attempts, implement multi-factor authentication, and opt for alternative login credentials such as biometrics, physical smart cards, or USB security keys. Finally, since the damage from a phishing exploit depends on the user privileges assigned to the stolen credentials, it’s best to limit every user’s privileges to only what their role requires.

The biggest vulnerabilities are in software misconfiguration 

Because SaaS applications are almost universally user-configurable, the biggest vulnerabilities are in software misconfiguration. Any SaaS application, no matter how reliable and secure it may be when configured correctly, can become highly vulnerable with incorrectly configured settings. Furthermore, configuration and permission settings are usually more complex than users may realize, and can result in surprising and alarming levels of vulnerability. 

A case in point: a misconfiguration of Microsoft Power Apps, a popular low-code platform for app development, left the personal data of 38 million end users open and exposed in August of 2021. The missteps were made by a total of 47 entities, including companies and governmental bodies in the United States, among them American Airlines, carmaker Ford, J.B. Hunt, and New York City Schools.

SaaS app misconfigurations resulting in potentially disastrous data leaks are an ongoing concern, since every app requires configuration that is designed to let the right users access information while keeping it hidden from others. Fortunately, the solution is straightforward to state, if sometimes complex to carry out – make sure all settings, with particular attention to security and access settings, are configured correctly. Since low-code apps are designed and sold for use by non-specialists, it’s never a bad idea to hire an expert consultant to audit security settings after an installation, major upgrade, or migration.

3rd-party apps and plugins 

Low-code apps allow users to modify software for specific, efficient use and higher productivity. That’s the whole point. But embedded in this strength are potential vulnerabilities which must be guarded against. Misconfiguration is only one of those potential vulnerabilities. Another is 3rd-party plugins and apps designed to work with no-code or low-code SaaS apps. 

3rd-Party apps and plugins should be published by reliable developers, also configured correctly, and used only with oversight from an IT department. It’s crucial to manage which apps and plugins are in use, keep an inventory of them, and use a whitelist of approved apps. You want to be sure that a user doesn’t download their own version of an app, or use an app or plugin that isn’t approved. 

Buttoned-up access control 

Access control management fundamentals include giving access to data, on a highly granular basis, only to those users who need it, and only for as long as they need it. It’s important to build periodic reviews of who has access to what into your management processes, and to remove access for employees who have left the company or who no longer have a need for it.

Multi-factor authentication

Especially for sensitive data, multi-factor authentication (MFA) is a key safeguard. Also called two-step verification, it creates a significant extra level of security because a sign-in requires not only a username and password but also another authentication step, which can be another item of knowledge, proof of access to a physical device (smartphone or USB key), or biometric data (fingerprint, iris scan, or face recognition).

Logging as a crucial defense 

The behavior of bad actors inside a system differs, often dramatically, from the behavior of legitimate users, and so logging is a crucial defense. Capturing logs is among the most fundamental cybersecurity processes. Logged activity can provide the information required to track down or prevent a cybersecurity breach. That’s why logging, together with machine or human analysis of logged data, is critical for security.

Organizations looking for unified security logging in cloud SaaS environments may need to turn to specialized 3rd-party solutions, since native SaaS logging can prove less than adequate: it is often split across multiple dashboards, log files, users, mobile devices, and remote machines, and its depth may depend on the subscription level.
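As an added example (not code from the original post, nor from any product named in it), the following Python script turns three of the controls above into checks that can be run over SaaS audit logs: plugin installs outside the approved whitelist, activity by accounts that should have been removed during offboarding, and a successful login that follows a burst of failed attempts from the same address. The log format, field names, approved-plugin list and offboarded-user list are all assumptions, and the sample log lines are constructed.

```python
"""Audit-log review for a SaaS tenant: unapproved plugins, offboarded
accounts still active, and logins that succeed after a failed burst.
Added example; the JSON-lines format and field names are assumed."""
import json
from collections import defaultdict

APPROVED_PLUGINS = {"crm-sync", "calendar-bridge"}   # assumed IT whitelist
OFFBOARDED_USERS = {"jdoe@example.com"}               # assumed HR offboarding feed
FAILED_LOGIN_THRESHOLD = 3                            # failures before a success is suspicious

# Constructed sample events (one JSON object per line); not from a real system.
SAMPLE_LOG = """
{"ts": "2022-06-01T09:00:01Z", "user": "amy@example.com", "event": "login_failed", "ip": "203.0.113.7"}
{"ts": "2022-06-01T09:00:05Z", "user": "amy@example.com", "event": "login_failed", "ip": "203.0.113.7"}
{"ts": "2022-06-01T09:00:09Z", "user": "amy@example.com", "event": "login_failed", "ip": "203.0.113.7"}
{"ts": "2022-06-01T09:00:14Z", "user": "amy@example.com", "event": "login_success", "ip": "203.0.113.7"}
{"ts": "2022-06-01T09:05:00Z", "user": "amy@example.com", "event": "plugin_installed", "plugin": "bulk-exporter"}
{"ts": "2022-06-01T09:06:00Z", "user": "bob@example.com", "event": "plugin_installed", "plugin": "crm-sync"}
{"ts": "2022-06-01T09:10:00Z", "user": "jdoe@example.com", "event": "login_success", "ip": "198.51.100.4"}
"""


def parse_events(text):
    """Parse JSON-lines audit log text into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review(events):
    """Return a list of (finding, user, detail) tuples in log order."""
    findings = []
    failures = defaultdict(int)  # (user, ip) -> consecutive failed logins
    for e in events:
        user = e["user"]
        if user in OFFBOARDED_USERS:
            findings.append(("offboarded_account_active", user, e["ts"]))
        if e["event"] == "plugin_installed" and e["plugin"] not in APPROVED_PLUGINS:
            findings.append(("unapproved_plugin", user, e["plugin"]))
        if e["event"] == "login_failed":
            failures[(user, e["ip"])] += 1
        elif e["event"] == "login_success":
            key = (user, e["ip"])
            if failures[key] >= FAILED_LOGIN_THRESHOLD:
                findings.append(("success_after_failed_burst", user, e["ip"]))
            failures[key] = 0  # a success resets the counter for that pair
    return findings


if __name__ == "__main__":
    for finding in review(parse_events(SAMPLE_LOG)):
        print(*finding)
```

Each finding is a candidate for review, not a verdict; the offboarded-account check in particular is only as good as the HR feed it is compared against.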

Cyber loss insurance

Just as no driver, no matter how careful, and no matter how safely designed the car, can be 100% sure no accidents will occur, and just as no homeowner or business can be 100% sure a fire won’t occur, no MSP or other business can guard with 100% certainty against a successful cyber attack. 

Implementing the defenses sketched in this article not only hardens your defenses and makes your data and business safer, it also puts you in a position to purchase cyber loss insurance. 

Data loss and data breaches are at least on a par with the risk of fire and theft, against which responsible leaders purchase insurance. Cyber loss insurance provides an additional level of security for your business – even in the event that a cyber loss does occur.

About the Author:

Doug Kreitzberg – Founder & CEO of SeedPod Cyber

As CEO of USI Affinity and Programs (2004-2018), Doug led affinity business development, marketing and program businesses, including professional liability, commercial property & casualty, personal lines and life and disability Programs. In 2018, Doug founded a cybersecurity and data privacy risk consulting firm. It was through his consulting practice that he learned the value that Managed Service Providers bring to small and medium sized businesses. That insight formed the basis for SeedPod Cyber, a cyber insurance managing general agency Kreitzberg founded in 2021 which partners with Managed Service Providers to provide cyber insurance to their clients.