
Toxic Combinations in Identity Security: An Oleria Perspective

Discover how toxic combinations in identity security pose significant risks and learn best practices to mitigate these threats.

By Jagadeesh Kunda
February 4, 2025

At Oleria, our unique visibility across identity and access has brought our attention to an urgent issue in identity security: toxic combinations. These situations involve individual vulnerabilities that may appear minor on their own — and thus can be easily overlooked or de-prioritized. When combined, however, these individually minor issues create a significant security risk. The prevalence of these toxic combinations is on the rise in today’s complex cloud, SaaS, and AI environments, making immediate attention and action necessary.

Understanding toxic combinations in identity security

Toxic combinations exponentially amplify identity-related risks, making the whole more dangerous than the sum of its parts. They also undermine the principle of least privilege, a cornerstone of sound identity security. Moreover, because the individual elements of toxic combinations do not, on their own, present glaring high-risk vulnerabilities, they often go undetected by traditional identity and access management (IAM) assessments. This can lead to unauthorized access, data breaches, and system compromises.

Recent breaches stemming from toxic combinations and best practices from an identity security perspective

The following real-world examples underscore the importance of a comprehensive approach to identity security. It's not just about addressing individual vulnerabilities but also understanding how they might interact to produce more severe threats. This holistic strategy is crucial in mitigating the risk of toxic combinations and ensuring a robust identity security system. 

Real Estate Wealth Network Breach (2023): A cybersecurity researcher uncovered a serious vulnerability in an unprotected database containing 1.5 billion real estate ownership records. This database, lacking passwords and access controls, posed significant risks due to sensitive information like names, addresses, financial details, and celebrity property records. With 1.16 TB of data exposed, the breach presented a high potential for identity theft, financial fraud, and targeted attacks on property owners. The Real Estate Wealth Network faced significant reputational damage and possible legal action for failing to secure such sensitive information.

Recommendations:

  • Implement robust Identity and Access Management (IAM) controls for all databases, especially those containing sensitive data.
  • Enforce strict authentication mechanisms, including password policies and access control lists (ACLs).
  • Deploy activity monitoring to track and audit all access attempts.
  • Run continuous risk assessments focused explicitly on configurations and access patterns.

MGM Resorts International Breach (2023): This breach highlights the dangers of social engineering combined with identity security vulnerabilities. Attackers researched staff on LinkedIn and used a vishing attack to trick an employee into revealing their credentials. Weak multi-factor authentication and excessive account privileges allowed further access to critical systems. The attack disrupted MGM Resorts' operations for nearly a week, affecting slot machines, restaurant services, and room key cards, resulting in around $100 million in financial losses. It also damaged MGM's reputation and eroded customer trust.

Recommendations:

  • Implement strong MFA protocols that are resistant to social engineering attempts.
  • Strengthen identity verification protocols for help desk and IT support interactions.
  • Provide security awareness training focused on social engineering and vishing attacks.
  • Regularly audit privileged accounts and their access patterns.

23andMe Breach (2023): Attackers carried out a credential stuffing attack, using stolen username and password pairs to access 23andMe accounts. Weak, reused passwords and the lack of mandatory multi-factor authentication (MFA) facilitated this breach. The interconnected data-sharing system allowed attackers to access a broader data set through a few compromised accounts. As a result, the breach compromised 7 million user accounts, exposing ancestry and health-related information and raising serious privacy concerns. 23andMe now faces multiple class-action lawsuits for negligence and privacy violations, which could lead to significant financial losses and reputational harm.

Recommendations:

  • Enforce mandatory strong MFA for all user accounts.
  • Deploy credential breach monitoring and forced password resets.
  • Apply rate limiting and anomaly detection to login attempts.
  • Review and restrict data-sharing permissions.
  • Update password policies regularly and enforce password complexity requirements.

Okta breach (2022): The 2022 Okta breach highlights how toxic combinations of security flaws can compromise even a major identity and access management provider. It showed that implementing IAM technology does not guarantee security. Attackers exploited excessive privileges, inadequate segmentation between customer environments, and poor monitoring. The breach began with a compromise of a third-party system (Sitel), allowing unauthorized access to Okta’s networks. The attackers moved from a support engineer's compromised workstation to customer support tools and potentially into customer environments, a troubling pattern of lateral movement. The breach remained undetected for several days, underscoring the difficulty of identifying cross-platform attacks. It harmed Okta's reputation and emphasized the risks of third-party access and the need for robust security measures. This incident serves as a wake-up call for the industry, highlighting the importance of continuous monitoring and proactive threat detection.

Recommendations:

  • Implement strict third-party access controls with time-bound permissions.
  • Monitor and alert in real time on suspicious access patterns.
  • Regularly review and rotate support personnel access credentials.
  • Continuously monitor the policies behind identity security controls.
  • Enhance incident response procedures with a focus on identity-related threats.

How Oleria addresses toxic combinations

At Oleria, we've developed solutions specifically designed to identify and address toxic combinations in identity security:

  1. Unified identity and access management: Our Trustfusion platform harmonizes disparate identity data sources, providing a unified permissions posture.
  2. Comprehensive identity visibility: That unified permissions posture enables Oleria to provide uniquely fine-grained visibility into access patterns and identity usage across all resources.
  3. Identity risk monitoring: Broad and deep visibility allows Oleria to continuously monitor identity-related risks, enabling organizations to make data-driven decisions about access and permissions.
  4. Automated removal of outdated access: Oleria turns insights into action, automatically identifying and removing dormant accounts and permissions to reduce the risk of toxic combinations.

Now is the time to get a handle on toxic combinations

Toxic combinations represent a significant challenge in modern identity security — an insidious risk that keeps expanding as organizations continue to adopt cloud and SaaS solutions and their IT estates grow more complex. Perhaps most concerning, these toxic combinations are difficult to recognize through conventional identity security tools and approaches, meaning they frequently go undetected until they’ve metastasized into serious incidents.

Oleria's identity security solutions give organizations modern tools that provide complete clarity and control of identity and access. This empowers organizations to follow the best practices above to protect themselves against toxic combinations that allow attackers to exploit identity vulnerabilities across different platforms and services. By learning from past incidents and implementing comprehensive identity security measures, organizations can significantly reduce their risk profile and enhance their overall security posture in the face of evolving identity-based threats.
