OAuth


OAuth, also known as Open Authorization, is an open standard authorization framework for token-based authorization on the internet. OAuth enables an end-user’s account information held by one service (such as Facebook or Google) to be used by third-party services without exposing the user’s account credentials to the third party. It acts as an intermediary on behalf of the end-user, providing the third-party service with an access token that authorizes specific account information to be shared. The process for obtaining the token is called an authorization flow.

OAuth 1.0 was first released in 2007 as an authorization method for the Twitter Application Program Interface (API). In 2010, the IETF OAuth Working Group published the first draft of the OAuth 2.0 protocol. Like the original OAuth, OAuth 2.0 provides users with the ability to grant third-party application access to web resources without sharing a password. However, it is a completely new protocol and is not backward compatible with OAuth 1.0. Updated features include a new authorization code flow to accommodate mobile applications, simplified signatures, and short-lived tokens with long-lived authorizations. This provides end-users the ability to revoke tokens more easily when desired.

OAuth is often used to consolidate user credentials and streamline the login process for users so that when they access an online service, they don’t have to reenter information that other online accounts already possess.

OAuth is the underlying technology used for website authentication by sites that let users register or log in using their account with another website such as Facebook, Twitter, LinkedIn, Google, GitHub, or Bitbucket. For example, if a user clicks on the Facebook login option when logging into another website, Facebook authenticates them, and the original website logs them in using permission obtained from Facebook.
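To make the flow described above concrete, here is an added Python model of the OAuth 2.0 authorization code flow (not code from the original page or from any OAuth vendor): the user authenticates only to the provider, the third-party client receives a single-use code and then a short-lived access token, and the provider can revoke that token. The client name photo-app, the redirect URI and the sample credential are constructed values.

```python
import secrets
import time

# Constructed sample credential store; only the provider ever holds this.
USER_PASSWORDS = {"alice": "correct horse battery staple"}
class AuthorizationServer:
    # In-memory stand-in for the identity provider (the 'Facebook' role above).
    def __init__(self, token_ttl=60):
        self.clients = {}   # client_id -> registered redirect_uri
        self.codes = {}     # one-time authorization code -> (user, client_id, scope)
        self.tokens = {}    # access_token -> (user, client_id, scope, expires_at)
        self.token_ttl = token_ttl

    def authorize(self, user, password, client_id, redirect_uri, scope):
        # The user authenticates to the provider; the client never sees the password.
        if USER_PASSWORDS.get(user) != password:
            raise PermissionError("bad credentials")
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id, scope)
        return code

    def exchange_code(self, code, client_id, now=None):
        # Codes are single use and bound to one client; pop() makes a replay fail.
        if code not in self.codes or self.codes[code][1] != client_id:
            raise PermissionError("invalid or foreign authorization code")
        user, _, scope = self.codes.pop(code)
        token = secrets.token_urlsafe(24)
        expires_at = (time.time() if now is None else now) + self.token_ttl
        self.tokens[token] = (user, client_id, scope, expires_at)
        return token

    def introspect(self, token, now=None):
        # Resource-server check: (user, scope) if valid, None if expired or revoked.
        entry = self.tokens.get(token)
        if entry is None or (time.time() if now is None else now) >= entry[3]:
            return None
        return entry[0], entry[2]
    def revoke(self, token):
        self.tokens.pop(token, None)   # user-initiated revocation takes effect at once

def run_flow(server, now=None):
    # Third-party client's view of the flow: it handles a code and a token, never a password.
    server.clients["photo-app"] = "https://photo.example/cb"      # client registration
    code = server.authorize("alice", USER_PASSWORDS["alice"], "photo-app",
                            "https://photo.example/cb", "profile:read")  # user's login step
    token = server.exchange_code(code, "photo-app", now=now)       # back-channel exchange
    return {"code": code, "token": token}
```

The `now` parameter exists only so token expiry can be exercised deterministically; a real server would use the clock.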

What does this mean for an SMB or MSP?

OAuth and permissions to third-party Software as a Service (SaaS) solutions are something that should be monitored by IT staff. The OAuth mechanism makes it easy to interconnect applications, but many don’t consider what the possible ramifications may be. When these SaaS apps and other add-ons for SaaS platforms ask for permissions, they are usually granted without a second thought, presenting more opportunities for hackers to gain access to a company’s data. This puts companies at risk of supply chain attacks, API takeovers, and unintentionally installed malicious third-party apps on company devices.
 
Some security researchers are not fans of OAuth authentication mechanisms, claiming they are rife with vulnerabilities introduced by inexperienced programmers who don’t secure their APIs correctly. This Portswigger.net article outlines many of the potential threats found in OAuth implementations.

CyberHoot Bottom line: If you really want to implement OAuth in your SMB, stick to the mainstream vendor implementations from companies like Okta, Azure AD, or RSA. Each has been around for many years, faced much scrutiny of its codebase, and is well funded to mitigate risks in its API. Also, make sure to pair any OAuth source authentication service with multi-factor authentication before granting tokens to 3rd parties.
 
Finally, your company should really be doing all of the following cybersecurity program measures to ensure your security is buttoned up: 
 

Security Awareness Training – The first step in cybersecurity always comes back to raising employee awareness. Once the employees become more aware of the risks and dangers that these OAuth mechanisms present, they will be more hesitant to use them.

Enable Multi-Factor Authentication – The single best thing you can do to improve your organization’s cloud security is to turn on and enforce multi-factor authentication (MFA) for all possible accounts. This practice is especially true for your primary email and collaboration platforms because it reduces the harm an attacker can cause with stolen credentials.

Policies – Organizations should create a policy that requires employees to submit requests for third-party apps before connecting them. This can be implemented in your organization’s Acceptable Use Policy (AUP).

Employ SaaS Security Monitoring – SaaS security monitoring is a crucial layer of security for your SaaS stack. It enables you to manage employee access to your required SaaS apps by department, consolidate licenses, and gives you unprecedented visibility into your SaaS stack. Blissfully is one excellent example of a platform that can do all three and more; it’s a key SaaS security element when putting your IT stack together.

Manage SaaS Access & Passwords – Some SaaS applications cannot tie into SSO solutions as mentioned previously. For these situations, CyberHoot recommends using a Password Manager. Reputable Password Managers such as LastPass, 1Password, DashLane, or Bitwarden allow users to generate strong, unique 14+ character passwords, store credentials for websites and store encrypted Secure Notes. These tools are also valuable as they allow users to securely share credentials or notes with trusted employees or clients.

Practical advice and common sense apply here. Make sure your users know not to blindly accept all the access permissions requested by a SaaS application, just as they would deny a phone app access to their contact list or location data by default. If the application doesn’t need the access to function, your default position should always be to deny it.

CyberHoot’s Minimum Essential Cybersecurity Recommendations

The following recommendations will help you and your business stay secure with the various threats you may face on a day-to-day basis. All of the suggestions listed below can be gained by hiring CyberHoot’s vCISO Program development services.

  1. Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
  2. Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
  3. Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
  4. Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, and deploy DNS protection, antivirus, and anti-malware on all your endpoints.
  5. In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections) or prohibiting their use entirely.
  6. If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
  7. Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.

Each of these recommendations, except cyber-insurance, is built into CyberHoot’s product and virtual Chief Information Security Officer services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.
