itSMFI 2017 Forum Focus - June Forum Focus ITSMFI | Page 19

credit, OneLogin responded quickly, shutting down the hackers’ access within hours and alerting its community the same day. One detail OneLogin has not shared yet is exactly how the attackers gained access to its AWS keys, so at this point, we can only speculate. We can say, however, that if this attack is like 91 percent of cybersecurity intrusions, the initial attack vector was a phishing email. For instance, a hacker could have posed as a member of the OneLogin security team and sent an email to another security team member that looked, for all intents and purposes

phishing attacks while a company and its clients are dealing with the aftermath of a hack. A classic tactic is to send an email to customers that appears to be a message from the CEO, warning people to change their passwords because of the recent attack, but which contains a password-reset link that leads to a website controlled by the hacker. Perhaps that’s the same hacker who invaded the company’s system earlier this week, or it could be a new, unrelated actor who is just taking advantage of the situation. Unfortunately, until its DMARC authentication setup is complete, there’s no reliable way for OneLogin customers, partners or employees to be certain that email coming from the company really does originate with the company. It’s notable that DocuSign, which also suffered a devastating security breach recently, is in a similar position. It is also not protected by email authentication.
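The DMARC gap described above is what lets a forged "message from the CEO" reach customers' inboxes. The following is an added example, not code from the article or from OneLogin, showing how a receiving mail server reads a domain's DMARC TXT record and decides what happens to a message whose SPF and DKIM checks fail; `example.com`, `attacker.example` and the two records are constructed, the organizational domain is approximated as the last two labels (no Public Suffix List lookup), and `pct=` sampling is ignored.

```python
from dataclasses import dataclass

@dataclass
class DmarcPolicy:
    policy: str  # p= tag: action receivers should take on failing mail
    adkim: str   # DKIM alignment mode: r(elaxed) or s(trict)
    aspf: str    # SPF alignment mode

def parse_dmarc(record: str) -> DmarcPolicy:
    """Parse a _dmarc.<domain> TXT record; raise ValueError if it is unusable."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, val = part.split("=", 1)
        tags[key.strip().lower()] = val.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("missing v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return DmarcPolicy(tags["p"], tags.get("adkim", "r"), tags.get("aspf", "r"))

def org_domain(domain: str) -> str:
    # Assumption/simplification: organizational domain = last two labels,
    # instead of a real Public Suffix List lookup.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode only the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def disposition(rec: DmarcPolicy, from_domain: str, spf_pass: bool,
                spf_domain: str, dkim_pass: bool, dkim_domain: str) -> str:
    """'pass' if an authenticated identifier aligns with the visible From:
    domain, otherwise the action the domain owner requested (pct= ignored)."""
    if spf_pass and aligned(from_domain, spf_domain, rec.aspf):
        return "pass"
    if dkim_pass and aligned(from_domain, dkim_domain, rec.adkim):
        return "pass"
    return rec.policy

if __name__ == "__main__":
    # Constructed scenario: a forged password-reset mail claiming to be from
    # ceo@example.com, relayed from attacker infrastructure (SPF fails, no DKIM).
    for txt in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; adkim=s; aspf=s"):
        rec = parse_dmarc(txt)
        print(txt, "->", disposition(rec, "example.com", False, "attacker.example", False, ""))
```

With `p=none` (a monitoring-only record, the state of a DMARC rollout that is not yet complete) the forged message is only reported, not blocked; with `p=reject` the receiver is asked to refuse it.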