
What is True Cybersecurity Risk?


Let us discuss this as simply as possible…

When you walk into your business in the morning, what is the risk that you will be hacked?

The percentage may be small if all of your devices are in good shape (all updated, and no obsolete computer devices in your locations). Or you may be thinking, “My systems are updated and we have all our data in the cloud.” Is it safe to assume that you are risk-free if you are in the cloud?

Then you see a new threat like this: “Storm 0501 evolving techniques lead to cloud based ransomware”. Here the cloud itself can get ransomware, so what happens now?

Storm-0501 is the group that can access the cloud and create havoc.

Here is the detail I like to see: “These efforts ultimately enabled Storm-0501 to identify a non-human synced identity with a Global Admin role in Microsoft Entra ID on that tenant, and lacking in multi-factor authentication (MFA) protections. This subsequently opened the door to a scenario where the attackers reset the user’s on-premises password, causing it to be synced to the cloud identity of that user using the Entra Connect Sync service.”

I wrote about this before on my blog in October 2022 (Oversitesentry.com: “Has cloud account been Hacked? Like Uber did?”).

Uber’s account was hacked at the point of the admin. The admin of the cloud account was hacked, and the hackers got access to the cloud from there. In the example above, it also came down to the Global Admin of Azure.

The administrators of cloud accounts have a really large target on them. They must be especially vigilant against phishing and other attacks. There really is no margin for error. So, as a CISA-certified auditor, I would spend a little time making sure the admins are made aware of this in the security policy.
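
As an added example (not code from this blog or from Microsoft), here is one way to check for the exact combination described in the quote above: a Global Admin that is synced from on-premises and has no MFA. The sample records are constructed; the field names `onPremisesSyncEnabled` and `isMfaRegistered` follow Microsoft Graph, while the "critical"/"high" labels and the function name are assumptions of this sketch, which also reports each condition on its own.

```python
"""Audit Global Admins for the pattern in the Storm-0501 quote:
synced from on-premises and lacking MFA. All sample data is constructed."""

GLOBAL_ADMIN = "Global Administrator"

# Constructed exports: role membership, user objects, MFA registration report.
ROLE_MEMBERS = {
    GLOBAL_ADMIN: ["alice@example.com", "svc-sync@example.com", "bob@example.com"],
    "Helpdesk Administrator": ["carol@example.com"],  # not a Global Admin
}
USERS = [
    {"userPrincipalName": "alice@example.com", "onPremisesSyncEnabled": None},
    {"userPrincipalName": "svc-sync@example.com", "onPremisesSyncEnabled": True},
    {"userPrincipalName": "bob@example.com", "onPremisesSyncEnabled": True},
]
MFA_REGISTRATION = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": True},
    # svc-sync has no record at all: treated below as "no MFA".
]


def audit_global_admins(role_members, users, registrations):
    """Return one finding per Global Admin that has at least one issue."""
    synced = {u["userPrincipalName"].lower(): u.get("onPremisesSyncEnabled") is True
              for u in users}
    mfa = {r["userPrincipalName"].lower(): bool(r.get("isMfaRegistered"))
           for r in registrations}
    findings = []
    for upn in role_members.get(GLOBAL_ADMIN, []):
        key = upn.lower()
        issues = []
        if synced.get(key, False):
            issues.append("synced-from-on-prem")
        if not mfa.get(key, False):  # a missing record counts as no MFA
            issues.append("no-mfa")
        if issues:
            severity = "critical" if len(issues) == 2 else "high"
            findings.append({"upn": upn, "issues": issues, "severity": severity})
    # Worst first, then by name so the report order is stable.
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["upn"]))


if __name__ == "__main__":
    for f in audit_global_admins(ROLE_MEMBERS, USERS, MFA_REGISTRATION):
        print(f"{f['severity']:8} {f['upn']:24} {', '.join(f['issues'])}")
```
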

Contact to discuss