Non-human access has emerged as a significant vulnerability in cyber attacks, particularly in relation to API keys and tokens. These access credentials lack essential security measures, making them susceptible to exploitation. This type of access can be categorized as external or internal, depending on how it is established. Recent high-profile attacks on companies like Okta [3], GitHub [1] [3], Microsoft [1] [3], Slack [1] [2] [3] [4], and CircleCI have highlighted the risks associated with non-human access, resulting in data breaches and supply chain attacks [2] [4]. Furthermore, the adoption of GenAI tools and services has further exacerbated this issue [1] [2] [3] [4], as they introduce additional security threats to enterprises. To address these risks, it is crucial to implement proper security measures and policies to protect non-human identities and their access credentials.
Description
In 2023, non-human access has become a significant attack vector in cyber attacks [1] [2] [3] [4]. API keys and tokens [2] [4], which are non-user access credentials, are particularly vulnerable due to their lack of security measures [2] [4], such as multi-factor authentication [2], and their tendency to be over-permissive and never-revoked. This type of access can be classified into two categories – external and internal. External access occurs when employees connect third-party tools and services to core business environments [1] [3] [4], while internal access is established using internal access credentials or secrets [1] [3] [4]. Notably, high-profile attacks on companies like Okta [3], GitHub [1] [3], Microsoft [1] [3], Slack [1] [2] [3] [4], and CircleCI have demonstrated the exploitation of these non-human access credentials, resulting in data breaches and supply chain attacks [2] [4]. The adoption of GenAI tools and services has further exacerbated the issue of non-human access [2] [3] [4]. The security risks associated with connecting unvetted GenAI apps to business systems have become a major concern [2], as Gartner has identified the use of generative AI and chat interfaces as expanding attack surfaces and security threats to enterprises [2]. To mitigate the risks of supply chain attacks, data breaches [1] [2] [3] [4], and compliance violations [1] [2] [3], it is crucial to implement proper security measures and policies to protect non-human identities and their access credentials.
Conclusion
The impact of non-human access on cybersecurity cannot be underestimated. The exploitation of API keys and tokens has led to significant data breaches and supply chain attacks, affecting companies across various industries. Additionally, the adoption of GenAI tools and services has introduced new security threats to enterprises. To address these risks, organizations must prioritize the implementation of robust security measures and policies to safeguard non-human identities and their access credentials. Failure to do so can result in severe consequences, including compliance violations and reputational damage. As technology continues to evolve, it is essential to stay vigilant and adapt security practices to mitigate future threats posed by non-human access.
References
[1] https://thehackernews.com/2023/12/non-human-access-is-path-of-least.html
[2] https://www.ihash.eu/2023/12/non-human-access-is-the-path-of-least-resistance-a-2023-recap/
[3] https://owasp.or.id/2023/12/12/non-human-access-is-the-path-of-least-resistance-a-2023-recap/
[4] https://flyytech.com/2023/12/12/non-human-access-is-the-path-of-least-resistance-a-2023-recap/
