With so many SaaS applications, many configuration options, API capabilities, endless integrations and connections between applications, the SaaS risk possibilities are endless. Critical organizational assets and data are at risk from attackers, data breaches and insider threats, creating a host of challenges for security teams.
Misconfigurations are silent killers that lead to serious vulnerabilities.
So how can CISOs reduce the noise? Which misconfiguration should security teams focus on first? Here are five major SaaS configuration mistakes that can lead to a security breach.
#1 Misconfiguration: Support administrators have excessive privileges
- Risk: Support teams have access to sensitive account-management functions, which makes them prime targets for attackers. Attackers exploit this by convincing support staff to reset MFA for privileged users, gaining unauthorized access to mission-critical systems.
- Impact: A compromised help desk account can lead to unauthorized changes to administrator-level functions, giving attackers access to critical data and business systems.
- Action: Limit help desk privileges to basic user-management tasks and reserve settings changes for administrators.
Use case: MGM Resorts cyber attack. In September 2023, MGM Resorts International was the target of a sophisticated cyber attack. The attackers, believed to be part of a cybercriminal group known as Scattered Spider (also called Roasted 0ktapus or UNC3944), used social engineering to penetrate MGM’s defenses.
#2 Misconfiguration: MFA is not enabled for all Super Administrators
- Risk: Super administrator accounts without MFA are a prime target for attackers because of their elevated access rights. If MFA is not enforced, attackers can use weak or stolen credentials to compromise these critical accounts.
- Impact: A successful compromise of a super administrator account can give an attacker complete control over an organization’s entire SaaS environment, leading to potential data breaches and business and reputational damage.
- Action: Enable MFA for all active Super Administrators to add an extra layer of protection for these high-privilege accounts.
#3 Misconfiguration: Legacy authentication is not blocked by Conditional Access
- Risk: Legacy protocols such as POP, IMAP and SMTP are still commonly used in Microsoft 365 environments, but they do not support MFA. Without a Conditional Access policy that blocks them, attackers can sidestep MFA and reach sensitive systems.
- Impact: These outdated protocols leave accounts more vulnerable to credential-based attacks such as brute-force attacks or phishing.
- Action: Enable Conditional Access to block legacy authentication and enforce modern, more secure authentication methods.
#4 Misconfiguration: The number of super admins is not within the recommended limits
- Risk: Super admins manage important system settings and effectively have unlimited access across workspaces. Too many super admins increases the exposure of sensitive controls; too few creates the operational risk of losing access to critical business systems.
- Impact: Unrestricted access to critical system settings can lead to catastrophic changes or loss of control over security configurations, resulting in a security breach.
- Action: Maintain 2-4 super admins (excluding break-glass accounts) for security and continuity, in line with CISA’s SCuBA guidelines.
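As an added example (not code from the article or from Wing Security), the following Python script evaluates checks #2, #3 and #4 against a constructed tenant snapshot; the field names follow the shape of Microsoft Graph Conditional Access objects, but the accounts and policies are made up, and in practice the inventory would be pulled from Microsoft Graph.

```python
# Added example (not from the original article): checks misconfigurations #2-#4 against a
# constructed snapshot of a Microsoft 365 tenant. Field names mirror Microsoft Graph's
# conditionalAccessPolicy shape; the accounts and policies themselves are made up.

MIN_SUPER_ADMINS, MAX_SUPER_ADMINS = 2, 4            # recommended range (article / SCuBA)
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}  # CA client types for legacy auth

# Constructed super-admin inventory: MFA registration state plus a break-glass tag
ADMINS = [
    {"upn": "alice@example.com", "mfa_registered": True,  "break_glass": False},
    {"upn": "bob@example.com",   "mfa_registered": False, "break_glass": False},
    {"upn": "bg-01@example.com", "mfa_registered": True,  "break_glass": True},
]

# Constructed Conditional Access policies; note the legacy-auth block is report-only
CA_POLICIES = [
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
]

def super_admins_without_mfa(admins):
    # #2: every active super admin must have MFA registered
    return [a["upn"] for a in admins if not a["mfa_registered"]]

def legacy_auth_blocked(policies):
    # #3: only an *enabled* policy that blocks both legacy client types counts;
    # report-only mode logs what would happen but enforces nothing
    for p in policies:
        enforced = p["state"] == "enabled" and "block" in p["grantControls"]["builtInControls"]
        if enforced and LEGACY_CLIENT_APP_TYPES <= set(p["conditions"]["clientAppTypes"]):
            return True
    return False

def super_admin_count_in_range(admins):
    # #4: count super admins excluding break-glass accounts; 2-4 is the target
    n = sum(1 for a in admins if not a["break_glass"])
    return MIN_SUPER_ADMINS <= n <= MAX_SUPER_ADMINS, n

def audit(admins=ADMINS, policies=CA_POLICIES):
    # collect the three findings into one report
    in_range, n = super_admin_count_in_range(admins)
    return {"super_admins_without_mfa": super_admins_without_mfa(admins),
            "legacy_auth_blocked": legacy_auth_blocked(policies),
            "super_admin_count": n, "super_admin_count_in_range": in_range}
```

On the sample data the report flags one admin without MFA and a legacy-auth policy that is still in report-only mode, while the admin count (two, with the break-glass account excluded) is within range.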
#5 Misconfiguration: Google Groups (Join / View / Post) settings
- Risk: Improperly configured Google Groups settings can expose sensitive data shared through Google Workspace to unauthorized users. This also increases insider risk, where a legitimate user can intentionally or unintentionally leak or misuse data.
- Impact: Confidential information, such as legal documents, can be accessed by anyone in the organization or by outside parties, increasing the risk of insider abuse or data leakage.
- Action: Ensure that only authorized users can view and access group content, to prevent accidental exposure and reduce the risk of insider activity.
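As an added example (not from the article or from Wing Security), this Python check flags groups whose join, view or post settings reach beyond the membership; the setting names and values follow the Google Groups Settings API, while the three sample groups are constructed.

```python
# Added example (not from the original article): flags Google Groups whose
# join / view / post settings expose content beyond the group's members.
# Setting names and values follow the Groups Settings API; the group data is constructed.

# Values that let people outside the membership join, read or post
OVERLY_OPEN = {
    "whoCanJoin":        {"ANYONE_CAN_JOIN", "ALL_IN_DOMAIN_CAN_JOIN"},
    "whoCanViewGroup":   {"ANYONE_CAN_VIEW", "ALL_IN_DOMAIN_CAN_VIEW"},
    "whoCanPostMessage": {"ANYONE_CAN_POST", "ALL_IN_DOMAIN_CAN_POST"},
}

# Constructed sample: one restricted group, one company-wide, one open to the internet
GROUPS = [
    {"email": "legal@example.com",
     "whoCanJoin": "INVITED_CAN_JOIN", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
     "whoCanPostMessage": "ALL_MEMBERS_CAN_POST"},
    {"email": "finance@example.com",
     "whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN", "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
     "whoCanPostMessage": "ALL_MEMBERS_CAN_POST"},
    {"email": "support@example.com",
     "whoCanJoin": "CAN_REQUEST_TO_JOIN", "whoCanViewGroup": "ANYONE_CAN_VIEW",
     "whoCanPostMessage": "ANYONE_CAN_POST"},
]

def open_settings(group):
    # return the (setting, value) pairs that grant access beyond the members
    return [(k, group[k]) for k, bad in OVERLY_OPEN.items() if group.get(k) in bad]

def severity(findings):
    # "external" if the public internet is let in, "internal" if domain-wide, else "ok"
    values = {v for _, v in findings}
    if any(v.startswith("ANYONE_") for v in values):
        return "external"
    return "internal" if values else "ok"

def audit_groups(groups=GROUPS):
    # map each group address to its severity and the settings that caused it
    report = {}
    for g in groups:
        f = open_settings(g)
        report[g["email"]] = {"severity": severity(f), "settings": f}
    return report
```

Domain-wide settings are reported as "internal" rather than ignored, because for groups carrying legal or financial material that is exactly the exposure the article describes.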
Promptly identifying and correcting SaaS misconfigurations saves organizations from catastrophic events that affect business continuity and reputation, but it is not a one-time project. Because SaaS applications change constantly, identifying and correcting these misconfigurations must be continuous. SaaS security platforms such as Wing Security quickly identify and prioritize potential risks and help you eliminate them on an ongoing basis.
Based on CISA’s SCuBA guidelines, the Wing Configuration Center cuts through the noise and highlights the most critical misconfigurations, offering clear and actionable steps to resolve them. Real-time monitoring, compliance tracking, and an audit trail ensure that an organization’s SaaS environment remains secure and compliance-ready.
By centralizing the management of your SaaS configurations, Wing Security helps prevent the serious security lapses that critical misconfigurations can lead to. Get a SaaS Security Risk Assessment of your organization’s SaaS environment today to take control of your misconfigurations before they lead to critical data breaches.