Why “Putting All Your Eggs in One Basket” is Often Better Than Not Having a Basket at All

The Case of the Okta Breach

In the world of cybersecurity, the phrase “don’t put all your eggs in one basket” is often thrown around as a cautionary tale. The idea is to diversify your security measures to minimize the risk of a single point of failure. However, the recent Okta breach serves as a compelling counter-argument: sometimes, putting all your eggs in one basket is better than not having a basket at all.

The Okta Breach: What Happened?

According to Okta, the intrusion was confined to its customer support case management system, which is separate from the production Okta service. It did expose customer data (live session tokens sitting in files customers had uploaded to support), but the scope was limited. Bad, sure, but the sky didn’t fall. Okta reports that roughly 1% of its customers were affected. Not a great number, but not devastating.

  1. Stolen Credentials: The attacker used stolen credentials to sign in to Okta’s support case management system. How those credentials were obtained has not been stated, but credentials are routinely phished or harvested by infostealer malware.
  2. Digging for HAR Files: With that access, the attacker searched recent support cases for HTTP Archive (HAR) files. A HAR file is a recording of a browser session’s network traffic: every request and response, headers included. Okta support asks customers to upload them to troubleshoot login problems, and unless the customer scrubs them first they contain the session cookies and bearer tokens that were in flight when the recording was made.
  3. Session Cookies: The attacker pulled session cookies out of the HAR files and replayed them to hijack the Okta administrator sessions of the customers who had uploaded them. BeyondTrust and Cloudflare were among the targets, but both detected the activity and revoked the sessions quickly.
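The practical lesson from step 2 is that a HAR file should never leave your network with live credentials in it. The script below is an added example (not Okta’s tooling or anything from the original post) that scans a HAR for the places session material hides and redacts it before the file goes to a support engineer. The HAR structure is the standard one (`log.entries[].request/response` with `headers`, `cookies`, `queryString`, `postData` and `content`); the list of sensitive header names and token-like JSON keys is an assumption you should extend for your own applications, and the sample HAR with its dummy tokens is constructed for the demonstration.

```python
"""Find and redact session cookies and tokens in a HAR file (added example).

Scans the standard HAR layout: log.entries[] -> request/response ->
headers, cookies, queryString, postData, content. Anything here that
identifies a live session can be replayed by whoever reads the file.
"""
import copy
import json
import re

# Headers that carry credentials or session identifiers (assumption: extend as needed).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-csrf-token", "x-xsrf-token"}
# Query-string / JSON keys commonly used for tokens and secrets (assumption).
SENSITIVE_KEYS = {"token", "access_token", "id_token", "refresh_token",
                  "code", "session", "sessionToken", "password"}
REDACTED = "[REDACTED]"

# Constructed sample: a login request whose response sets a session cookie and
# returns a session token, followed by an admin page request replaying both.
SAMPLE_SECRETS = ["hunter2", "102Abc0SESSIONCOOKIE", "eyJBEARERTOKEN", "20111SESSIONTOKEN"]
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "POST", "url": "https://idp.example.com/api/v1/authn",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "cookies": [], "queryString": [],
                 "postData": {"mimeType": "application/json",
                              "text": '{"username":"alice","password":"hunter2"}'}},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie",
                               "value": "sid=102Abc0SESSIONCOOKIE; Path=/; HttpOnly; Secure"}],
                  "cookies": [{"name": "sid", "value": "102Abc0SESSIONCOOKIE"}],
                  "content": {"mimeType": "application/json",
                              "text": '{"status":"SUCCESS","sessionToken":"20111SESSIONTOKEN"}'}}},
    {"request": {"method": "GET", "url": "https://idp-admin.example.com/admin/dashboard",
                 "headers": [{"name": "Cookie", "value": "sid=102Abc0SESSIONCOOKIE"},
                             {"name": "Authorization", "value": "Bearer eyJBEARERTOKEN"}],
                 "cookies": [{"name": "sid", "value": "102Abc0SESSIONCOOKIE"}],
                 "queryString": []},
     "response": {"status": 200,
                  "headers": [{"name": "Content-Type", "value": "text/html"}],
                  "cookies": [],
                  "content": {"mimeType": "text/html", "text": "<html>dashboard</html>"}}},
]}}


def _bodies(entry):
    """Yield the dicts that hold free-text bodies: request postData and response content."""
    post = entry.get("request", {}).get("postData")
    if post is not None:
        yield "request.postData", post
    content = entry.get("response", {}).get("content")
    if content is not None:
        yield "response.content", content


def find_secrets(har):
    """Return (entry_index, location, name) for every sensitive item found."""
    hits = []
    for i, entry in enumerate(har["log"]["entries"]):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    hits.append((i, f"{side}.headers", h["name"]))
            for c in part.get("cookies", []):
                hits.append((i, f"{side}.cookies", c["name"]))
        for q in entry.get("request", {}).get("queryString", []):
            if q["name"] in SENSITIVE_KEYS:
                hits.append((i, "request.queryString", q["name"]))
        for where, body in _bodies(entry):
            for key in SENSITIVE_KEYS:
                if re.search(rf'"{key}"\s*:', body.get("text", "")):
                    hits.append((i, where, key))
    return hits


def sanitize_har(har):
    """Return a deep copy of the HAR with every sensitive value replaced by REDACTED."""
    out = copy.deepcopy(har)
    for entry in out["log"]["entries"]:
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            for c in part.get("cookies", []):
                c["value"] = REDACTED          # cookie values are always session-bearing enough to drop
        for q in entry.get("request", {}).get("queryString", []):
            if q["name"] in SENSITIVE_KEYS:
                q["value"] = REDACTED
        for _, body in _bodies(entry):
            if "text" in body:
                for key in SENSITIVE_KEYS:     # "key":"value" -> "key":"[REDACTED]"
                    body["text"] = re.sub(rf'("{key}"\s*:\s*")[^"]*(")',
                                          rf'\g<1>{REDACTED}\g<2>', body["text"])
    return out


def leaked(har, values):
    """Return which of the given secret strings still appear anywhere in the serialized HAR."""
    blob = json.dumps(har)
    return [v for v in values if v in blob]


if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_HAR):
        print("found", hit)
    clean = sanitize_har(SAMPLE_HAR)
    print("still leaking after sanitize:", leaked(clean, SAMPLE_SECRETS))
```

Run `find_secrets` first so the person sending the file sees what was in it; the name-based header check is cheap and catches the cookie and bearer header replayed in the Okta incident, while the body regex only catches keys you have listed, so review anything it did not recognise before uploading.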

The Argument for a Single Basket

Clearly, losing the “master key” is going to be a problem. But if you have no system for keeping track of passwords, you will end up either reusing one password everywhere or writing them all down somewhere unprotected (a notebook, a spreadsheet, a notes app). Both of those lead to higher risk and faster compromise. In terms of company keys, that is like cutting one key that opens every door, or leaving all the keys in an unlocked box. A password manager at least puts all your keys in a locked safe.

I’d agree it’s not perfect, and an AES-encrypted spreadsheet kept offline can be about as secure as a vault, but it is only as strong as the passphrase protecting it and it is not really usable when working across devices. The ultimate solution is not using any system…ever.

What Centralized Password Managers Offer

Centralized Monitoring

When you centralize authentication, as with Okta’s SSO, you can monitor activity far more effectively: every login and every administrative action lands in one log. Both BeyondTrust and Cloudflare detected the hijacked sessions quickly because all of their identity activity flowed through that one system, whose logs they were already watching.
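What “watching one log” looks like in practice, as an added example that is not from the original post and is not BeyondTrust’s or Cloudflare’s detection logic: a replayed session cookie shows up as an existing session suddenly coming from a different network and a different client. The event shape below (one dict per request with session id, source IP, user agent and action) is an assumption standing in for whatever your identity provider’s system log emits, and the events themselves are constructed. The rule alerts when both fingerprints change, or when either changes together with a privileged action, so an ordinary VPN hop on the same device stays quiet.

```python
"""Flag session tokens replayed from a client other than the one they were issued to (added example).

Assumptions: events arrive in time order; the first sighting of a session id
defines its legitimate client; a /24 is a crude stand-in for an ASN lookup.
"""
from dataclasses import dataclass
import ipaddress

# Actions that should never be accepted from a session whose client has changed (assumption).
PRIVILEGED_ACTIONS = {"admin.user.create", "admin.policy.update",
                      "admin.app.create", "admin.token.create"}


@dataclass
class Alert:
    session: str
    user: str
    action: str
    reasons: list


def same_network(ip_a, ip_b, prefix=24):
    """True if ip_b lies in the same /prefix network as ip_a."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def detect_session_replay(events):
    """Return an Alert for every request that looks like a replayed session."""
    origin = {}   # session id -> first event seen for it
    alerts = []
    for ev in events:
        sid = ev["session"]
        first = origin.setdefault(sid, ev)
        if first is ev:
            continue  # first sighting establishes the baseline client
        changed = []
        if not same_network(first["ip"], ev["ip"]):
            changed.append(f"network changed {first['ip']} -> {ev['ip']}")
        if ev["ua"] != first["ua"]:
            changed.append(f"user agent changed {first['ua']!r} -> {ev['ua']!r}")
        privileged = ev["action"] in PRIVILEGED_ACTIONS
        # Both fingerprints moved, or one moved and the session is now doing admin work.
        if len(changed) == 2 or (changed and privileged):
            reasons = changed + ([f"privileged action {ev['action']}"] if privileged else [])
            alerts.append(Alert(sid, first["user"], ev["action"], reasons))
    return alerts


MAC_UA = "Mozilla/5.0 (Macintosh) Chrome/118"
WIN_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/118"

# Constructed events using RFC 5737 documentation address ranges.
SAMPLE_EVENTS = [
    {"ts": "2023-10-18T14:02:10Z", "session": "s-alice-1", "user": "alice",
     "ip": "203.0.113.10", "ua": MAC_UA, "action": "session.start"},
    # Same office /24, same browser: DHCP lease change, not an alert.
    {"ts": "2023-10-18T14:05:31Z", "session": "s-alice-1", "user": "alice",
     "ip": "203.0.113.25", "ua": MAC_UA, "action": "app.view"},
    {"ts": "2023-10-18T14:06:02Z", "session": "s-bob-1", "user": "bob",
     "ip": "198.51.100.8", "ua": WIN_UA, "action": "session.start"},
    # Bob joins a VPN: new network, same device, unprivileged action, not an alert.
    {"ts": "2023-10-18T14:09:47Z", "session": "s-bob-1", "user": "bob",
     "ip": "192.0.2.44", "ua": WIN_UA, "action": "app.view"},
    # Alice's cookie replayed from elsewhere by a script that creates an admin user.
    {"ts": "2023-10-18T15:41:19Z", "session": "s-alice-1", "user": "alice",
     "ip": "192.0.2.201", "ua": "python-requests/2.31", "action": "admin.user.create"},
]


if __name__ == "__main__":
    for a in detect_session_replay(SAMPLE_EVENTS):
        print(f"ALERT session={a.session} user={a.user} action={a.action}")
        for r in a.reasons:
            print("   ", r)
```

The response to such an alert is the one both affected companies took: revoke the session at the identity provider, which invalidates the cookie everywhere at once, then rotate whatever the session could have touched.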

Streamlined Remedial Action

In the event of a breach, time is of the essence. A centralized system allows for quicker and more coordinated remedial action. In the Okta case, the affected companies could act swiftly because everything hung off a single point of control: revoke the hijacked sessions and rotate credentials there, and the attacker is locked out of every connected application at once.

Easier to Update and Maintain

A centralized system is easier to update and maintain. When a vulnerability is discovered, you patch it in one place and every application behind the SSO gets the fix at once. This is far more efficient than updating multiple systems, each with its own quirks and complexities.

Easier to Use

This is the big one for me and likely for 99% of people out there. Once you get used to using a password manager, it is fairly easy. I find it easier than remembering all those passwords! Plus, I know that each system password is unique and complex. Fifteen or more characters of randomly generated text carries well over 90 bits of entropy, far beyond any offline brute-force effort (even a large quantum computer running Grover’s search would only halve that bit strength), so I’m comfortable that one company breach won’t sink the ship.

Conclusion

The Okta breach is bad. Not only is it a leak of sensitive data; it is a loss of faith in a technology that matters. The benefits of a centralized security system are still valid. By focusing on a single, robust solution and taking the necessary precautions, companies can actually benefit from “putting all their eggs in one basket.” After all, it’s often better to have a well-guarded basket than to have no basket at all.


Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.
