‘Twas the night before Christmas, and all through the business, no security professionals were sleeping. Not even the CISO…
The holidays are a happy season for many. For cybersecurity professionals, they have become times of anxiety. Not because of the holidays themselves, but because cyber criminals have learned that launching their attacks while security teams are away on vacation is profitable.
Whether you are a small business or a large company with robust cybersecurity controls, you are in danger because the large, critical vendors that handle your data are likely to come under attack at this time. The United States Cybersecurity and Infrastructure Security Agency (CISA) even recommends increased threat monitoring over holiday weekends!
Once we get back after the new year, it’s only a matter of time before vendors start releasing blog posts and updates disclosing breaches they discovered over the break. The breach of CI/CD vendor CircleCI was one of the most serious of 2022’s holiday season.
Here’s what happened in the CircleCI Breach:
According to CircleCI, an attacker compromised an employee’s machine in mid-December, though the specific method used to compromise the machine was not shared. The attacker deployed malware to steal a session cookie from the employee’s laptop, bypassing the need to steal their password and defeating multi-factor authentication.
To CircleCI’s credit, they took immediate action by alerting affected customers, conducting an internal investigation, and implementing remediation measures to prevent a recurrence of such an incident. If you are using CircleCI you should have rotated any and all secrets stored in CircleCI, and reviewed internal logs for your systems for any unauthorized access starting from December 21, 2022 through January 4, 2023. If you haven’t, you need to do so ASAP!
This was an urgent action item because of the importance CircleCI has in many development pipelines.
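The two action items above (review your logs for the December 21, 2022 through January 4, 2023 window, and rotate every secret that lived in CircleCI) can be turned into a repeatable check. The script below is an added example, not CircleCI’s or Fractional CISO’s own tooling; it assumes a JSON-lines audit log with `ts`, `actor`, `action` and `source_ip` fields (a constructed sample is embedded), an allowlist of expected source IPs, and a record of when each CircleCI-stored secret was last rotated.

```python
"""Check audit logs and secret rotation against the CircleCI exposure window."""
from datetime import datetime, timezone
import json

# Window from CircleCI's advisory; treating the dates as UTC is an assumption.
WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 5, tzinfo=timezone.utc)  # end of January 4 (exclusive bound)

# Constructed sample log; IPs are from RFC 5737 documentation ranges, identities are made up.
SAMPLE_LOG = """\
{"ts": "2022-12-20T09:14:00Z", "actor": "ci-deploy-token", "action": "s3:PutObject", "source_ip": "203.0.113.10"}
{"ts": "2022-12-24T03:02:11Z", "actor": "ci-deploy-token", "action": "s3:ListBuckets", "source_ip": "198.51.100.7"}
{"ts": "2022-12-28T14:45:00Z", "actor": "alice", "action": "iam:CreateAccessKey", "source_ip": "203.0.113.11"}
{"ts": "2023-01-02T22:10:30Z", "actor": "ci-deploy-token", "action": "iam:ListUsers", "source_ip": "198.51.100.7"}
{"ts": "2023-01-06T08:00:00Z", "actor": "ci-deploy-token", "action": "s3:PutObject", "source_ip": "203.0.113.10"}
"""


def parse_ts(value):
    """Parse an ISO 8601 timestamp; the trailing 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_window(ts):
    return WINDOW_START <= ts < WINDOW_END


def flag_events(log_text, ci_identities, known_sources):
    """Events inside the window where a CircleCI-held identity was used from an
    unexpected source. Each one deserves a human look; it is not proof of compromise."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not in_window(parse_ts(event["ts"])):
            continue
        if event["actor"] in ci_identities and event["source_ip"] not in known_sources:
            flagged.append(event)
    return flagged


def needs_rotation(last_rotated):
    """Names of CircleCI-stored secrets whose last rotation predates the end of the window."""
    return sorted(name for name, ts in last_rotated.items() if parse_ts(ts) < WINDOW_END)


if __name__ == "__main__":
    for event in flag_events(SAMPLE_LOG, {"ci-deploy-token"}, {"203.0.113.10"}):
        print("REVIEW:", event["ts"], event["actor"], event["action"], event["source_ip"])
    print("ROTATE:", needs_rotation({"AWS_DEPLOY_KEY": "2022-11-01T00:00:00Z", "NPM_TOKEN": "2023-01-05T12:00:00Z"}))
```

Point `SAMPLE_LOG` at a real export and `known_sources` at your CI runner egress addresses to run it against your own environment.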
What does CircleCI do? 
But first, let’s quickly review the service CircleCI provides for those who are not involved in software development. Its unique role is tied to some of the more unpleasant surprises of the breach.
a lot of companies.
Every cybersecurity incident presents a learning opportunity. There are several lessons we can and should take away from CircleCI’s breach that will better protect you from suffering in the event you or one of your critical vendors is hacked.
4 Lessons to Learn from the CircleCI Breach 
There are four key lessons to be learned from the 2022 CircleCI Breach:
1. Beware of hidden vendors.
2. MFA and SSO aren’t infallible.
3. The holidays are a bad time for cybersecurity.
4. How a vendor responds to a breach matters.
1. Beware of hidden vendors 
At Fractional CISO we have a daily process that involves monitoring and analysis of global security events so that we can quickly inform our clients should any be affected or at-risk.
2. MFA and SSO aren’t infallible 
Multi-Factor Authentication (MFA) and Single Sign-on (SSO) are some of the strongest and most widely used authentication security controls available. While these are often seen as foolproof security measures, all of the data that was exfiltrated during the CircleCI breach was supposed to be protected by both MFA and SSO.
This is why simply implementing security controls is not sufficient for protecting yourself from the sophisticated threats that we are seeing today. It’s also vital to ensure that the people using or interacting with the controls are aware of them and trained appropriately.
3. The holidays are a bad time for cybersecurity
It seems like we can’t have a holiday without a half dozen major breaches occurring. 
The timing of the CircleCI breach serves as a reminder that cyber criminals love to strike during the holiday season. Most people will want to kick their feet up and toss security to the side when enjoying the holidays. However, companies need to remain vigilant and continue to monitor their environment more closely during this time.
4. How vendors react to cybersecurity incidents matters
CircleCI deserves credit for taking immediate action to investigate and remediate the breach, along with their prompt and thorough notifications, which were updated continuously as more information became available. Compare CircleCI’s breach notification page with LastPass’s security breach notification. CircleCI was more forthright about the severity of the breach, gave frequent updates, and provided simple, easy-to-follow action steps.
LastPass meanwhile buried the severity of their breach (in which all of their customers’ password vaults were stolen), and didn’t bother notifying anybody of this until Thursday, December 22. This was the last business day before most people left for their Christmas holiday weekend! LastPass, you were supposed to protect us from attackers, not join them!
A vendor’s response to an incident is an indicator of how seriously they take cybersecurity, and should be a crucial consideration when selecting a third-party vendor. We are advising our clients who use LastPass to drop it and select an alternative password management vendor.
Conclusion on the CircleCI Breach 
The CircleCI breach serves as a strong reminder that businesses need to be aware of the risks their third-party vendors expose them to. A strong vendor management program is essential to managing this risk, and is required for SOC 2 and ISO 27001 compliance to boot.
Every security breach has its own lessons to teach. Many of them are applicable to everybody. Failure to learn from them will leave you more likely to suffer the same sort of attack in the future. It is far better to learn from what happens to others than to learn from experience yourself.