Description

Sisense is a company that provides business intelligence (BI) software and analytics solutions, serving over 2,000 global companies across various industry verticals, enabling them to merge, manage, and analyze large volumes of data. On April 10, Sisense notified its customers of a potential security incident, reporting that “certain Sisense company information on a restricted server may have been compromised.” Following this, on April 11, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory urging Sisense customers to reset their credentials and report any suspicious activity. Security analyst Brian Krebs reported that the breach may have originated when attackers accessed Sisense’s GitLab code repository, which subsequently allowed them to reach Sisense’s Amazon S3 buckets in the cloud. Through this access, the threat actors were able to copy and exfiltrate significant amounts of customer data, including millions of access tokens, email account passwords, and SSL certificates. GitLab is an open-source platform for collaborative software development that supports teams in writing, testing, and deploying code. It is believed that the unknown attackers now have credentials used by Sisense customers to access their dashboards.

Actions Taken

A thorough investigation is underway. In the meantime, Sisense has sent its customers specific directions: log everyone out of the Sisense application, have all users reset their passwords, and replace the shared secret. Users are also asked to change their AD/LDAP passwords and rotate their tokens. Because the incident has critical implications for so many companies, CISA is taking an active role, collaborating with private industry partners to respond to it.

Prevention

CISA states that the Sisense incident illustrates how a single breach can expose a multitude of customers through a supply chain attack. It also illustrates the importance of conducting comprehensive due diligence on all your suppliers and requiring insight into their cybersecurity practices and policies. Cybersecurity expectations should be clearly integrated into vendor contracts, especially for vendors with access to your network. These contracts should outline specific security requirements and responsibilities to ensure vendors adhere to stringent security protocols, and should contain a termination clause for suppliers that fail to meet the agreed-upon security standards.

The incident also underscores the importance of robust cloud security measures. For those using S3 storage for sensitive data, it is crucial to employ Identity and Access Management (IAM) policies to control access at the user, group, or role level, while adhering to the principle of least privilege (PoLP) for all permissions. Do not allow public access to your S3 buckets unless absolutely necessary, and use AWS’s built-in encryption so that data stays protected if the bucket is reached by unauthorized users. Be sure to use either AWS or third-party monitoring tools to audit your S3 buckets as well.
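As an added illustration of the S3 controls described above (this is example code written for this briefing, not Sisense’s, CISA’s, or AWS’s own tooling), the script below audits a bucket policy for anonymous principals and wildcard actions, and checks the four S3 Block Public Access settings. The bucket name, account ID, and role name are constructed placeholders; the policy documents are constructed samples of a permissive policy and a least-privilege alternative.

```python
import json

# Constructed sample: the kind of policy that exposes a bucket to the world.
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenToTheWorld",
        "Effect": "Allow",
        "Principal": "*",                      # anonymous access
        "Action": "s3:*",                      # every S3 action
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample: one named role, read-only actions, TLS required.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOnlyForAnalyticsRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})

def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """True when a statement grants access to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def audit_bucket_policy(policy_json):
    """Return findings for Allow statements that are public or violate least privilege."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if is_public_principal(stmt.get("Principal")):
            findings.append(f"{sid}: grants access to anonymous principal '*'")
        if any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", []))):
            findings.append(f"{sid}: grants wildcard S3 actions")
    return findings

def block_public_access_gaps(settings):
    """Return the S3 Block Public Access settings that are not enabled."""
    required = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [name for name in required if not settings.get(name, False)]
```

In a live environment the same functions can be fed the output of the GetBucketPolicy and GetPublicAccessBlock API calls instead of the constructed samples.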

KEEPING YOU INFORMED – HALOCK SECURITY BRIEFING FOR CLIENTS

The HALOCK Security Briefing is a review of significant events, trends, and movements that will influence how you manage cybersecurity, risk, and compliance. Our clients receive periodic overviews with an extensive report file on the topics discussed. This insightful document also includes reference links throughout the report for easy navigation and deeper research. 

ESTIMATING RISK BY INDUSTRY

Estimate risk based on real threat data. Read Appendix D in the 2024 Verizon Data Breach Investigations Report (DBIR) to augment your risk analysis.