Securing the Salesforce.com Admins

Top threats facing the administrators of the world’s largest sales and marketing cloud


Think about it…Salesforce.com admins have access to some of the company’s most precious data—customer records, product roadmaps, pricing details, and much, much more. It makes sense that they would be a primary target for an attacker looking to acquire sensitive business information located inside the many Salesforce.com clouds. The users of that data are targets too.

There are many ways for malicious users to gain access to the data. The list below covers just a few of the top threats facing Salesforce.com environments:

  • Social Engineering: Attackers could easily mine public data—such as information found on LinkedIn—to identify and then establish a rapport with a Salesforce.com developer or administrator. They could use the information and social connection to phish a team or spearphish a specific team member.
  • Password Harvesting: Another method an attacker could use is one of password guessing or password harvesting. “Attackers can easily get half of the admin’s credentials to Salesforce.com by looking at the admin’s LinkedIn profile to sniff out their email address,” said Kyle Watson, Senior Trust Instructional Architect at Salesforce.com during his presentation at Dreamforce 2015. “All that’s left to figure out is the other half of the credentials…the password.” This can be easily done using guessing techniques, harvesting techniques, and even brute force techniques.
  • Infected Media Devices: Another easy way for attackers to gain access to systems and credentials is to install malware on a small removable thumb drive and hand it out at a conference. Once the thumb drive is used, a keystroke logger could be launched, monitoring the admin’s every pressed key—such as their Salesforce.com login. “Would you accept and use a thumb drive from a vendor at Dreamforce?” Watson asked his audience. The number of hands raised showed they would.
  • Advanced Attacks: When all else fails, attackers can take advantage of other successful breaches they’ve conducted within the company, perform some additional reconnaissance to move laterally around the network, and re-use credentials they’ve captured from other systems to log in to Salesforce.com. This is harder than social engineering or logging a password away from an admin, but still worthwhile if they can get their hands on the company’s crown jewels.

While the threat of advanced attacks requires a security program beyond what is covered in this article, there are a number of protection measures for the rest of the list above that can be implemented by the IT security team and the Salesforce.com admins and users they support. The following advice was provided by Watson during his presentation at Dreamforce 2015.

  • Follow Best Practices: Use strong passwords, use a password safe to store credentials, leverage two-factor authentication, and put IP range restrictions in place to prevent logins from unauthorized locations. “Be sure to limit exposure of employee information on public sites such as LinkedIn,” Watson added.
  • Provide Security Training: All employees need to be trained to report on suspicious activity witnessed in their Salesforce.com accounts—unrecognized changes to records, access to reports, and deletion of data could all point to an unauthorized user taking advantage of someone’s account credentials.
  • Phish Your Employees: One of the best ways to get employees and admins aware of the risk of being phished is to actually put a phishing campaign in front of them to see what they do. “Make your phishing campaigns specific to your company,” said Watson. “Get employee pictures and make the emails look the same as they would normally receive,” he suggested.
  • Don’t Be A Hero: Leave the investigation and incident response to the security and legal teams. An employee or admin who thinks they’ve caught a phisher red-handed and decides to respond to the ‘obvious’ phishing campaign could, in fact, become a victim of that campaign. There could be legal ramifications as well; unofficial investigations could damage the evidence or even tie the person to the event, potentially flagging them as an insider involved in the theft. “Being a hero could lead you to being the victim—don’t be a hero,” said Watson.

Understanding the threats and following these few simple pieces of advice should reduce the risk faced by most Salesforce.com environments, their admins, and their users.