Brett Winterford

Catch-All's and Canary Rules

Okta Identity Engine offers admins the ability to vary authentication flows to applications based on everything from group membership, device management, device posture, network zones, risk evaluation, user behaviour and more. Generally speaking, the more context evaluated at the point of access, the better the security outcome. That’s what this whole zero trust journey is about: all the stars should align before a legitimate user can access a sensitive resource. The flip-side of this is that...


User Sign-in and Recovery Events in the Okta System Log

During a security incident, it's critical that SOC analysts (or Okta admins) can rapidly identify all activity associated with a suspicious session, user or IP.  We are often asked to provide some sort of "cheat sheet" for new analysts that are unfamiliar with the extensive library of events available in Okta's Event Library. The following blog post re-publishes a support article that offers a few of these shortcuts. Okta Security will be following up this article with a post on events...


Okta Code Repositories

SUMMARY: In alignment with our core value of transparency, we are sharing context and details around a recent security event affecting Okta code repositories. There is no impact to any customers, including any HIPAA, FedRAMP or DoD customers. No action is required by customers. SCOPE: The security event detailed below pertains to Okta Workforce Identity Cloud (WIC) code repositories. It does not pertain to any Auth0 (Customer Identity Cloud) products. EVENT: In early December 2022, GitHub...

Brett Winterford and Defensive Cyber Operations

Detecting Real-Time Phishing Attacks

In the last two installments in our series on phishing resistance, we discussed phishing resistant authenticators and how to gather signals about phishing lures directly from your users. Now let’s drill down into detection and response: what signals does Okta’s System Log provide that are indicative of in-flight phishing campaigns? Okta’s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers...


Okta’s Response to OpenSSL Security Update

The OpenSSL Project has announced the availability of a security update (version 3.07) that addresses a vulnerability affecting OpenSSL versions 3.0 and above (3.0.0 - 3.0.6). The two CVE’s are listed below: CVE-2022-3602 CVE-2022-3786 Response Okta’s engineering teams have applied patches and other mitigations, where required. Customer Guidance For both CVEs, the severity level has been listed as “high” and the following information has been made available: OpenSSL versions 3.0.0 to...

Chris Niggel and Brett Winterford

Monitoring for Abuse of Administrative Privileges

All applications require a highly-privileged administrator role to deploy and maintain that application. The monitoring and oversight (audit) of actions performed by users with these roles is a cornerstone of any well-designed security program. A number of research projects have highlighted ways in which the most privileged administrators in Okta could, if unchecked, abuse their privilege in some way. These research efforts serve to reinforce some long-held security principles: most notably...

David Bradbury

System Log: a Window into Supporting the Okta Cloud

Transparency is a core value at Okta. In April 2022, Okta committed to a range of initiatives that aim to drive greater transparency in how we respond to security incidents. One of those commitments was to provide our customers with insights into all the things our customer support teams do behind the scenes to deliver the unrivaled experience that is the Okta Identity Cloud. Under 2.6 in our Security Action Plan: “Okta will enhance the Okta System Log so that every customer support...

Brett Winterford

The Human Factor in Phishing Resistance

In the wake of recent security events at Uber and Twilio, organizations are understandably interested in pivoting to authenticators that offer the most resistance to phishing attacks. In this second part of our series on phishing resistance, we consider the human element. All organizations should aspire to a state in which technical and operational controls reduce the burden on end users to identify and respond appropriately to social engineering. Large numbers of Okta customers are pivoting...


Auth0 Code Repository Archives From 2020 and Earlier

Notification of Auth0 Code Repository Archives Security Event: No Customer Action Required, Auth0 Fully Operational. In alignment with our core value of transparency, we are communicating about a recent security event related to certain Auth0 archival code repositories; there is no impact to customer data. This does not impact any other Okta products.

Page 1 of 8