Industry Insights with Glenn Chisholm


Abusing HR Self-Service for Crime and Profit

How Financially Motivated Attackers are Exploiting the HCM Self-Service Model

Identifying an Active Exploit


As a leading provider of threat and posture management for SaaS, Obsidian Security protects companies from account compromise, insider threats, misconfigurations, and over-privileged users. We regularly aggregate information from our platform for the benefit of our customers.

Over the last few months, Obsidian has seen an increase in the number of attacks against Workday, and the same techniques are likely being used against other human capital management (HCM) systems as well. These aren’t major newsworthy breaches, but rather unsophisticated, low-effort attacks built for maximum return and easy reproduction. They’re highly successful and rely upon the unique interplay of access, security, and risk in HR tools.

SaaS HCM systems have made it easier for companies and employees to access and manage HR data, including a wealth of personally identifiable information (PII) which can be instantly and easily modified. Address changes, leave requests, tax documents, benefits—all of these can be reviewed and updated by employees. Unfortunately, as is the case with most systems containing sensitive data, there are those who look to exploit modern conveniences for personal gain.

Understanding the motivations of the attackers and their targets allows companies to build proactive HCM security strategies, layered defenses, and comprehensive response plans.

Abuse of HCM Platforms

Security teams defend in layers out of necessity. They understand where the most significant amount of confidential and sensitive information is stored, who has the most access to that information, and then protect from there outwards. This methodology allows for risk reduction and optimal allocation of scarce resources to ensure employees and customers are protected.

The HCM self-service model presents a unique challenge: a single employee only has access to their own data, so the compromise of any one account looks low in both risk and impact. A financially motivated attacker exploits exactly that assumption.

  • Individual accounts are low-risk and not closely monitored as they contain only a single user’s data.
  • HR self-service actions by employees are infrequent. As such, detections are more complex and require nuance as patterns and behaviors are stochastic.
  • In any large organization, while changes by individual employees are infrequent, the collective action of changing bank accounts, updating addresses, and adding dependents is common. This means individual changes are hard to track and are expected.

In these HCM account compromise campaigns, Obsidian sees primarily phishing attacks against employees to steal session tokens or credentials. Once they gain access, attackers typically undertake multiple financially motivated actions:

  • Change bank details and divert paychecks to accounts they control
  • Steal a W-2 in order to file fraudulent tax returns
  • Commit identity theft and sell the stolen PII

These individual activities can quickly add up to a significant sum. Just ten accounts with an average paycheck of $2,500 per period becomes $25,000 every two weeks and $600,000 annually. This attack is easy to reuse and rarely detected before the money is deposited.

Security teams are oftentimes blind when protecting HCM systems, with no insight or control because of privacy concerns around PII. They’re forced to request information from the application administrators—typically finance or HR teams—as needed. Even security teams with access struggle with HCM interfaces designed primarily for users’ productivity rather than investigation. This fundamental disconnect leaves you susceptible to breach, opening your employees and company to substantial loss.

Steps to Protect HCM Platforms

With a clear understanding of the tactics and motivations of attackers, your security team can take a number of steps toward enhanced HCM security.

  • Continuously analyze user behavior and client details against a baseline to detect malicious activity consistent with account compromise
  • Monitor third-party integrations into HCM platforms to prevent lateral movement through connected applications
  • Optimize application configurations while detailing how changes will impact your users and preventing drift
  • Reduce instances of over-privilege within HCM platforms in order to reduce the blast radius of a potential breach
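The first of these steps, baselining user behavior and client details, is the one that addresses the detection problem described earlier: any single payroll change is expected and hard to judge, so the signal has to come from context around the change and from correlation across accounts. The script below is an added illustration, not Obsidian's product logic and not a Workday API; the audit-event shape, field names, the baseline cutoff date and the three rules are all assumptions chosen for the example, and the events are constructed sample data. It flags a payment-election change made from a client fingerprint (IP and user agent) the employee has never logged in from, a destination account shared by more than one employee, and one client fingerprint changing bank details for several employees.

```python
"""Baseline-driven detection of payroll-diversion patterns in HCM audit events.

Added example: the event format, field names, cutoff date and thresholds are
assumptions for illustration, not Obsidian's code or a Workday export format.
"""
from collections import defaultdict
from datetime import datetime

# Assumed: events dated before this are the "known good" baseline period.
BASELINE_CUTOFF = datetime(2023, 3, 1)

# Constructed sample events in a simplified, hypothetical audit-log shape.
# "payment_election_change" stands in for an employee editing direct-deposit details.
EVENTS = [
    # Baseline period: each employee's usual client
    {"ts": "2023-02-01T09:00:00", "user": "alice", "action": "login", "ip": "10.1.1.5", "ua": "Chrome/Windows"},
    {"ts": "2023-02-02T09:00:00", "user": "bob", "action": "login", "ip": "10.1.1.9", "ua": "Firefox/macOS"},
    {"ts": "2023-02-03T09:00:00", "user": "carol", "action": "login", "ip": "10.1.1.7", "ua": "Chrome/Windows"},
    # Detection period: one legitimate change (alice) and two suspicious ones (bob, carol)
    {"ts": "2023-03-05T08:00:00", "user": "alice", "action": "login", "ip": "10.1.1.5", "ua": "Chrome/Windows"},
    {"ts": "2023-03-05T08:10:00", "user": "alice", "action": "payment_election_change",
     "ip": "10.1.1.5", "ua": "Chrome/Windows", "account": "ACCT-1001"},
    {"ts": "2023-03-06T02:00:00", "user": "bob", "action": "login", "ip": "203.0.113.40", "ua": "Chrome/Linux"},
    {"ts": "2023-03-06T02:05:00", "user": "bob", "action": "payment_election_change",
     "ip": "203.0.113.40", "ua": "Chrome/Linux", "account": "ACCT-9999"},
    {"ts": "2023-03-06T02:30:00", "user": "carol", "action": "login", "ip": "203.0.113.40", "ua": "Chrome/Linux"},
    {"ts": "2023-03-06T02:33:00", "user": "carol", "action": "payment_election_change",
     "ip": "203.0.113.40", "ua": "Chrome/Linux", "account": "ACCT-9999"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def build_baseline(events, cutoff=BASELINE_CUTOFF):
    """Per-user set of (ip, ua) client fingerprints seen on logins before the cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if e["action"] == "login" and parse_ts(e["ts"]) < cutoff:
            baseline[e["user"]].add((e["ip"], e["ua"]))
    return baseline


def detect(events, baseline, cutoff=BASELINE_CUTOFF):
    """Return a list of alert dicts for bank-detail changes in the detection period."""
    alerts = []
    changes = [e for e in events
               if e["action"] == "payment_election_change" and parse_ts(e["ts"]) >= cutoff]

    # Rule 1: change made from a client fingerprint this employee has never used.
    for e in changes:
        if (e["ip"], e["ua"]) not in baseline.get(e["user"], set()):
            alerts.append({"rule": "bank_change_from_new_client", "user": e["user"],
                           "ip": e["ip"], "ua": e["ua"]})

    # Rule 2: the same destination account appears on changes for several employees.
    # Individually each change looks normal; together they are the "ten accounts" pattern.
    by_account = defaultdict(set)
    for e in changes:
        by_account[e["account"]].add(e["user"])
    for acct, users in by_account.items():
        if len(users) > 1:
            alerts.append({"rule": "shared_destination_account", "account": acct,
                           "users": sorted(users)})

    # Rule 3: one client fingerprint edits bank details for several employees.
    by_client = defaultdict(set)
    for e in changes:
        by_client[(e["ip"], e["ua"])].add(e["user"])
    for (ip, ua), users in by_client.items():
        if len(users) > 1:
            alerts.append({"rule": "shared_client_across_users", "ip": ip, "ua": ua,
                           "users": sorted(users)})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, build_baseline(EVENTS)):
        print(alert)
```

Alice's change raises nothing because it comes from her baseline client and her account is unique; Bob's and Carol's raise the new-client rule individually, and rules 2 and 3 tie them together through the shared account and shared client. In practice the baseline would be built from a rolling window of real login history, and the cross-account rules are what make this useful for the low-frequency, per-user changes the self-service model produces.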

As a comprehensive security and compliance offering for Workday and other business-critical SaaS applications, Obsidian makes it easy to achieve these measures and protect your sensitive data. We’re able to detect account compromise in its earliest stages using a combination of static rules and machine learning models. Our deep understanding of Workday can also help close gaps in your perimeter that attackers leverage to gain access.



About the Author

Glenn Chisholm


Co-founder, Chairman and Chief Product Officer, Obsidian Security

Glenn Chisholm is the co-founder, Chairman and CPO at Obsidian Security. Prior to Obsidian he was the CTO at Cylance, where he directed the company's strategic product direction while leading the research and development teams. Before Cylance, he was CISO and Director of Security Operations for Telstra, the leading telecommunications provider in Australia and Asia. He led security for the $50 billion organization and its managed services and consumer customers across the Asia-Pacific region.

