Quick Check To Protect Yourself Against Vulnerabilities [White House Warning]

By Prashanth Samudrala

In March 2022, the White House issued a statement relating to the war in Ukraine, focused on the potential for Russia to step up cyberattacks.

A series of recommendations were included to help companies fortify themselves against cyberattacks and reinforce their data security strategies.

Many of these guidelines speak directly to potential issues within Salesforce DevOps, such as:

“Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors.”

Let’s look into how this relates to your Salesforce DevOps environment and what you can do about it. The first step is to understand the potential vulnerabilities because you can’t guard against something you aren’t aware of.

How This Relates to Challenges Within Salesforce

Organizations often struggle to manage the number of profiles and roles they have accumulated. Profile gaps can be confusing and challenging to debug. The complex mix of sharing architecture in Salesforce leads users to adopt practices that create security risks, which can be exploited by both insider and outsider threats.

Shortcuts are often used to get around this complexity, and those shortcuts increase risk. One example is granting a user Modify All when all they need is read access or the ability to edit a single field.

Password exposure and malware risk are a constant concern for every environment, including Salesforce.

While we’re familiar with malware and ransomware coming through a browser, it can actually be distributed in multiple ways such as documents that have been uploaded as attachments. This puts everyone who opens that file at risk.

Stolen passwords continue to be a threat, especially if you don’t have good endpoint protection.

You are responsible for your security in the Salesforce environment. Salesforce does a lot to protect the platform, but you’re responsible for your own security within your particular org or instance.

Vulnerabilities in the Salesforce Sharing and Security Architecture

The sharing architecture within Salesforce is very complex. Org-wide defaults are currently transitioning away from profiles toward permission sets. So, when should you be applying more precision versus wider sharing?

Viewing this in totality can be confusing. Users often create profiles—which don’t encompass all types of named credentials, password policies, certificates, and keys—to cover various aspects of permissions.

Here are some questions you should ask yourself to assess your vulnerabilities:

  • What are your org’s sharing settings for commonly used objects?
  • Do you have more profiles than users?
  • Do you use Guest Sharing Rules?
  • When was the last time you audited the connected apps and auth providers?
  • When was the last time you ran a Health Check?

These scenarios are unfortunately common and should be examined for vulnerabilities. Something as simple as offering guest sharing capabilities introduces the possibility of information being exfiltrated through guest users. And as we’ve seen with the recent Heroku breach, auth providers have the potential to create backdoors for cybercriminals.

READ MORE: Salesforce Security Health Check: How to Find Vulnerabilities

Profile Deployment and the Risks Associated

Profiles are a complex matrix of permissions. Multiple profile metadata types are confusing and often misunderstood because they frequently overlap.

For example, a profile deployed from one sandbox to another is cloned off the standard profile by default. This introduces differences between the two sandboxes unless you have the right tools in place to compare the settings and enforce them from one sandbox to the other. Without that check, the deployment can also grant all sorts of unintended permissions, which are then exposed in the process.

Salesforce recognizes that this is challenging. The rollout of Permission Set Groups started in 2019; they are a way of creating organizational roles. It is highly recommended to transition away from profiles to role-based Permission Set Groups. Doing so gives you better integrity across your sharing architecture and your permissions policies.
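The two problems above (a Modify All shortcut, and profile settings drifting when a profile is deployed between sandboxes) can both be caught before a deployment by diffing the Profile metadata. The following Python script is an added example, not code from this article or from AutoRABIT: it parses two copies of a profile in Salesforce Metadata API XML format, lists every grant on which the sandboxes disagree, and flags Modify All / View All style grants. The two sample profiles (a DEV copy and a drifted UAT copy) are constructed for the example, not taken from any real org.

```python
import xml.etree.ElementTree as ET
NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
BROAD_USER_PERMS = {"ModifyAllData", "ViewAllData"}  # far beyond read or one field
# Constructed sample: the profile as it exists in the DEV sandbox (read-only on Account).
DEV_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <objectPermissions><object>Account</object><allowRead>true</allowRead>
    <allowEdit>false</allowEdit><allowCreate>false</allowCreate><allowDelete>false</allowDelete>
    <modifyAllRecords>false</modifyAllRecords><viewAllRecords>false</viewAllRecords>
  </objectPermissions>
  <userPermissions><enabled>false</enabled><name>ModifyAllData</name></userPermissions>
</Profile>"""
# Constructed sample: the same profile after a drifted deploy to the UAT sandbox.
UAT_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <objectPermissions><object>Account</object><allowRead>true</allowRead>
    <allowEdit>true</allowEdit><allowCreate>false</allowCreate><allowDelete>false</allowDelete>
    <modifyAllRecords>true</modifyAllRecords><viewAllRecords>false</viewAllRecords>
  </objectPermissions>
  <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
</Profile>"""

def load_profile(xml_text):
    """Flatten a Profile into {"Account.allowEdit": bool, "user.ModifyAllData": bool, ...}."""
    root = ET.fromstring(xml_text)
    perms = {}
    for op in root.findall("m:objectPermissions", NS):
        obj = op.find("m:object", NS).text
        for child in op:
            tag = child.tag.split("}", 1)[1]  # strip the metadata namespace
            if tag != "object":
                perms[f"{obj}.{tag}"] = child.text == "true"
    for up in root.findall("m:userPermissions", NS):
        name = up.find("m:name", NS).text
        perms[f"user.{name}"] = up.find("m:enabled", NS).text == "true"
    return perms

def diff_profiles(source, target):
    """Return {key: (source_value, target_value)} for every grant the sandboxes disagree on."""
    keys = set(source) | set(target)  # a grant missing from one file counts as False
    return {k: (source.get(k, False), target.get(k, False))
            for k in sorted(keys) if source.get(k, False) != target.get(k, False)}

def is_broad(key):
    """Object-level *AllRecords flags and org-wide *AllData permissions bypass sharing."""
    scope, name = key.split(".", 1)
    return name in ("modifyAllRecords", "viewAllRecords") or (scope == "user" and name in BROAD_USER_PERMS)

def broad_grants(perms):
    """Enabled grants that deserve a least-privilege review before the deploy goes ahead."""
    return sorted(k for k, enabled in perms.items() if enabled and is_broad(k))
```

Run it against the `.profile` files retrieved from each sandbox: a non-empty diff means the deploy will change permissions, and any flagged broad grant is a candidate for replacement with a narrower permission set.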

READ MORE: Clean Up Profiles and Permission Sets in Salesforce

Embrace Multi-Factor Authentication

Salesforce adopted multi-factor authentication on February 1st of this year, but not for all products. In fact, many products won’t support MFA until 2023. As of right now, it only applies to the core Salesforce platform and not the other Salesforce cloud products.

Familiarize yourself with the MFA roadmap so you understand which aspects of Salesforce are covered and which are not.

MFA roadmap by product (projected MFA auto-enablement date; projected MFA enforcement date; notification and details):

  • Products built on the Salesforce Platform: auto-enablement between January and June 2023; enforcement September 2023; email notification.
  • B2C Commerce Cloud: auto-enablement and enforcement both occur at the same time, between May 1-31, 2022 (in the Spring Maintenance release); email notification and release note.
  • Click Software - Field Service Edge (FSE): no auto-enablement planned; enforcement June 2022 (in the MR12 Spring Maintenance release); email notification.
  • Click Software - Service Optimization V8 Cloud: no auto-enablement planned; enforcement June 2022; email notification.
  • Heroku: auto-enablement and enforcement both occur at the same time, on June 1, 2022; email notification.
  • Marketing Cloud - Datorama: auto-enablement and enforcement both occur at the same time, between September and November 2022; email notification.
  • Marketing Cloud - Email Studio, Mobile Studio, and Journey Builder: auto-enablement October 2021 (in the October 2021 release); enforcement June 1-17, 2022 (in the Summer 2022 release); email notification and release note.
  • Marketing Cloud - Social: auto-enablement for privileged users between May 9-13, 2022, and for all users between June and August 2022; enforcement for all users November 30, 2022; email notification and release note.
  • Mulesoft Anypoint Platform: auto-enablement for new users July 23, 2022, and for all users October 29, 2022; enforcement in the second half of 2023; email notification and article.
  • Quip Products: auto-enablement February 1, 2022; enforcement May 1, 2022; email notification.
  • Tableau Online: auto-enablement and enforcement both occur at the same time, for privileged users June 21, 2022 and for all users between July and September 2022; email notification.

Strong Passwords

In the meantime, continue to emphasize the importance of strong passwords. Encourage your users and team members to adhere to the Department of Defense recommendation of a minimum of 15 characters for each password.

Update Permissions, Avoid Technical Debt

It’s very easy to create technical debt when it comes to profiles and permissions. Audit your current settings to ensure user permissions are up to date. Salesforce’s Health Check tool can be used to identify gaps.

Be Aware of Phishing Attempts

Many environments are targeted not only daily, but hourly. Bad actors are always looking to gain access to your Salesforce environment through malware—potentially infecting an endpoint—or ransomware.

Summary

Protecting yourself against the potential vulnerabilities outlined by the White House necessitates constant attention and an honest look at your current processes. Cybercriminals are constantly growing more sophisticated. Our defenses against them need to evolve as well.

READ MORE: 4 Ways to Ensure Salesforce Security as you Scale

The Author

Prashanth Samudrala

Prashanth is a former Salesforce developer and architect, now leading product management for AutoRABIT's DevSecOps products.