
How to secure third parties and spot fake job applicants: Okta’s verification tips


The identity management provider Okta has learned that the accounts of third-party contractors, temporary workers, vendors, and service providers need to be just as strongly protected as the accounts of regular employees.

Okta is a huge target due to its pre-eminence in the identity and access management field, and its systems have been exploited and abused to attack Okta's own customers. As a result, the company has developed several internal standards for securing what it calls the "extended workforce," standards that it shared in a recent blog post.

Like other companies, Okta verifies contractors, vendors and service providers before bringing them on board. Businesses must go through a process of due diligence that includes assessing their internal security standards and policies, following well-defined procedures for gauging third-party risk.

Less well defined are standard procedures for verifying remote individual employees, temporary workers or contractors, especially when job applicants aren't who they say they are. But Okta has developed internal standards for verifying individuals and has shared them as well.

"I recommend that every organization enforce the same strict controls across their entire workforce, both in-house and extended," writes Charlotte Wylie, SVP and Deputy Chief Security Officer at Okta and author of both blog posts.

"Every organization should also implement a third-party risk program to drive a comprehensive due diligence process when selecting and monitoring third-party service providers."

Defining the extended workforce

What is the "extended workforce"? According to Wylie, it's not just individual contractors and temporary workers directly hired on a limited-period basis. It's also people indirectly employed by other companies that work closely with your own organization and, due to their positions, have access to your systems, whether digital or physical.

This could include consultants, vendors, business partners and service providers, including employees of managed service providers, data-analytics firms or even companies hired to monitor social-media or chatroom posts.

"Threat actors may see this group ... as a comparative weakness in our overall attack surface," writes Wylie. "Part of my job [at Okta] is making sure our adversaries are mistaken in this assumption by securing our extended workforce with the same safeguards that are in place for our own employees."

When an independent contractor signs up with Acme Software, for example, they may not receive Acme Software's employee benefits like health coverage or paid vacation time. But they're still part of Acme Software's extended workforce.

Their company account and their access to Acme Software's internal network should be just as locked down as a regular employee's. For many organizations, that should be obvious.

The need for protection may be less obvious when it comes to third-party service providers. A repair technician working for a company that services air-conditioning systems for Bullseye department stores in the mid-Atlantic states might not be viewed as a potential attack vector.

Nevertheless, that technician has physical access to Bullseye facilities, and logical access to Bullseye's corporate network through their laptop. The technician is thus part of Bullseye's extended workforce. To counter potential attacks, Bullseye should protect the technician's laptop and any account that accesses Bullseye's systems.

Securing the extended workforce

Okta has a few internal ground rules that can be applied to any organization.

1. The extended workforce needs to use hardened and managed devices.

If your company uses a third-party contractor, service provider, or vendor, then the personnel who access your systems need to use laptops or smartphones that your company, not the third party, manages.

You'll need to issue authorized and managed devices to at least some of the other company's employees. Make certain that those devices are the only ones that can access your systems, and that they're not used for anything else.

"Hardened" devices aren't strictly defined. But Wylie mentions mandatory VPN use, phishing-resistant authentication such as YubiKeys, and "device security posture assessments," which implies strict security management. It may also mean using hardened or secure enterprise browsers, or dividing work and personal web usage between separate browsers.

Okta itself has been burned by attacks exploiting third-party access and lack of browser segregation. In 2022, its systems were breached through the account of "a third-party customer support engineer," as Okta CEO Todd McKinnon said.

In 2023, attackers got into Okta's client-support system by stealing credentials that had spilled over into an Okta employee's personal Google account, possibly after the employee signed into the Chrome browser on a workplace laptop.

Issuing managed laptops to employees of third parties might create a headache for the other company. Nobody wants consultants walking around with three laptops for three different clients. Wylie does offer an alternative: "in a small number of BYOD scenarios [contractors can run] our device management software."

Even that sounds complicated. Still, what she's advising is sound judgment from the core company's point of view. These requirements should be part of any contract agreed upon with a third-party vendor or service provider.

2. The extended workforce needs to use phishing-resistant authentication.

This was already mentioned, but it's important and also applies to verification of employment candidates and employees and contractors who call the help desk.

"We issue a YubiKey to every contractor," Wylie writes. "This offline security key has to be activated before the contractor can access any of our systems, and it’s also used as part of our identity verification process if a contractor needs to work with our help desk."

Okta uses the Yubico Pre-reg service that lets Yubico register individual hardware keys to individual users before they're shipped from the Yubico facility. This lets the users start using the keys right out of the box, which is pretty cool.

This service is also available to clients of Okta's own workforce identity-management platforms. If your company hasn't deployed YubiKeys or similar FIDO-compliant hardware keys, there are other, albeit less phishing-resistant, multi-factor authentication methods for remotely verifying the identity of contractors (and employees):

  • sending a push notification to the person's pre-registered personal phone
  • using a temporary code sent via SMS to a pre-registered phone number
  • generating a temporary code with a pre-registered generator app
  • emailing a secret password to the person's registered primary or secondary email address.

3. The extended workforce needs compulsory security training.

Wylie says contractors for Okta are trained in general security awareness, in data privacy and in physical security — the same training that Okta employees receive.

If you apply this to your own organization, some third parties may not like their employees having to undergo your company's security training, but you can tell them it's a requirement to do business with you.

"We're very serious about this," Wylie writes. "Contractors who neglect their responsibilities will get a ping from me, which is probably not the highlight of their day."

She also emphasizes the importance of training to spot social-engineering scams, especially because contractors who work with Okta will become high-value targets.

Wylie implies that contractors need to be careful about what they add to their LinkedIn profiles, such as that they're working with Okta. That should be the rule about contractors who work with any high-profile company.

In the summer of 2023, the Scattered Spider campaign tried to trick service-desk technicians at several large organizations into resetting Okta administrator passwords. Most of the efforts failed, but the attackers succeeded with MGM Resorts International and Caesars Entertainment, locking up their systems with ransomware and resulting in losses of $100 million at the former organization and a reported $15 million ransom payment from the latter.

Okta itself was not directly targeted by this campaign, and the weak spots were the casino companies' help-desk personnel, not Okta platforms or procedures.

Third-party contractors and vendors might also be targeted in their personal lives, for example through a dating app or even a casual conversation on LinkedIn. For those reasons, security training is especially important for the extended workforce.

"That added awareness could lead to a little bit of suspicion," Wylie writes. "That little bit of suspicion might be the difference between becoming a victim of social engineering versus connecting the subtle dots that show something is a bit off. And connecting those dots could allow the targeted individual to hit the brakes or report the threat before damage is done."

Verifying remote individuals

Many of these same lessons can be applied to hiring and managing remote employees. There have been many reports of North Korean agents attempting and sometimes succeeding at getting remote jobs with Western technology companies.

"The risk posed by North Korean hackers is serious and should not be underestimated, but identity fraud extends beyond individuals acting on behalf of regimes," Wylie writes. "Sometimes, applicants use proxies to apply for a job — the person who shows up to work is not the same person the company interviewed."

How do you guard against this? How can you make sure the job candidate, whether applying for a full-time position or as a temporary contract worker, is who they claim to be if you can't see them in person? There are several methods that work best when used together.

The simplest is to try to get at least one in-person interview. See if the candidate will travel a short distance to meet with a trusted company representative, if one is available.

Once there, the candidate can provide some kind of government-issued identification with a photograph, such as a driver's license or passport. Okta recommends the job applicant, whether interviewing remotely or in person, provide two such forms of ID.

The applicant should be required to undergo live, on-camera interviews. There are technologies available that can spot "deepfakes" during live remote interviews.

Ask the candidate for references, and contact those individuals given as references through channels (such as via LinkedIn or through industry contacts) other than those provided by the candidate.

Ask for copies of voided checks from the candidate's bank and check the validity of the account and routing numbers.

In general, the hiring department needs to be trained to spot potential signs of fraud by job applicants such as:

  • inconsistencies in the spelling of the candidate's name
  • reluctance of an applicant to appear on camera
  • reluctance of applicants to provide information about their backgrounds and qualifications
  • discrepancies between a candidate's home and shipping addresses
  • inconsistencies in the applicant's social media profiles, such as mismatched photos or places of residence

Safeguards also need to be observed after an employee or contractor is hired. Okta's internal policy is to ship the new hire a company-managed laptop and pre-registered YubiKey right away so that personal devices aren't used to log into the company network.

If your organization ships out managed devices, be wary of sudden shipping-address changes, make sure the shipping address is a legitimate address, and never ship to P.O. boxes.
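A screening helper, added here as an example (not Okta's or SC Media's code), that applies the hiring red flags listed above together with the shipping-address checks to a candidate record. The record fields, the P.O. box pattern and the sample candidates are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Assumed pattern for common P.O. box spellings ("P.O. Box 12", "PO Box 12", "Post Office Box 12").
_PO_BOX = re.compile(r"\b(p\.?\s*o\.?\s*box|post\s+office\s+box)\b", re.I)

def is_po_box(address: str) -> bool:
    """True when an address is a post-office box rather than a street address."""
    return bool(_PO_BOX.search(address))

def _norm(text: str) -> str:
    """Lower-case and collapse punctuation/whitespace so cosmetic differences don't count."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

@dataclass
class Candidate:
    # Hypothetical record assembled by the hiring department during verification.
    names_on_documents: list            # name as written on each ID, reference and profile
    home_address: str
    shipping_address: str               # where the managed laptop / YubiKey would be sent
    shipping_address_history: list = field(default_factory=list)  # addresses verified earlier
    appeared_on_camera: bool = True
    provided_background: bool = True
    profile_photo_matches: bool = True  # social-media photo and residence consistent with application

def screen_candidate(c: Candidate) -> list:
    """Return the list of red flags from the article that this record triggers (empty if none)."""
    flags = []
    if len({_norm(n) for n in c.names_on_documents}) > 1:
        flags.append("name spelled inconsistently across documents")
    if not c.appeared_on_camera:
        flags.append("declined live on-camera interview")
    if not c.provided_background:
        flags.append("reluctant to provide background and qualifications")
    if _norm(c.home_address) != _norm(c.shipping_address):
        flags.append("home and shipping addresses differ")
    if not c.profile_photo_matches:
        flags.append("social-media profile photo or residence mismatch")
    if is_po_box(c.shipping_address):
        flags.append("shipping address is a P.O. box")
    if c.shipping_address_history and _norm(c.shipping_address_history[-1]) != _norm(c.shipping_address):
        flags.append("shipping address changed after initial verification")
    return flags

if __name__ == "__main__":
    # Constructed sample: same person, punctuation-only name variation, consistent addresses.
    clean = Candidate(["Jane Q. Doe", "Jane Q Doe"], "12 Oak St, Springfield", "12 Oak St, Springfield")
    # Constructed sample: name drift, laptop redirected to a P.O. box after the address was verified.
    risky = Candidate(["Jane Doe", "Jane Do"], "12 Oak St, Springfield", "PO Box 42, Springfield",
                      shipping_address_history=["12 Oak St, Springfield"])
    for c in (clean, risky):
        print(screen_candidate(c) or ["no flags"])
```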

Use YubiKeys or other phishing-resistant measures to verify an employee's or contractor's identity when they call the help desk to claim they've been locked out of their accounts.

And, Wylie adds, never take your eye off the ball. "It's important to regularly revisit your training and procedures for verifying the identities of your remote workers," she writes. "Adversaries are highly motivated to find workarounds to your defenses, and a safeguard that was highly effective yesterday might not be as reliable tomorrow."
