IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.
Sponsor Content
What does this mean?

Back to Basics: A Deeper Look at the Colonial Pipeline Hack

Cyberattack_shutterstock_1448438039
Shutterstock

Hacked credentials and an old VPN were at the root of the Colonial Pipeline cyber attack. We’re taking a look at how cybersecurity basics can prevent future hacks and enhance security strategies.

News broke recently that the cyber attack on Colonial Pipeline Co. was due to a leaked password, an inactive VPN account and a lack of multifactor authentication.

The CEO of Colonial Pipeline Co. appeared before a Senate committee to outline the details of the ransomware attack, which resulted in paying millions in ransom (though most has been recovered through tracing cryptocurrency, thankfully).

As cybersecurity professionals, we are scratching our heads. Secure credential storage, VPN safety and multifactor authentication are some of the most basic cybersecurity principles. In fact, perimeters around access control (a feature VPNs lack), login attempts and authentication methods are all outlined in the CJIS Security Policy. And although CJIS requirements are hefty, they serve a great purpose: to protect state, local and federal governments from bad actors trying to threaten government frameworks, constituent rights and public peace.

Stronger cybersecurity is accomplished by securing connectivity into a network, keeping usernames and passwords safe, and verifying the identity of someone trying to gain access. It’s basic cybersecurity knowledge, but it’s undoubtedly overlooked across industries - including governments - due to limited time and resources, complexities in managing security strategies and the infamous “It won’t happen to me” mentality.

This is a football.

It’s time to get back to basics. That’s what Vince Lombardi did back in the 1960s, and it led his Green Bay Packers football team to five NFL championship victories within seven years.

After Green Bay lost the 1960 Super Bowl in the last few minutes of the game, Lombardi started the first practice of the next season by holding a football in his hands, standing in front of his players and stating, “This is a football.”

This might seem like a silly exercise for professional athletes who have played football for most of their lives. They not only know the sport, but they are the “subject matter experts” and best qualified to play. But their coach took them back to the beginning - all the way back to defining what football is.

The point of Lombardi’s speech and coaching method is simple: Fundamentals drive and determine results. We can shake off past mistakes instead of meticulously analyzing them to change the future, and instead focus on the basics. This requires asking key questions like, “What’s the problem?,” “How do we solve it?” and “What do we do?”

The same goes for government cybersecurity. So let’s ask these questions and, using the Colonial Pipeline attack as an example, look at why going back to basics is exactly what government institutions (and all organizations for that matter) need to do when it comes to their security approach.

WHAT'S THE PROBLEM?

Bad actors, hackers, cyber criminals - whatever you want to call them - are trying to infiltrate an organization’s internal network and systems to demand ransom, halt/delay production, cause organizational or reputational damage, or for harassment or vengeful purposes. In the case of the Colonial Pipeline cyber attack, the hackers demanded a ransom, so they were in it for profitable and monetary purposes.

We need to fix the problem of hackers entering a government’s internal network. Unfortunately, hackers have a variety of avenues to exploit, whether it’s employee/staff remote access through VPNs and desktop sharing tools (which was the case for Colonial Pipeline), remote connections for external third-party vendors, unsafe password storage or malicious code encryption. This begs the question, “How can you protect against these threats?”

HOW DO WE SOLVE IT?

Hackers are smart - but cybersecurity companies are smarter and continuing to get smarter. Solutions to cyber attacks have been developed so organizations can defend against hackers with bad intentions.

Let’s look at the factors at play in the Colonial Pipeline attack, which are common methods hackers will use to gain entry into a private network, and the solutions that should have been implemented:

LEAKED PASSWORDS

It’s reported that the password used in the cyber attack was included in a batch of leaked passwords on the dark web, which leads to the assumption that password security is not a priority. The Verizon 2021 Data Breach Investigations Report found that 61 percent of data breaches are caused by leaked credentials, which shows that credentials are still a highly coveted asset for hackers and must be protected. In fact, the largest password leak in history occurred in June 2021; a collection of 8.4 billion passwords make up the stolen credential forum, further proving the value of stolen credentials, whether personal or professional.

Solutions like password vaulting and safe credential storage can help organizations keep usernames and passwords protected. This provides a single source for your credentials and houses them all in one location that is ideally secured and locked.

Privileged access management (PAM) solutions are built to manage and control internal user activity and are typically paired with some version of credential management (or vaulting). When a PAM account is created for an internal user, the credentials of that new account need to be protected - this is where a “password vault” comes in. When needing access and retrieving credentials from the vault, users must go through their PAM tool for authentication, and a record of this activity is logged. This centralized storage method allows credentials to be reset after each use, which achieves advanced protection and allows for thorough auditing, which can help trace any suspicious activity back to the source. If implemented at an earlier time, these methods could have helped prevent the Colonial Pipeline passwords from being exposed.

VPN ACCESS

Vulnerable VPN access is one of the most common ways hackers enter a network. It was clearly evidenced in the Colonial Pipeline attack when the hackers “exploited a legacy VPN that shouldn’t have been in use.” While using VPNs to connect to local resources is commonplace, most don’t realize the real threat VPNs bring to an organization.

VPNs are an all-or-nothing tool - either a user has complete access to the network or none. With a VPN, there isn’t any way to give partial access or implement granular controls so that users can only access the specific areas of the network they need and nothing more. This risk is in direct opposition of the zero-trust model, which is so critical to enhancing government cybersecurity strategies that it was included in the new executive order on the nation’s cybersecurity. Zero trust is a cybersecurity approach that implements least privileged access and authentication protocols so the correct users are granted restricted access to only the hosts, ports and applications needed. Without control on what a user can access, the user has access to every part of a network - even the parts that are off-limits.

The VPN tool also doesn’t bode well for third-party accountability. VPNs don’t offer ways to monitor and audit third-party vendor activity within the network, so there’s no visibility into third-party session activity. If something suspicious happens, VPNs don’t offer the historical view of network sessions to trace back to the source of the issue.

Lastly, most VPNs can be accessed with a basic login. As we mentioned before, if login credentials aren’t protected, it does not take much for a VPN to be breached - a password on a Post-it note or a shared/borrowed login could do the trick. This is especially dangerous when authentication measures aren’t in place, such as multifactor authentication, to verify the identity of the user and confirm their access rights to a network.

Using an internal review system can mitigate the risk of faulty or inactive VPN accounts being used by the wrong people. An automated review system audits the access permissions for each individual user and should flag inappropriate access, which ensures the correct people have access to the correct applications and systems and that the people who shouldn’t be accessing certain systems are kept out. This helps to provision or de-provision users who could be inactive, terminated from the organization or no longer in need of the system license. If the legacy VPN was flagged and de-provisioned once the user was deemed inactive, Colonial Pipeline wouldn’t have provided that entryway for the hackers to infiltrate their network.

LACK OF MULTIFACTOR AUTHENTICATION

In the case of the Colonial Pipeline cyber attack, MFA could have prevented the hacker from gaining access to its internal systems and threatening to stop production of the fuel pipeline. This simple, yet extremely effective, security measure serves as the ultimate gatekeeper for those trying to access private networks, which is why it was also included in the executive order’s list of mandates. However, its power is still overlooked by many organizations; only 40 percent of participants in the 2021 SecureLink and Ponemon Institute survey rated MFA as “very important.” Even though this security method is seemingly undervalued by organizations, it’s still proven to be one of the most effective means of securing private networks and systems.

MFA is a multiple-step security approach that verifies the identity of an individual trying to access certain private information or spaces. A simple example of MFA is when using a debit or credit card. You not only have to have your physical card, but you also have to enter a PIN. Many forms of MFA have three steps:
  • The first step is usually entering a password to enter a secured space. After entering a password, an individual will be asked to authenticate their access attempt.
  • The second step involves receiving a security token (like a code) on a personal device or platform the individual owns (like via text message or via email) to confirm that the person logging in is the same person tied to those devices or platforms.
  • The third step is when the individual uses the security token to confirm their identity and authenticate their access attempt. This is usually done by entering the code on the platform where the password was entered or opening a link in an email to verify the individual’s email address.

Essentially, it’s making sure that whoever is logging in is the same person the account is tied to. When hackers use a stolen login to attempt access, the logins and personal accounts don’t match, and MFA will stop the access attempt from happening since the hacker won’t receive the security token and complete the authentication steps.

When MFA is complemented with additional security means, such as employment verification, identity and access management systems, and automatic provisioning and de-provisioning of user accounts, chances of an attack decrease dramatically. These measures create several barriers that are nearly impossible for a bad actor to infiltrate by confirming and authenticating identity, employment and user access.

WHAT DO WE DO?

Now that we know how to solve the problem at hand, it’s time to implement solutions. This may seem like a daunting task considering how many security measures were just outlined; but, as stated earlier, take a look at the basics of what you need to secure internal access and begin there. You can even use the Colonial Pipeline attack methods to see if your organization would be protected in a similar attack.
  • Are your passwords stored and protected?
  • Do you have a credential vault in place to safely store confidential logins?
  • Is there a workflow in place to review access permissions?
  • Is the access removed for old and/or inactive VPN accounts?
  • Are you able to implement least privileged access for remote connections into your network, whether that’s through VPN, desktop sharing tools or other forms of remote access?
  • Do you have multifactor authentication set up for your accounts?

Answering these questions are the first steps to figuring out which security fundamentals are needed to upgrade your security strategy. Once you know which programs and systems you need, you can look to solutions like SecureLink to provide each of these functionalities:
  • Zero-trust network access (ZTNA)
    • ZTNA encompasses the strategies of least privileged access, multifactor authentication, credential storage and injection (so external parties never have to see a password), and granular controls and permissions to securely manage access.
  • User access reviews
    • Role-based access control is critical for knowing which employees or external parties should have permissions to certain systems and - most importantly - which ones shouldn’t. Machine learning capabilities conduct internal access reviews periodically to flag inappropriate access permissions and audit any permission changes that occur.
  • Identity and access management
    • In order to know who needs access and what level of access is needed, you first need a way to inventory accounts and identities. An identity and access management system that logs the identities of each user, tracks their employment status and uses MFA to verify access attempts, can solve many of the issues organizations face regarding unknown user identities and access permissions.

To help evaluate your current protocols and to find what gaps are in your cybersecurity strategy, there are helpful resources available, like this checklist to evaluate the safety of your network access.

It’s not too late to change your security solutions. The Colonial Pipeline attack was a wake-up call for cybersecurity professionals and leaders across all industries, but especially vulnerable government entities. If this kind of attack could happen to one of the largest critical infrastructures in the nation, it could happen to anyone. However, there is a way to defend and fight back with solutions like SecureLink. Let’s get back to basics and solve remote access security for government institutions.