Colonial Pipeline, operator of the pipeline that transports 45 percent of the East Coast's petroleum, disclosed in early May 2021 that it had been hacked.
The company's president and CEO, Joe Blount, testified before the Senate Committee on Homeland Security and Governmental Affairs that the attackers got into the network through a compromised legacy VPN account.
Almost every layer of security failed in this incident:
- The account's password was part of a batch of stolen data, i.e. a compromised credential.
- The account was not protected by multi-factor authentication.
- The attackers came in through a legacy, and most likely unmonitored, service.
- The compromised account was most likely a leftover created by IT staff at some earlier point; they simply lost track of it and failed to revoke its network access when switching to a different system.
Their mistake illustrates a widespread problem: access is granted to identities, but the people responsible lose sight of those grants, leaving them open to abuse. The risk from this mismanagement grows as the number of accounts with no one behind them increases, but it can be contained if your organization is capable of some basic security hygiene.
Out Of Sight, Out Of Mind – Yet A Risk Nonetheless
According to our own research, 6% of a company's user accounts are inactive. But just because they are not in use doesn't mean they can't be abused. If an attacker gains access to one of these accounts, particularly an unmonitored one, they can use its privileges to reach the company's assets.
In some cases these accounts belonged to former employees who have since left the company. Others belonged to people who changed roles and no longer use those accounts.
These problems must be addressed, and Identity Governance and Administration (IGA) tools do a decent job of it within the Joiner, Mover, Leaver lifecycle management model.
However, these methods have blind spots in areas such as empty groups and robotic identities. Privileges in both categories can be exploited and abused.
Even though an organization rarely has many empty groups, they often have access to a lot of files, giving attackers a wide enough opening to steal data or cause disruption without being discovered.
With robotic identities the picture is no better. These are the service accounts used for a wide variety of functions and, as such, hold a wide range of permissions, even admin access in some cases. According to Forrester, the number of non-human identities has more than doubled in the last year.
How to Detect, Monitor, and Correct
The first step in gaining control of your accounts and asset entitlements is to understand what you have. That begins with a scan of all your XaaS environments (IaaS, SaaS, and PaaS) to determine which identities have access to which assets.
This means ingesting data from these many environments, normalizing it into a usable model, and then correlating it with the identities from your Identity Providers (IdP) such as Okta, Azure AD, Ping, or Google.
The goal is to understand the relationship between identities and assets, taking into account a wide range of attributes such as how the access is actually used and whether it is scoped appropriately to the organization's policies and needs.
Is there an identity with access to assets it hasn't used in at least 60 days? That is a good moment to revoke those permissions. But it is only the tip of the iceberg. When you start examining your entitlements more deeply, you will find that your identities hold more privileges than you would care to admit, particularly privileges that should never have been granted in the first place.
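As an added example (not from the original article), the correlation just described in Python: constructed entitlement records from IaaS, SaaS and PaaS sources, already normalized to one schema, are matched against a constructed IdP export and flagged for the 60-day unused rule, empty groups, admin-level service accounts, leavers whose access survived, and identities the IdP does not know. All account names, asset names and dates are assumptions.

```python
# Added example, not from the article: correlate normalized entitlement records
# from several XaaS environments with an IdP export, then flag the risk classes the
# text describes. Every identifier and record below is constructed sample data.
from datetime import date

UNUSED_DAYS = 60                 # "not used in at least 60 days" threshold
TODAY = date(2021, 5, 10)        # constructed scan date

# Constructed IdP export: identity type, lifecycle status, group membership.
IDP_IDENTITIES = {
    "alice":       {"type": "human",   "status": "active"},
    "bob":         {"type": "human",   "status": "left"},   # leaver never deprovisioned
    "svc-backup":  {"type": "service", "status": "active"},
    "grp-legacy":  {"type": "group",   "members": []},      # empty group with rights
    "grp-finance": {"type": "group",   "members": ["alice"]},
}

# Constructed entitlements already normalized to one schema:
# (environment, identity, asset, privilege, last_used ISO date or None)
ENTITLEMENTS = [
    ("iaas", "alice",       "prod-db",       "read",  "2021-05-01"),
    ("iaas", "bob",         "vpn-legacy",    "login", "2020-11-15"),
    ("iaas", "svc-old",     "s3-archive",    "admin", "2020-09-01"),  # not in IdP
    ("saas", "svc-backup",  "file-share",    "admin", "2021-04-30"),
    ("paas", "grp-legacy",  "build-secrets", "read",  None),
    ("saas", "grp-finance", "ledger",        "write", "2021-04-20"),
]

def find_risky_entitlements(idp, entitlements, today):
    """Return (reason, environment, identity, asset) tuples for review/remediation."""
    findings = []
    for env, ident, asset, priv, last_used in entitlements:
        record = idp.get(ident)
        if record is None:                       # access granted to an identity the IdP does not know
            findings.append(("unknown_identity", env, ident, asset))
            continue
        if record.get("status") == "left":       # leaver whose access survived offboarding
            findings.append(("leaver_still_entitled", env, ident, asset))
        if record["type"] == "group" and not record["members"]:
            findings.append(("empty_group", env, ident, asset))
        if record["type"] == "service" and priv == "admin":
            findings.append(("service_account_admin", env, ident, asset))
        if last_used is None or (today - date.fromisoformat(last_used)).days >= UNUSED_DAYS:
            findings.append(("unused_60d", env, ident, asset))
    return findings

if __name__ == "__main__":
    for finding in find_risky_entitlements(IDP_IDENTITIES, ENTITLEMENTS, TODAY):
        print(*finding)
```

Each finding names the environment and asset so the corresponding grant can be revoked at its source, and an entitlement never used at all (last_used of None) is treated as stale.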
Once we know what we have, we must decide how we will: a) repair all of the misaligned rights that have accumulated over time, and b) put in place a process for doing it right from now on.
As you monitor, correct any risky entitlements that appear. If you find an empty group, close it down. The same goes for robotic identities that are not in frequent use.
If you automate your entitlement provisioning process, revoking permissions and re-granting them later when needed will be simpler than dealing with a crisis.
To truly eliminate the risks of unused identities, we must move to a state in which we continuously ingest data, check for violations, and remediate.
The current cadence of periodic reviews may satisfy auditors, but it is not enough to enforce adequate security standards going forward.