by Jeremy Walker , CISSP/ISSAP
At first glance, the Colonial Pipeline hack appears to have been orchestrated by a multi-national, multi-agency coalition using highly sophisticated artificial intelligence (AI) enhanced polymorphic malware that was able to evade multiple layers of technologically advanced security mechanisms. The malware was part of a multi-million node distributed neural network that leveraged emergent learning algorithms to analyze the pipeline’s defenses and adapt its code.
If it really took that level of sophistication to bring down critical infrastructure, we might be able to sleep a little easier, but that is not what happened in the case of the Colonial Pipeline. The unfortunate reality is that the pipeline hack occurred primarily because of a compromised VPN password.
Cybersecurity industry experts, necessarily, continue to promote raising the bar past the relatively attainable defense in depth into “Zero Trust”. The standard is to impose multiple factors of authentication – something a user knows, something a user has, and something a user is. The most secure authentication process will have the user perform all three types.
Many organizations, however, are still not positioned to fully enact either posture. True and balanced defense in depth is costly, while unilaterally architecting, deploying, and maintaining a holistic defensive perimeter around every internet-accessible system and subsystem (zero trust) can be monumentally expensive. When the element of user friction is added in, because you are making the user perform extra tasks, it’s understandable why many organizations are rolling the dice and hoping the hackers will not call their number.
A company that spends millions of dollars securing its enterprise was severely compromised, and it paid a multi-million-dollar ransom to regain access to its data. The compromise was not enabled by an overly elaborate or brilliant zero-day vulnerability. This was simple social engineering – stealing a password.
The Verizon 2021 Data Breach Investigations Report states “As we have pointed out in previous reports, Credentials remain one of the most sought-after data types.” It also notes that 61% of breaches involved credentials (passwords) and a whopping 85% of breaches involved the human element.
Passwords continue to plague our security landscapes. They are responsible for the aforementioned Colonial Pipeline hack, and numerous other hacks including:
Experian - penetration was achieved by the hacker posing as a private investigator from Singapore and convincing staff to provide credentials to the internal database
Uber - the hackers were able to access Uber's GitHub account, where they found Uber's Amazon Web Services credentials
Dropbox - the Dropbox data breach resulted in 60 million user credentials being stolen, purportedly due to an employee reusing a password
SolarWinds - according to security researchers, SolarWinds’ update server was accessible using the simple password "solarwinds123"
So, what do we do? Is all hope lost?
Well, no. Having spent a large portion of my life in the military environment, the design principle “KISS” (keep it simple, stupid) is still ingrained in me. In reality, we should be practicing the principle “keep it simple and secure”. Is there a simpler and cost-effective mechanism by which organizations can make meaningful strides towards building a more solid foundation for their ongoing security efforts? What is the simplest way we can get the biggest bang for our bucks? We should eliminate passwords, period. For those systems where a password is unavoidable, put additional factors in place that don’t just make a human jump through another ring of fire, but execute something that is easy and much more secure.
I am certainly not making the case for ceasing, or even limiting, the myriad security controls necessary to fully protect critical networks; I am, however, making a case for building these controls around a cost-effective and efficient foundational framework: a foundation that removes passwords as the primary authentication mechanism.
We must focus on the objective and solve the underlying root cause. It is not complicated. Let's take a simpler approach, and not come up with complex solutions to simple problems.
Provides Multi-Factor Authentication (MFA), including biometrics, to positively attribute an authentication event to a particular user, which eliminates unauthorized users’ ability to access organizational resources such as VPN;
Enables secure certificate-based authentication with decentralized key stores, where the password is no longer needed. By removing centralized password repositories, hackers no longer have a password repository to harvest passwords for use in later hacking attempts;
Uses patent-pending Full Duplex Authentication (FDA)®, which enhances the traditional FIDO authentication model with server-to-user authentication. Before the user sends their authentication information to the server, the server authenticates to the user, eliminating impersonation attacks.
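The two properties described above, a server that stores only public keys and a server that proves its identity before the user sends any proof, can be shown in a short mutual challenge-response exchange. The following is an added illustration, not the vendor's code and not the patent-pending Full Duplex Authentication® protocol itself: it uses Go's standard-library Ed25519 signatures, a public key pinned at enrolment stands in for the server certificate, the message labels and the names Server, User, Hello, Respond and RunExchange are assumptions of this example, and the whole exchange happens in one process instead of over a network.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server holds only public keys plus its own identity key: a dump of users has no password hashes to crack.
type Server struct {
	signKey ed25519.PrivateKey           // stands in for the server certificate's private key (assumption)
	users   map[string]ed25519.PublicKey // registered user public keys
}

// ServerHello is the server-to-user step: a fresh challenge and a signature binding it to the user's nonce.
type ServerHello struct{ Challenge, Signature []byte }

// UserProof is the user-to-server step: a signature over the challenge, bound to the account name.
type UserProof struct {
	Name      string
	Signature []byte
}

// nonce32 returns 32 fresh random bytes; failure of the system RNG is treated as unrecoverable.
func nonce32() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewServer derives the identity key from a random seed, which is what ed25519.GenerateKey does internally.
func NewServer() *Server {
	return &Server{ed25519.NewKeyFromSeed(nonce32()), map[string]ed25519.PublicKey{}}
}
func (s *Server) PublicKey() ed25519.PublicKey { return s.signKey.Public().(ed25519.PublicKey) }

// Register stores the user's public key only; the private key never leaves the user's device.
func (s *Server) Register(name string, pub ed25519.PublicKey) { s.users[name] = pub }

// Hello runs before the user has revealed anything: the server proves it holds the identity key
// by signing the user's nonce together with a fresh challenge.
func (s *Server) Hello(userNonce []byte) ServerHello {
	ch := nonce32()
	msg := append(append([]byte("server-hello:"), userNonce...), ch...)
	return ServerHello{ch, ed25519.Sign(s.signKey, msg)}
}

// Verify checks the proof against the registered public key for the challenge this session issued.
func (s *Server) Verify(challenge []byte, p UserProof) bool {
	pub, known := s.users[p.Name]
	return known && ed25519.Verify(pub, append([]byte("user-proof:"+p.Name+":"), challenge...), p.Signature)
}

// User holds its own private key and the server's public key pinned at enrolment (a certificate's role).
type User struct {
	Name      string
	key       ed25519.PrivateKey
	serverPub ed25519.PublicKey
}

func NewUser(name string, serverPub ed25519.PublicKey) *User {
	return &User{name, ed25519.NewKeyFromSeed(nonce32()), serverPub}
}
func (u *User) PublicKey() ed25519.PublicKey { return u.key.Public().(ed25519.PublicKey) }

// Respond verifies the server's signature first and signs nothing if that fails, so a look-alike
// server never collects a usable proof.
func (u *User) Respond(nonce []byte, hello ServerHello) (UserProof, error) {
	msg := append(append([]byte("server-hello:"), nonce...), hello.Challenge...)
	if !ed25519.Verify(u.serverPub, msg, hello.Signature) {
		return UserProof{}, errors.New("server failed to authenticate; no credential sent")
	}
	proof := append([]byte("user-proof:"+u.Name+":"), hello.Challenge...)
	return UserProof{u.Name, ed25519.Sign(u.key, proof)}, nil
}

// RunExchange drives one login: user nonce -> server hello -> user proof -> server verdict.
func RunExchange(srv *Server, u *User) (bool, error) {
	nonce := nonce32()
	hello := srv.Hello(nonce)
	proof, err := u.Respond(nonce, hello)
	if err != nil {
		return false, err
	}
	return srv.Verify(hello.Challenge, proof), nil
}

func main() {
	srv := NewServer()
	alice := NewUser("alice", srv.PublicKey())
	srv.Register("alice", alice.PublicKey())
	fmt.Println(RunExchange(srv, alice))         // true <nil>
	fmt.Println(RunExchange(NewServer(), alice)) // false plus the error: a look-alike server fails step one
}
```

Two things to notice when reading it: the users map contains nothing that can be harvested and replayed, because only public keys are stored, and a server that cannot sign the user's nonce with the pinned key never receives a signature at all, which is the impersonation case the paragraph above describes. Here RunExchange carries the challenge from Hello to Verify directly; a networked server must instead bind the issued challenge to the session and retire it after one use, and FIDO/WebAuthn additionally folds the origin into the signed data so that a proof produced for one site is worthless to another.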
The foundation for future security must include eliminating passwords. By combining certificate-based authentication with biometrics, the certainty that the authenticating party “is who they say they are” is all but unequivocally assured. Pair that with Full Duplex Authentication®, where the server is likewise assured to the user, and the result is an essentially unbreakable chain of security.
A simple and secure solution that works.