Cloud Security Expert Analyzes Colonial Pipeline Security Breach
Security Breaches Flow Downhill
2021 has been characterized by security breaches, the most prominent of which was the Colonial Pipeline breach. What sets these breaches apart from earlier ones is the immediate impact felt by the general population, as opposed to a specific batch of names and accounts in a compromised database. In the past, you received a generic letter in the mail describing an unspecified incident, along with a new debit card.
This year, the national news sends you to the local petrol station on your lunch break, hoping there is still a little Texas Tea to be had. Although details of the methodology used in the Colonial Pipeline attack are still being released, credential hygiene is the first thing on everyone's mind.
Early Assessment of the Colonial Pipeline Security Breach
A Bloomberg article published earlier this week highlighted the suspected security shortcomings at Colonial that led to the shutdown of the nation's largest fuel pipeline; chief among them, a single compromised password on an account nobody was using anymore.
“Hackers gained entry into the networks of Colonial Pipeline Co. on April 29 through a virtual private network account, which allowed employees to remotely access the company’s computer network, said Charles Carmakal, senior vice president at cybersecurity firm Mandiant, part of FireEye Inc., in an interview. The account was no longer in use at the time of the attack but could still be used to access Colonial’s network, he said.
The account’s password has since been discovered inside a batch of leaked passwords on the dark web. That means a Colonial employee may have used the same password on another account that was previously hacked, he said.
The VPN account, which has since been deactivated, didn’t use multifactor authentication, a basic cybersecurity tool, allowing the hackers to breach Colonial’s network using just a compromised username and password.”
Back to the Basics: Colonial Pipeline Security Breach Highlights Principle of Least Privilege
Colonial made a sound move by putting its private network behind a VPN. It seems, however, that the failure lay in not managing the accounts behind that VPN properly and not enforcing stronger security policies.
As we explored in "AWS IAM: Securing AWS Users," the most fundamental rule is the Principle of Least Privilege: only grant a user what is needed to complete the task. Limiting what a user can do drastically reduces the blast radius of a compromised VPN account.
Consider if the compromised Colonial account had only been able to print the annual billing report. [This may or may not apply to the situation at Colonial; it has not been stated what permissions the compromised account actually had.] AWS recommends a bottom-up approach: start a user with no privileges and add privileges as they are needed.
Do Users and Passwords Age Like Fine Wine?
USERS: Whatever its permissions, an account that is no longer in use is a risk in its own right. It is easy to miss, because user administration is tedious and needs regular review as employees and technologies come and go. AWS IAM makes this review manageable.
At a glance, the Users list in the IAM console shows per-user metrics such as last activity, password age, MFA status and access key age, and each column can be sorted by date.
You can also download the Credential Report as a CSV for offline review.
Users found to be dated or defunct should at the very least be disabled: remove their console password and deactivate their access keys. Those can be restored later if the user turns out to be needed; otherwise, delete the user.
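To show what that credential-report review looks like when scripted rather than eyeballed, here is an added example (not code from the original post or from AWS). It parses a constructed CSV that mimics the first columns of a real credential report and flags console passwords and access keys unused for more than 90 days, passwords older than 30 days, and password-enabled users without MFA. The user names, account ID and timestamps are made up; the column names and the report's N/A, no_information and not_supported markers are the real ones.

```python
"""Audit an IAM credential report for stale users, old passwords and missing MFA.

Added example; not code from the original post or from AWS. The CSV below is
constructed to mimic the leading columns of a real credential report; the
user names, account ID and timestamps are hypothetical.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample using the real report's header names and value markers.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2018-01-05T10:00:00+00:00,not_supported,2021-05-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2019-03-10T10:00:00+00:00,true,2021-05-10T09:30:00+00:00,2021-04-20T09:00:00+00:00,2021-05-20T09:00:00+00:00,true,true,2021-04-20T09:00:00+00:00,2021-05-09T11:00:00+00:00
vpn-contractor,arn:aws:iam::123456789012:user/vpn-contractor,2017-06-01T10:00:00+00:00,true,2019-11-02T14:12:00+00:00,2019-10-01T08:00:00+00:00,N/A,false,false,N/A,N/A
build-bot,arn:aws:iam::123456789012:user/build-bot,2020-02-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2020-02-01T10:00:00+00:00,2020-06-15T03:00:00+00:00
"""

# Pinned so the example is reproducible; a real run would use datetime.now(timezone.utc).
AS_OF = datetime(2021, 5, 12, tzinfo=timezone.utc)


def _parse_ts(value):
    """Return a datetime, or None for the report's N/A / no_information / not_supported markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, as_of=AS_OF, stale_days=90, max_password_age_days=30):
    """Return {user: [finding, ...]} for every user that needs attention.

    Findings:
      stale-password     console password enabled but unused for > stale_days (or never)
      expired-password   console password older than max_password_age_days
      no-mfa             console password enabled with no MFA device
      stale-access-key   access key 1 active but unused for > stale_days (or never)
    """
    stale = timedelta(days=stale_days)
    max_age = timedelta(days=max_password_age_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        # The root row reports "not_supported" here, so it is skipped by this branch.
        if row["password_enabled"] == "true":
            last_used = _parse_ts(row["password_last_used"])
            if last_used is None or as_of - last_used > stale:
                issues.append("stale-password")
            last_changed = _parse_ts(row["password_last_changed"])
            if last_changed is not None and as_of - last_changed > max_age:
                issues.append("expired-password")
            if row["mfa_active"] != "true":
                issues.append("no-mfa")
        if row["access_key_1_active"] == "true":
            key_used = _parse_ts(row["access_key_1_last_used_date"])
            if key_used is None or as_of - key_used > stale:
                issues.append("stale-access-key")
        if issues:
            findings[row["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(f"{user}: {', '.join(issues)}")
```

On the sample, vpn-contractor (the analogue of Colonial's forgotten VPN account) is flagged for a stale, expired password with no MFA, and build-bot for an access key last used nearly a year ago, while alice is clean. A real report is produced with `aws iam generate-credential-report` and fetched with `aws iam get-credential-report --query Content --output text | base64 -d`; pass that text to audit_credential_report() with as_of set to the current time.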
PASSWORDS: In the Colonial Pipeline case, even if an old account had slipped past a credential-report audit, access could have been blocked by a stricter password expiration policy. If the password on an account must be reset after 30 days, a credential leaked before then is worthless once it expires, and an account nobody uses simply locks itself, provided the policy requires an administrator to perform the reset (otherwise an attacker presenting an expired password is just prompted to choose a new one at sign-in). Password age can be audited from the same credential report, using the password_last_changed column. One caveat: short rotation windows are exactly what pushes users toward the incremented passwords discussed in the next section, which is why current NIST guidance (SP 800-63B) favors screening against breached-password lists and MFA over routine rotation.
A stricter password expiration policy is set on the Account settings page of the IAM console, where you can choose a custom maximum password age. The policy can be further strengthened by:
- Requiring an administrator to reset an expired password (hard expiry), rather than letting the user, or whoever holds the user's old password, set a new one at sign-in
- Preventing reuse of previous passwords (IAM can remember up to the last 24)
- Requiring a minimum length and a mix of upper case, lower case, numbers and symbols, so easy-to-guess credentials are rejected
Be mindful that the password policy applies to every IAM user in your AWS account, not to selected users, and that it does not cover the root user at all; root should have hardware MFA and no day-to-day use.
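For the same policy expressed as code rather than console clicks, here is an added example (not from the post or from AWS) that takes a password policy in the shape returned by IAM's GetAccountPasswordPolicy API and reports every setting weaker than a baseline matching the list above. The baseline numbers (14 characters, 30-day rotation, 24 remembered passwords) are this article's assumptions rather than an AWS recommendation, and the lax policy it is compared against is constructed.

```python
"""Compare an account password policy against a stricter baseline.

Added example; not code from the original post or from AWS. The dict keys are
the field names of the PasswordPolicy object returned by
iam.get_account_password_policy(); the values are hypothetical.
"""

# Constructed: a lax policy. MaxPasswordAge and PasswordReusePrevention are
# simply absent from the API response when they have never been set.
LAX_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
    "HardExpiry": False,
}

# This article's assumed baseline; the keys double as parameters for
# iam.update_account_password_policy().
BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "MaxPasswordAge": 30,           # days; the rotation window discussed above
    "PasswordReusePrevention": 24,  # remember the last 24 passwords (the IAM maximum)
    "HardExpiry": True,             # an administrator must reset an expired password
}


def password_policy_gaps(policy, baseline=BASELINE):
    """Return {field: (current, required)} for each setting weaker than the baseline.

    A missing field counts as unset. MaxPasswordAge only counts when
    ExpirePasswords is true, because an age without expiry is not enforced.
    """
    gaps = {}
    for field, required in baseline.items():
        current = policy.get(field)
        if field == "MaxPasswordAge":
            current = current if policy.get("ExpirePasswords", False) else None
            ok = current is not None and current <= required
        elif field in ("MinimumPasswordLength", "PasswordReusePrevention"):
            ok = current is not None and current >= required
        else:
            ok = bool(current) == required
        if not ok:
            gaps[field] = (current, required)
    return gaps


if __name__ == "__main__":
    for field, (current, required) in password_policy_gaps(LAX_POLICY).items():
        print(f"{field}: {current!r} -> {required!r}")
```

Against LAX_POLICY the check reports six gaps (length, symbols, upper case, rotation, reuse prevention and hard expiry). The BASELINE dict can be sent to AWS directly as `boto3.client("iam").update_account_password_policy(**BASELINE)`; send the whole set in one call, since any parameter left out of that request falls back to its default.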
Wash, Rinse, Repeat? Colonial Pipeline Security Breach Could Have Been Prevented with Unique Passwords
Although AWS can discourage password reuse, it cannot stop it altogether. Sequentially incremented passwords are sometimes collateral damage of tighter password expiration policies. For example, a fictional user, Webby Vanderbuilt, updates her password every month from "dagobahswampwisdom5" to "dagobahswampwisdom6," and so on. If these credentials, dated as they are, were sold or used nefariously sometime later, it would not take much to guess the current password.
“... A Colonial employee may have used the same password on another account that was previously hacked.”
In our hypothetical example, Webby Vanderbuilt's credentials were stolen from an insecure system on her favorite gaming platform. Even years later, her username and her work password "dagobahswampwisdom66" are similar enough to what leaked for the account at her employer to be compromised.
For sustainable security, use unique, single-purpose passwords; a password manager makes that practical. Do not wash, rinse, repeat.
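IAM's reuse prevention only catches exact repeats, so a check for "same password, next number" has to live wherever a new password is still visible in the clear, for instance the password-change flow of a VPN or SSO portal, never against stored hashes. The added example below (not code from the post) strips the trailing counter and common letter-for-digit swaps before comparing, and also rejects candidates within two edits of anything in the user's history or a breach corpus. The history and leak list are constructed, seeded with the post's fictional Webby Vanderbuilt passwords.

```python
"""Reject new passwords that are trivial variants of old or leaked ones.

Added example; not code from the original post. Runs only where the candidate
password is available in clear text (a password-change flow), never on hashes.
The history and breach list below are constructed.
"""
import re

# Constructed history for the post's fictional user.
PREVIOUS_PASSWORDS = ["dagobahswampwisdom5", "dagobahswampwisdom6"]
# Constructed stand-in for a breached-credential list taken from a dump.
LEAKED_PASSWORDS = {"dagobahswampwisdom5", "password123", "Summer2019!"}

# A trailing run of digits and punctuation is the usual "rotation counter".
_TRAILING_COUNTER = re.compile(r"[\d!@#$%^&*]+$")
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a"})


def stem(password):
    """Lower-case, drop the trailing counter, undo common leet substitutions.

    'Dagobahswampwisdom66!' -> 'dagobahswampwisdom'
    """
    return _TRAILING_COUNTER.sub("", password.lower()).translate(_LEET)


def edit_distance(a, b):
    """Levenshtein distance; a small value means one string is a tweak of the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_variant(candidate, history, leaked, max_distance=2):
    """Return the reason a candidate is rejected, or None if it is acceptable.

    Checks, in order: exact presence in the breach corpus, same stem as any
    previous or leaked password, and closeness in edit distance.
    """
    if candidate in leaked:
        return "appears in a breach corpus"
    cand_stem = stem(candidate)
    for old in list(history) + list(leaked):
        if cand_stem == stem(old):
            return f"same base as {old!r} with a different suffix"
        if edit_distance(candidate.lower(), old.lower()) <= max_distance:
            return f"within {max_distance} edits of {old!r}"
    return None


if __name__ == "__main__":
    for pw in ("dagobahswampwisdom66", "password123", "correct horse battery staple"):
        print(pw, "->", is_trivial_variant(pw, PREVIOUS_PASSWORDS, LEAKED_PASSWORDS))
```

"dagobahswampwisdom66" is rejected because it shares its stem with the leaked "dagobahswampwisdom5", which is precisely the guess an attacker holding the old dump would make; an unrelated passphrase passes. For a production breach corpus, query a k-anonymity API such as Have I Been Pwned's range endpoint instead of embedding a list.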
Kick It up a Notch! (with MFA)
The Bloomberg analysis of the Colonial Pipeline security breach states that the:
“account, which has since been deactivated, didn’t use multifactor authentication, a basic cybersecurity tool.”
With Multifactor Authentication (MFA) enabled, the user is prompted at login for username and password as usual (the first factor) and then for proof of possession of an enrolled MFA device (the second factor), either a time-based code or a physical tap on a security key. MFA device types include:
- VIRTUAL, i.e., an app on your phone that generates a rotating six-digit code
- HARDWARE, i.e., a dedicated physical token that generates a rotating six-digit code
- U2F security key, i.e., a USB authenticator you insert and tap when prompted; it signs a challenge from the site, so there is no code to type or to phish
- SMS, i.e., a six-digit code sent by text message; the weakest of the four, since SMS can be intercepted or redirected by SIM swapping
Punch Buggy! (No Punch Backs!)
Colonial Pipeline paid a ransom of $4.4 million in Bitcoin to regain access to its data. According to news reports, however, much of that ransom has since been recovered. CNBC reports:
“Once the FBI had that wallet in hand, it’s extremely unlikely they broke something called the ‘Elliptic Curve Digital Signature Algorithm,’ which is how the digital currency ensures that bitcoin can only be spent by the rightful owner.
“‘In fact, that is so far-fetched, as to be impossible,’ said Nic Carter, founding partner at Castle Island Ventures.
“What’s much more likely, according to Carter, is that they were able to access a server where the hackers stored private key information. That points not to any fundamental flaw in bitcoin’s security, but rather a case of bad IT hygiene for a criminal organization.”
It appears that better security policies would benefit those on both sides of the fence.
The account-management failures reported in the Colonial Pipeline breach, a forgotten account, a reused password and no MFA, are exactly the things proper user management with a service like AWS IAM is meant to catch. AWS IAM is free to use, but it is a complex system that many find difficult to get right, and getting it right is critical to the security of your infrastructure. Get confident in your cloud security. Start a conversation with our AWS cloud experts and contact us.