VPN Without 2FA Was Source of Colonial Pipeline Breach
Author: Anders Adolfsson, Product Manager
When the Colonial Pipeline was hacked a few weeks back, it created shortages of fuel up and down the East Coast of the U.S. for days. In the weeks since the ransomware attack it has been determined that the hackers, who call themselves “DarkSide,” infiltrated the system via an unprotected Virtual Private Network (VPN).
Reportedly, the VPN was in use so employees could access the pipeline’s networks from remote locations. A security company executive explained the breach in news interviews and said that while the remote access account was tied to an inactive employee, the account itself remained active. This is why auditors ask about the process for timely removal of leavers: connecting access credential revocation to the HR offboarding process is just as important as issuing credentials during onboarding. Versasec’s vSEC:CMS IAM functions and its APIs enable powerful and secure workflows to address this.
The password to the "inactive" account was exposed on the dark web, along with other exposed passwords, and that was how the DarkSide hackers gained access.
There was no multi-factor authentication (MFA) requirement on the VPN account. Frequent readers of this blog know we are among the most fervent promoters of multi-factor authentication. In the case of Colonial Pipeline, the company was using the VPN so users could log in remotely – a scenario used by nearly every enterprise around the world during the global pandemic, and one that will likely continue in high numbers even post-pandemic.
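The two failures described above (a leaver's account left enabled, and remote access allowed without MFA) are both things an organization can check for mechanically by cross-referencing the HR roster with the remote-access account list. The following is an added example, not code from Versasec or vSEC:CMS; all records are constructed, and the field names (status, mfa_enrolled, and so on) are assumptions rather than any real HR or VPN product's schema.

```python
"""Offboarding and MFA audit over constructed sample records (added example).

Flags the conditions discussed in the post: remote-access accounts whose
owner has left but that are still enabled, accounts that can log in
without MFA, and accounts with no HR owner at all (nobody to offboard).
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Employee:
    username: str
    status: str                  # assumed values: "active" or "left"
    left_on: Optional[date] = None


@dataclass
class VpnAccount:
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]


# Constructed sample data (not real people or systems).
HR = [
    Employee("alice", "active"),
    Employee("bob", "left", date(2021, 3, 1)),
    Employee("carol", "active"),
]
VPN = [
    VpnAccount("alice", True, True, date(2021, 5, 20)),
    VpnAccount("bob", True, False, date(2021, 2, 14)),     # leaver, still enabled, no MFA
    VpnAccount("carol", True, False, date(2021, 5, 25)),   # current staff, no MFA
    VpnAccount("svc-backup", True, True, None),            # no HR record at all
]

# Tolerated lag between the HR leave date and revocation (assumed policy value).
GRACE = timedelta(days=1)


def audit(hr: List[Employee], vpn: List[VpnAccount], today: date) -> List[Tuple[str, str]]:
    """Return a sorted list of (username, finding) tuples."""
    by_user = {e.username: e for e in hr}
    findings = []
    for acct in vpn:
        emp = by_user.get(acct.username)
        if emp is None:
            findings.append((acct.username, "no HR owner"))
        elif emp.status == "left" and acct.enabled and today - emp.left_on > GRACE:
            findings.append((acct.username, "leaver still enabled"))
        if acct.enabled and not acct.mfa_enrolled:
            findings.append((acct.username, "no MFA"))
    return sorted(findings)


def offboard(vpn: List[VpnAccount], username: str) -> List[VpnAccount]:
    """What an HR-triggered offboarding step does to the account list:
    disable the leaver's account. Returns a new list; input is untouched."""
    return [replace(a, enabled=False) if a.username == username else a for a in vpn]


def sample_audit() -> List[Tuple[str, str]]:
    """Audit the constructed data as of a fixed date."""
    return audit(HR, VPN, date(2021, 5, 31))


def sample_audit_after_offboarding(username: str) -> List[Tuple[str, str]]:
    """Audit again after the offboarding workflow has run for one user."""
    return audit(HR, offboard(VPN, username), date(2021, 5, 31))


if __name__ == "__main__":
    for user, finding in sample_audit():
        print(f"{user}: {finding}")
```

Run periodically against real exports, this kind of reconciliation surfaces exactly the gap in the Colonial Pipeline story: an account that HR considers gone but the VPN still honours. The "no HR owner" finding matters too, since service or shared accounts with no named owner never pass through an offboarding workflow at all.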
Many organizations have already deployed PKI with MFA for their computer and domain authentication, but still leave other vectors open to attack by relying on passwords or less secure two-factor authentication (2FA) solutions like one-time passwords (OTP). With PKI and hardware/virtual credentials already in place, the same easy task of issuing a credential for desktop login can just as easily be extended to issue a credential that is valid for authentication/logon, disk encryption, remote access/VPN and digital signatures. Therefore, companies should explore all areas where identification and authentication are performed. Implementing Versasec’s vSEC:CMS simplifies the process even more: not only does it integrate with all the major industry-leading virtual and physical credential devices, but it also provides fast and easy connections to Certification Authorities, HSMs and many other enterprise security products that will upgrade your IAM infrastructure.
For those companies using Windows Hello for Business as their MFA solution, we have great news. With vSEC:CMS, it is simple to manage the WHfB credential and add certificates from other PKIs, which allows the WHfB investment to extend beyond Windows domain authentication alone.
If you’d like to learn more about how Versasec can help your organization ensure and manage its multi-factor authentication, contact us here and click on the chat button.
Photo by Michael Geiger.