By BECKY RUTHERFORD
How do you shut down a 5,500 mile long gas pipeline? According to recent news reports, one compromised password was all it took for attackers to bring the pipeline to a screeching halt.
Cyber responders to the Colonial Pipeline ransomware incident reported that the breach was likely due to an employee’s compromised password posted in a batch of breached passwords on the dark web.
The password belonged to an employee’s VPN account. The account was no longer in use but hadn’t been deactivated. In addition, Colonial wasn’t using multi-factor authentication on the employee’s VPN account.
What went wrong for this to happen, and what are some takeaways for users?
- The first rule of cybersecurity club is… “harden” your systems and networks. Hardening a system means that if you don’t need an account, software, service, etc., remove it, thus reducing your attack surface. By leaving things you don’t need on your networks and systems, you are potentially giving attackers a way to get in. If this account had been deactivated, the attackers couldn’t have used it to get in.
- How was the employee’s password breached? Chances are it was a password they reused on other sites. Many people tend to pick a password and reuse it across their personal and work accounts. Sometimes they may create variations on the password, like muffinpants1, then muffinpants12, etc. If your password gets breached, and you are using that password across work and personal accounts, attackers can use that one password to get into any account you used it with. It’s simple to automate trying a breached password against many sites at once (often called credential stuffing). Once the attacker does this and finds out which accounts shared that password, they can break in and do whatever they want. Stop reusing passwords, and start using a password vault service to create complex passwords automatically, then save them in the online password vault. There are many password vault services out there like LastPass, Roboform, Norton, and many more.
- Multi-factor authentiwhat? If you aren’t using multi-factor authentication (MFA) with any service that offers it, you need to start. Without MFA, if your password is breached on an account, the attacker has an easy in. If your password is breached on an account protected by MFA, the attacker will be unable to log in without your verification of the activity. How does MFA work? It’s simple: you usually need to go to the security settings for whatever account you are using, and you can set it up there. MFA means that rather than anyone with your password being able to log in, a second factor of authentication must be used before the website will allow the login. Usually, this second factor is something like your phone number (you get a text asking to allow the login), an authentication app (Google Authenticator, etc.), or a physical security key (YubiKey).
So while chances are good that if your password gets breached, it won’t knock out one of the top US pipelines, it’s still going to be painful to deal with. Use good password hygiene, and keep attackers out of your online accounts.
Editor’s note: Becky Rutherford works in information technology at Los Alamos National Laboratory.