It has now been more than a month since the attack on Colonial Pipeline that shut down the largest fuel pipeline in the US. Investigators now know that the intrusion was made possible by an exposed VPN credential. A VPN (Virtual Private Network) is used to securely connect to a network from a remote location: it uses encryption to extend a company network to workers who are not on site. While the VPN technology itself is sound, a VPN is only as secure as the credentials used to log in to it.
In this case, Charles Carmakal, senior VP at the cybersecurity firm Mandiant, part of FireEye Inc., reports that a user's password was exposed on the dark web and that the hackers used that password to gain VPN access to Colonial Pipeline's network.
Several security oversights allowed the breach to happen. First, the account the hackers used was no longer in use by the company, but it had never been deactivated and was still active. Second, multifactor authentication was not in use on the VPN account, so a password alone was enough to get in.
Multifactor authentication may sound complicated, but in practice it is easy to understand. When you sign in somewhere with a username and password, your password is one factor of authentication; multifactor authentication is simply the use of more than one factor. You have probably already been using it, possibly without knowing it. When you log into your bank account, Gmail, or any other account you have set up and it texts you a PIN code to enter along with your password, that's multifactor authentication. The system is using more than just a password to make sure you are the one signing in, which is why a password found on the dark web is not, by itself, enough to get past it.
Another security practice that can be put in place is proactive scanning of the dark web for usernames and passwords. There are services that actively scan dark web sources, looking for fragments of information about users who belong to an organization. Finding these exposed credentials early gives warning of a potential attack vector while there is still time to reset the password, disable the account, or add a second factor, and so limits the damage to the business.
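The monitoring services described above match an organization's accounts against credential dumps. The client-side counterpart, shown here as an added example that is not from the original article or from any vendor's product, is to check a password against a corpus of breached password hashes without disclosing the password, or even its full hash: only the first five hex characters of the SHA-1 are sent, and the server returns every known hash suffix in that range for the client to compare locally. That is the k-anonymity scheme used by Have I Been Pwned's Pwned Passwords API, whose `<suffix>:<count>` response format is assumed here. The range responses are constructed so the example runs offline; the suffixes for "password" and "123456" are their real SHA-1 values, the counts and the neighbouring entries are made up.

```python
"""Added example: k-anonymity range check of passwords against a breach corpus.

Not code from the original article. The range data below is constructed
(real SHA-1 suffixes for "password" and "123456", made-up counts and
neighbours) so that the check runs offline.
"""
from __future__ import annotations

import hashlib
from typing import Callable, Iterable


def split_hash(password: str) -> tuple[str, str]:
    """Upper-case SHA-1 of the password, split into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def exposure_count(password: str, fetch_range: Callable[[str], Iterable[str]]) -> int:
    """How many times the password appears in the corpus (0 = not found).
    `fetch_range(prefix)` yields lines of the form '<35-hex-suffix>:<count>'."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix):
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0


def audit_accounts(accounts: dict[str, str],
                   fetch_range: Callable[[str], Iterable[str]]) -> dict[str, int]:
    """Return {username: exposure count} for every account whose password is in
    the breach corpus; the early warning the article describes."""
    findings: dict[str, int] = {}
    for username, password in accounts.items():
        count = exposure_count(password, fetch_range)
        if count:
            findings[username] = count
    return findings


# --- constructed offline stand-in for the range endpoint --------------------
CONSTRUCTED_RANGES = {
    # SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    "5BAA6": [
        "003D68EB55068C33ACE09247EE4C639306B:3",      # made-up neighbour
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000",   # "password" (count made up)
        "7B5F6FD2D4C72B1BFF8B2CBFA6B1B9B8E3A:12",     # made-up neighbour
    ],
    # SHA-1("123456") = 7C4A8D09CA3762AF61E59520943DC26494F8941B
    "7C4A8": [
        "D09CA3762AF61E59520943DC26494F8941B:500",    # "123456" (count made up)
    ],
}


def offline_fetch_range(prefix: str) -> list[str]:
    """Stand-in for an HTTPS GET of .../range/<prefix>. Prefixes the constructed
    corpus does not know return an empty range, meaning no match."""
    return CONSTRUCTED_RANGES.get(prefix, [])


if __name__ == "__main__":
    # Constructed staff list with plaintext passwords, as at password-change time.
    staff = {
        "alice": "password",
        "bob": "correct horse battery staple",
        "carol": "123456",
    }
    print(audit_accounts(staff, offline_fetch_range))
```

The check needs the plaintext password, so in practice it runs when a password is set or changed (the only moment an organization should ever see it) and rejects anything already in a dump. Watching existing accounts is what the dump-matching services in the paragraph above do, since they work from the leaked side rather than from the organization's own stored hashes.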
Author: Josh Cochran, President and CEO of Diverse CTI
Josh has worked in Information Technology and Telecommunications for over 25 years. He is an expert in business, technology, and entrepreneurship and currently owns an IT and Telecommunications company based in Oklahoma City. He also speaks on these subjects and many others at many engagements across the country.