Unexpected consequences of data breaches

The hot news last week in IT security was a vast data breach at Stewart International Airport. A hefty 760 gigabytes of raw online data backup have leaked out due to simple human error. Deep analysis of this incident revealed that outside of the standard content you could expect in such a leak (like strategic planning, contracts, agreements, customer databases etc.etc.), the online copy also contained simple excel sheets with passwords to critical internal elements of the IT system.

Such "God Excels" seem to be standard practice now, when IT becomes complex while network components, databases or other critical assets still require static passwords for privileged accounts.

Those “unchangeable” passwords are distributed inside every IT system due to some legacy architectures or because of the design of the interfaces. Furthermore, they remain the same for the entire lifecycle of the component, as the process of changing them is either too costly or people forget to change them. Sometimes – due to human laziness – they get propagated through many system components, because it’s “easier” to use the same password everywhere (of course this is against all IT security best practices). 

Such an approach results in even harder access management, especially when it comes to handling critical situations or any kind of emergency. The organization cannot share the static passwords with external parties, e.g. subcontractors or emergency teams, because this will require a massive “password overhaul” operation afterwards in order to prevent further uncontrolled access.

Just imagine what's happening at the Stewart International Airport now? They are probably panicking and trying to change the compromised accesses. But even if they succeed, the attackers can still enter the system. Usually the data leak is revealed only as the last stage of the attack, when all other actions have already been taken. So the “bad guys” have already explored the system, planted their malware and left backdoors for future use. All without any trace. The only solution would be to rebuild the system from scratch, which usually doesn’t happen due to financial or timing limitations.

Similar security incidents can be effectively prevented by using a Privileged Access Management solution like Wheel Fudo PAM. It can securely store the static passwords for critical assets and change them based on a predefined schedule and policy (such as the length and randomness of the password chain). At the same time, Fudo policy precisely enables access to internal components without the need to reveal actual passwords, so your administrators and external contractors can complete their tasks easier than with manual logins. If required, you can elevate the system's protection further with strong authentication like Wheel Cerb AS. This way two-factor authentication (2FA) is available to guard access to important components even if they do not support extended authentication schemes out of the box.

Post Scriptum

While writing this piece, yet another major data leak case has surfaced. This time the leaked online backup contained superbly sensitive personal data of US military personnel subject to security clearance procedures. It also contained detailed method of password and encryption keys recovery. Just read the previous sentence again and think how your organisation's backups are arranged and how you manage the passwords...