This article is part of Panther’s new Future of Cyber Attacks Series which features interviews with cyber security experts, thought leaders, and practitioners with a goal of better understanding what organizations can do to prepare themselves for the future of cyber attacks.
The following is an interview we recently had with Steve Tcherchian, CISO and Chief Product Officer at XYPRO.
The SolarWinds and Kaseya incidents showed us what types of multifaceted attacks are being used. It’s not a matter of if they’re going to get into your network. They’re going to get in. In the SolarWinds attack, once the attackers gained access to the network with compromised credentials, they moved laterally by capturing and using multiple, different, insecure credentials. Our efforts should focus on shoring up internal systems to limit their ability to move laterally using insecure credentials and passwords once they’re in. Proper password management and multi-factor authentication would have prevented this from happening.
This is counterintuitive to traditional methods of security where locking the front door was once considered to be good enough. But time after time we’ve seen that it is no longer sustainable. Defense in depth is required. We need to treat locking up all the valuable systems and information inside of our network as being just as important as hardening our perimeter. ZERO TRUST SECURITY!
The proliferation of Internet of Things (IoT) devices, an expanding remote workforce due to the pandemic and the need for automation has put “smart devices” into the spotlight. We’ve all heard the stories of attacks on IoT devices. Remote attackers viewing baby monitors and home security cameras. Estranged couples trying to annoy each other by remotely adjusting the thermostat. Even instances where a smart switch was hacked and all the attacker did was turn the switch on and off rapidly where it generated a spark and started a house fire. These are extreme examples but IoT security is a real problem.
The functionality and simplicity of IoT devices is great. These conveniences come at a steep price. The tradeoff is often security and personal data. For an IoT device to be quick to market, affordable, easy to set up and useful– usually important, non-valuable functions like security are cast aside. Off the shelf IoT devices usually have hardcoded default passwords. These passwords can be located by a simple Google search. Manufacturers often post their device passwords online to aid in the setup of their device. Some of these devices have passwords like admin/admin. Multiple devices from the same provider or chip maker may all share the same password. Some devices have hard coded passwords that cannot be changed. I’ve even seen devices with no passwords. Securing these devices needs to start at the source.
This vulnerability, connected to the internet via the same Wi-Fi we’re all using to do remote school, play video games and work from home during a pandemic creates a big threat to the remote workforce. These insecure devices provide an easy entry point into home networks and given time will allow attackers to move laterally into corporate networks. I don’t see this risk going away. In fact, as the remote workforce gets more comfortable working from home and the market continues to be flooded with smart devices and automation, this problem will get much worse.
Unfortunately, unless required by compliance or by government legislation, I predict that we will see very little from the business community in this regard. That is not to say there aren’t software vendors and IoT manufacturers who want to do the right thing, but unfortunately without external pressure, most won’t.
One of the most critical security risks to any organization are passwords, especially default passwords and passwords to privileged accounts, which have elevated access to perform administrative functions. These can be administrator accounts, service accounts, database connection accounts, application accounts and others. Most of these accounts were set up ages ago when an application or system was initially deployed. They have multiple integration points and because of the risk of “breaking something,” the passwords for these accounts are rarely rotated, likely shared and often improperly stored.
Privileged account abuse is the most common way for hackers to compromise a system. Proper credential storage and accountability is paramount to risk mitigation. Relying on manual methods is resource-intensive, error-prone and leaves gaps.
According to a Varonis report, nearly 40% of all users sampled have passwords that have never been rotated! These passwords have a higher likelihood of showing up in online password dumps and being used to infiltrate networks. Simply put – they’re a cyber criminal’s best friend. This is how hackers walk in right through the front door. Not because they’re clever, rather because we make it too easy for them.
