In June of 2014, we saw one of the first hacks that actually put an organization out of business entirely. The company, Code Spaces, was a small software code hosting service that was housed entirely in Amazon Web Services. A malicious attacker compromised their account’s control panel, and numerous extortion attempts were made (along with several DDoS attacks targeting the company). The attacker created multiple backdoor accounts to gain access, and ultimately succeeded in destroying most of the company’s AWS assets when they refused to pay the ransom. How did the attackers compromise the account in the first place? Simple - they compromised an administrative account, logged in, and then created new admin accounts for their own use.
There are a lot of lessons to learn from this compromise scenario. First, the company did not enable multifactor authentication on the management interface, which provided the initial entry vector for the attackers. By simply brute forcing an admin account, they gained access with nothing more than a username and password. All privileged accounts should have more stringent authentication standards in place. Another major mistake made in this scenario revolved around logging - the brute force attacks should have triggered some sort of alarms, but the company was not carefully tracking privileged account activity through log and event monitoring. Logging all privileged account activities should be a top priority for security teams who want to ensure privileged access isn’t abused. Finally, the company was obviously unable to identify and track all the privileged accounts within their cloud environment, as the attacker was able to get back in and wreak havoc. Every privileged account should be unique and carefully tracked in an account inventory.
There were lots of other issues that contributed to Code Spaces’ downfall, but at the core of the problem was an obvious lack of awareness and concern for privileged access to their most important assets. This is becoming a much bigger problem with cloud services, as organizations are finding new privileged accounts that don’t integrate with corporate directory services, incompatible API access for identity management services, and “shadow” cloud services in use that they may not even be aware of! With more sensitive data being sent to the cloud than ever before, this is an issue that organizations need to get a handle on, and the sooner the better.
To start, security teams need to start monitoring privileged users initiating sessions to cloud-based services and administrative interfaces. Just keeping tabs on outbound access to cloud providers and looking for admin access can go a long way to identifying what types of accounts are in use. Tracking those accounts and protecting them with strong privileged user management tools are also steps organizations need to take to better secure Webcasts |
-
Resources
How to Secure Privileged Session Access to Cloud-based VMs
In this webinar, we will look at several different ways to more safely provide admins with SSH/RDP access to VMs in the cloud.
Register nowOn the Blog
- Ransomware: A Problem of Excesses (Access, Privileges, Vulnerabilities)
- Remote Support Version 19.2 Introduces Market-Leading Capabilities to Simplify Workflows & Enhance Security
- Insights & Highlights from my first Microsoft Ignite Conference
- November 2019 Patch Tuesday
- No-Impact and Zero-Friction Cybersecurity, Is It Possible?
News
- BeyondTrust Remote Support 19.2 Simplifies Workflows and Enhances Security
- Bridging the gap: Can DevOps help embed security into the development process?
- The employee threat: How to remedy poor cyber-security practice
- The Top Security Predictions for 2020 and Beyond
- BeyondTrust announces its top security predictions for 2020 and beyond