How ignoring the PoLP and password123 can cost you $4.4 million


by Megan Barker

If you’ve followed the news in the last month or so, you already know about the Colonial Pipeline cyber attack that took place at the end of April. If you haven’t, here is the short version.

On April 29, 2021, attackers gained access to the network of the largest fuel pipeline in the United States. The attack led to a ransom payment of $4.4 million and to fuel shortages along the US East Coast.

I work in cybersecurity, so I understand the risks we face in this digital world. But when an organization of this scale is compromised through the smallest of security gaps, I still think, “How does that happen?”

On a purely technical level, I can tell you. The attackers, believed to be members of a well-known cybercrime group, got into the network through a Virtual Private Network (VPN). The VPN account that served as their entry point wasn’t in use at the time, but it was still active (more on that in a minute).

The password was the other problem. It was later found that the password for that VPN account had been compromised: the attackers found it in a batch of breached passwords posted online. The account also wasn’t protected by multi-factor authentication, so the password alone was enough to get in.

About that VPN

Now, I know what you might be thinking, but don’t be so quick to blame the VPN itself. Using a VPN wasn’t the problem. Virtual Private Networks are certainly not foolproof, but they aren’t inherently bad either. For ordinary web traffic, TLS and encrypted DNS already do most of the protective work, so a VPN adds less there than its marketing suggests; a remote-access VPN is a different tool, and it can be useful and, in some situations, necessary. In the case we’re discussing, the VPN let remote workers reach Colonial Pipeline’s network as though they were physically on it.

No, it wasn’t the VPN itself; it was the unused account that was still active. A few months ago we looked at the principle of least privilege (PoLP). The principle is to grant the bare minimum access:

  • to the items needed
  • where it’s needed
  • to those who need it
  • for as long as needed

The people running the pipeline’s network failed on the last of those. The VPN account clearly wasn’t needed any longer, and it should have been disabled the moment that became true. That isn’t a one-time decision, either: nobody files a ticket to say “I stopped using my VPN login,” so dormant accounts have to be hunted down on a schedule.
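Here is an added example of that scheduled review (my own code, not Colonial Pipeline’s tooling and not part of the original post). It reads an export of VPN accounts with creation and last-login timestamps, skips accounts that are already disabled, and flags enabled accounts that haven’t authenticated in 90 days, with a shorter grace period for accounts that have never been used at all. The CSV rows, the reference date, both thresholds and the `vpn-admin disable-user` command it prints are all constructed for illustration; substitute your own directory export and your VPN’s real admin command.

```python
import csv
import io
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional

# Constructed export of VPN accounts (not real data): username, whether the
# account is enabled, creation time, and last successful login (empty = never).
CONSTRUCTED_EXPORT = """username,enabled,created,last_login
jdoe,true,2019-03-04T09:00:00Z,2021-04-27T15:12:00Z
legacy-vpn-svc,true,2018-06-01T00:00:00Z,2020-11-02T08:30:00Z
newhire,true,2021-05-01T00:00:00Z,
old-contractor,true,2017-01-10T00:00:00Z,
rsmith,false,2016-05-05T00:00:00Z,2020-01-01T00:00:00Z
"""

# Constructed reference time for the review run.
NOW = datetime(2021, 5, 7, 12, 0, tzinfo=timezone.utc)

DORMANT_DAYS = 90            # assumed policy: no login for this long -> disable
NEVER_USED_GRACE_DAYS = 14   # assumed policy: never used and older than this -> disable


class Finding(NamedTuple):
    username: str
    reason: str
    idle_days: int


def parse_ts(value: str) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp; an empty field means 'never'."""
    value = value.strip()
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_dormant_accounts(export_csv: str, now: datetime,
                          dormant_days: int = DORMANT_DAYS,
                          never_used_grace_days: int = NEVER_USED_GRACE_DAYS) -> List[Finding]:
    """Apply the 'for as long as needed' rule to an account export.

    Enabled accounts are flagged when their last login is older than
    dormant_days, or when they have never logged in and were created more
    than never_used_grace_days ago. Already-disabled accounts are skipped.
    """
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"].strip().lower() != "true":
            continue
        last_login = parse_ts(row["last_login"])
        if last_login is None:
            # Never used: measure idleness from creation, with the shorter grace period.
            idle_since = parse_ts(row["created"])
            threshold, reason = never_used_grace_days, "never used"
        else:
            idle_since = last_login
            threshold, reason = dormant_days, "no login"
        idle_days = (now - idle_since).days
        if idle_days >= threshold:
            findings.append(Finding(row["username"], reason, idle_days))
    return findings


def disable_commands(findings: List[Finding]) -> List[str]:
    """Render findings as the actions a reviewer would run. The command name
    is hypothetical; use your VPN or directory's real disable command."""
    return [f"vpn-admin disable-user {f.username}  # {f.reason} for {f.idle_days} days"
            for f in findings]


if __name__ == "__main__":
    for cmd in disable_commands(find_dormant_accounts(CONSTRUCTED_EXPORT, NOW)):
        print(cmd)
```

Run against the constructed export, this flags `legacy-vpn-svc` (last login 186 days before the reference date) and `old-contractor` (created in 2017, never used), while `newhire` stays inside the grace period and `rsmith` is ignored because it is already disabled. The two thresholds are deliberately separate: a never-used account that is more than a couple of weeks old is a provisioning mistake, not a user on vacation, and it deserves a much shorter fuse.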

Then there was the password

According to HaveIBeenPwned, there are 613 million (and counting) breached passwords freely available online. The title of this post is hyperbole; I have no idea whether the password was password123, and it doesn’t matter. What matters is that it wasn’t unique, so a leak somewhere else became a working credential here.

We can’t control the security of every website we visit or every online account we have. But we can control the security of our passwords.

Every time you or your employees reuse a password, your company and its resources are at risk. If your team members don’t use a password manager like 1Password, you could find your organization in a situation like this one quite easily. 1Password not only generates passwords that are long, random, and unique, it also stores them securely. Beyond that, our Watchtower integration with HaveIBeenPwned shows you if and when your passwords appear in a breach so you can change them immediately. How’s that for foolproof?
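To show what a breach check like that looks like under the hood, here is an added example (my own code, not 1Password’s Watchtower implementation and not part of the original post) that checks a password against HaveIBeenPwned’s Pwned Passwords range endpoint using its k-anonymity scheme: only the first five hex characters of the password’s SHA-1 hash leave the client, and the match against the returned suffixes happens locally, so the service never learns the password or its full hash. The leaked-password list and its counts are constructed, and `fake_fetch` stands in for the HTTP call so the block runs offline; `live_fetch` is the real request against `https://api.pwnedpasswords.com/range/`, with an arbitrary User-Agent value.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the breach corpus: passwords we pretend appeared in
# leaks, with made-up breach counts. The real service holds hundreds of millions.
CONSTRUCTED_LEAKED: Dict[str, int] = {
    "password123": 123456,
    "qwerty": 3912816,
    "letmein": 284000,
}

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real Pwned Passwords endpoint


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def build_fake_range_index(leaked: Dict[str, int]) -> Dict[str, List[str]]:
    """Index the constructed corpus by 5-char prefix, mirroring the range API.
    Each value is the list of 'SUFFIX:COUNT' lines the endpoint would return."""
    index: Dict[str, List[str]] = {}
    for password, count in leaked.items():
        prefix, suffix = split_hash(password)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


FAKE_INDEX = build_fake_range_index(CONSTRUCTED_LEAKED)


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for the HTTP call. Unknown prefixes return an empty
    body here; the live service returns a few hundred lines for every prefix."""
    return "\r\n".join(FAKE_INDEX.get(prefix, []))


def live_fetch(prefix: str, timeout: float = 10.0) -> str:
    """Real query: GET https://api.pwnedpasswords.com/range/<prefix>.
    Add-Padding asks the service to pad the response with zero-count lines so
    the response size does not reveal how many hashes share the prefix."""
    request = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "polp-blog-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fake_fetch) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).
    Only the prefix is passed to fetch; the suffix comparison is local."""
    prefix, suffix = split_hash(password)
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        returned_suffix, _, count = line.partition(":")
        if returned_suffix.upper() == suffix:
            return int(count)  # padding lines carry 0, which reads as 'not seen'
    return 0


def is_reused(password: str, fetch: Callable[[str], str] = fake_fetch) -> bool:
    """True when the password has shown up in at least one known breach."""
    return pwned_count(password, fetch) > 0


if __name__ == "__main__":
    for candidate in ("password123", "Xq7!vL9#tRw2pZ4m"):
        print(candidate, "->", pwned_count(candidate))
```

Against the constructed corpus, `password123` comes back with its made-up count and a random 16-character password comes back with 0. To query the real service, pass `fetch=live_fetch`; everything else, including the rule that the suffix never leaves the machine, stays the same.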

So, what’s the answer?

I’m left with my original question: how does an attack like this happen, beyond the technicalities? We live in a world where password breaches and cyber attacks happen every single day, yet everyone, from individuals to massive corporations, remains vulnerable.

The answer? The right tools and the right mindset. Even with the world’s best password manager, there has to be a process behind it. As Bruce Schneier put it, “Security is a process, not a product.” Apply the principle of least privilege, retire accounts that are no longer needed, replace weak and reused passwords, build a culture of security, and keep the conversation going.

Just don’t talk passwords. There’s a feature for that.
