The recent news of a cyberattack on a water treatment plant carried out by a remote perpetrator came as a shock to organizations around the world.
Earlier this month, an unauthorized threat actor remotely accessed the plant’s control systems via TeamViewer and used that access to raise the amount of sodium hydroxide (lye) in the water to a dangerously high level. Fortunately, a vigilant operator at the plant spotted the anomalous activity in real time and raised the alarm internally before any damage was done. While the incident is still under investigation, security analysts across the globe have unanimously agreed that poor access controls and weak security hygiene paved the way for it.
To put things in perspective, there was no sophisticated or complex attack strategy involved in this incident; the attacker was able to breach public infrastructure simply by taking advantage of the treatment plant’s lax security practices.
The silk route to privileged information
Attackers do not always need to develop advanced tooling to carry out their plans; sometimes they simply pick up stolen or compromised credentials from the dark web to break into critical networks. They may also rely on simple techniques, such as phishing, keylogging, and brute forcing, to gain access to their target machines.
While it is true that attack methods are rapidly evolving, it is more often the misuse of administrative privileges and weak or stolen credentials that suffice to breach critical infrastructure. Take the attack on the Florida water treatment plant, for example: all it took the unidentified perpetrator was one unprotected password to access and operate the control systems remotely.
With work from home now a prevailing necessity for the global workforce, corporate VPNs and privileged remote sessions are often the only way employees can reach their corporate resources. As remote work has grown across the globe, however, there has also been a significant surge in remote-session-based attacks, in which cybercriminals break into critical infrastructure using compromised credentials. Because the credentials are legitimate, the attackers blend in with legitimate users and avoid detection.
Simply put, it is often the known, neglected, and underestimated weaknesses that give cybercriminals the opportunity to exploit administrative access to privileged resources. Time and again, incidents like this prove that when passwords are stored in secure vaults and are subject to standard security practices, the chances of being hacked are far lower.
The Goldilocks approach to proactive cybersecurity
Security is not a one-time process; it has to be approached and improved holistically. While it is crucial to stay on top of threats by employing advanced defence controls, it is equally imperative to consistently ensure that the often ignored or neglected fundamental elements of security (read: credentials) are fortified. This involves following a set of basic security hygiene practices, such as:
Ensuring and mandating strict password policies
Including multi-factor authentication controls
Securing privileged credentials in encrypted databases
Monitoring remote user sessions in real time
Identifying and terminating suspicious user activities
Periodic vulnerability scanning and patching of endpoints
Poor password practices, such as reusing and sharing critical credentials, are not uncommon and open several loopholes for attackers to exploit. Manually managing and tracking privileged credentials in spreadsheets is not only cumbersome but also unreliable, because one malicious or careless insider is all it takes to expose the credentials to criminals. Furthermore, remote sessions, when reached by unauthorized users, can open the floodgates to sensitive information worth hundreds of millions of dollars.
For these reasons, it is imperative for organizations to employ sound privileged access security controls to safeguard access to sensitive information systems and to monitor live remote sessions. This can be achieved by investing in a reliable privileged access management (PAM) solution that automates the mundane tasks of:
Discovering, consolidating, and storing privileged passwords in secure vaults.
Automatically resetting passwords based on existing policies and rotating passwords after every one-time use.
Assigning the least privileges possible to normal users and elevating their privileges if and when required.
Enforcing multi-factor authentication controls to authorize access to privileged resources.
Establishing a request-release workflow to validate user requirements before providing them with access to critical resources.
Monitoring remote user sessions in real time, terminating suspicious sessions, and revoking user privileges upon expiration of their sessions.
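The lifecycle in the list above (request, approval, time-bounded elevation, rotation after one-time use, revocation on expiry) is easier to reason about as code. The following is an added example written for this post, not ManageEngine's or PAM360's implementation; the `Vault`, `AccessRequest` and `Session` names, the `scada-admin` role and the `plc-hmi-admin` account are all constructed for illustration, and the vault keeps its secrets in a plain dictionary so the workflow stays visible (a real vault encrypts them at rest).

```python
"""Minimal model of a request-release privileged access workflow.

Added example, not product code. Names and the clock value passed as `now`
are constructed. Shows: approval by someone other than the requester,
just-in-time elevation for a bounded window, rotation of the credential at
check-in, and revocation of the elevation when the window lapses.
"""
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass, field

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def generate_password(length: int = 24) -> str:
    """Rotation target: a fresh random password nobody has seen yet."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


@dataclass
class AccessRequest:
    requester: str
    account: str
    justification: str
    approved_by: str | None = None


@dataclass
class Session:
    requester: str
    account: str
    expires_at: int          # seconds on the (constructed) clock passed as `now`
    active: bool = True


@dataclass
class Vault:
    """Holds privileged account passwords and releases them under control."""
    secrets_store: dict[str, str] = field(default_factory=dict)
    approvers: set[str] = field(default_factory=set)
    roles: dict[str, set[str]] = field(default_factory=dict)   # JIT elevation lives here
    sessions: list[Session] = field(default_factory=list)
    audit: list[str] = field(default_factory=list)

    def add_account(self, account: str) -> None:
        self.secrets_store[account] = generate_password()

    def approve(self, req: AccessRequest, approver: str) -> bool:
        """Request-release: a designated approver, never the requester, releases access."""
        if approver not in self.approvers or approver == req.requester:
            self.audit.append(f"DENY approval of {req.account} by {approver}")
            return False
        req.approved_by = approver
        self.audit.append(f"APPROVE {req.requester}->{req.account} by {approver}")
        return True

    def checkout(self, req: AccessRequest, now: int, ttl: int = 900):
        """Release the credential for `ttl` seconds and elevate the requester."""
        if req.approved_by is None or req.account not in self.secrets_store:
            self.audit.append(f"DENY checkout {req.requester}->{req.account}")
            return None
        session = Session(req.requester, req.account, expires_at=now + ttl)
        self.sessions.append(session)
        self.roles.setdefault(req.requester, set()).add("scada-admin")
        self.audit.append(f"CHECKOUT {req.requester}->{req.account} until {session.expires_at}")
        return self.secrets_store[req.account], session

    def checkin(self, session: Session) -> str:
        """One-time use: close the session, rotate the password, drop the elevation."""
        session.active = False
        self.roles.get(session.requester, set()).discard("scada-admin")
        self.secrets_store[session.account] = generate_password()
        self.audit.append(f"ROTATE {session.account} after checkin by {session.requester}")
        return self.secrets_store[session.account]

    def expire(self, now: int) -> list[Session]:
        """Timer job: revoke every active session whose window has lapsed."""
        expired = [s for s in self.sessions if s.active and s.expires_at <= now]
        for s in expired:
            self.checkin(s)
            self.audit.append(f"EXPIRE {s.requester}->{s.account}")
        return expired


def demo() -> dict[str, object]:
    """Walk one operator through the lifecycle and return the facts worth checking."""
    vault = Vault(approvers={"shift-supervisor"})
    vault.add_account("plc-hmi-admin")
    req = AccessRequest("operator-1", "plc-hmi-admin", "adjust dosing schedule")
    self_approved = vault.approve(req, "operator-1")      # refused: self-approval
    unapproved = vault.checkout(req, now=1000)             # refused: not yet approved
    vault.approve(req, "shift-supervisor")
    password, session = vault.checkout(req, now=1000, ttl=900)
    elevated = "scada-admin" in vault.roles["operator-1"]
    rotated = vault.checkin(session)
    return {
        "self_approved": self_approved,
        "unapproved": unapproved,
        "elevated_during_session": elevated,
        "elevated_after_checkin": "scada-admin" in vault.roles["operator-1"],
        "password_changed": rotated != password,
        "audit_events": len(vault.audit),
    }
```

Running `demo()` shows the two refusals being logged alongside the approval, checkout and rotation, and `Vault.expire()` is what a scheduler would call so that a session left open after a shift change loses its privileges without anyone having to remember to check it in.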
In addition, PAM solutions help eliminate the silos and monotony associated with access management controls. They automate credential and access security workflows, which lets IT admins save time and effort for more important tasks.
How does ManageEngine help?
ManageEngine PAM360 is a unified, enterprise-grade privileged access management solution designed to help IT teams centralize the management and security of privileged credentials and secure remote sessions to privileged resources such as databases, servers, and endpoints. PAM360 is secure by design and complies with the mandatory requirements of Federal Information Processing Standards Publication (FIPS) 140-2. The salient features of our PAM solution include, but are not limited to:
Enterprise password vaulting and management
PAM360 enables periodic auto-discovery and vaulting of proprietary enterprise entities, such as passwords, documents, digital signatures, SSH keys, TLS/SSL certificates, and more. All credentials are stored in a secure repository encrypted with AES-256. The solution also lets password admins reset and rotate passwords periodically according to existing password policies, which helps eliminate unauthorized access.
Secure remote access to privileged information systems
With PAM360, users can launch direct, one-click remote access to privileged systems, such as servers, applications, databases, and network devices, without credentials ever being exposed to end users. Our solution provides an encrypted, agentless gateway for initiating RDP, VNC, and SSH sessions with bidirectional secure file transfer.
Security by design
PAM360 is designed around customer data security and offers military-grade protection of end-user data. The product includes built-in multi-factor authentication controls that require users to authenticate in two successive stages before reaching the web interface. Further, we provide integrations with leading single sign-on (SSO), multi-factor authentication, and identity management solutions to enable seamless and secure logins.
Cutting-edge privileged session management
PAM360 comes with a built-in mechanism to monitor, record, shadow, and play back remote user sessions, which not only helps eliminate blind spots and bad actors but also supports forensic investigation through comprehensive audit trails.
Advanced user behavior analytics and event correlation
PAM360 provides contextual integration with security information and event management (SIEM) and IT analytics tools to consolidate and correlate privileged event data with other events across the enterprise. This enables IT teams to establish baseline user behavior patterns and to spot and block malicious actors whose behavior deviates from that baseline. Additionally, security teams can use this data to eliminate known vulnerabilities and make data-driven security decisions.
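Both the hygiene items earlier on the page (monitoring remote sessions in real time and terminating suspicious ones) and the baseline-deviation idea in this section come down to the same two steps: learn what each privileged user normally does, then score each live session event against that profile. The following is an added example written for this post, not PAM360's or any SIEM's detection logic. The `ts key=value` log format, the `operator-2` user, the 198.51.100.0/24 and 203.0.113.0/24 addresses, the `NaOH_ppm` setpoint values and the score thresholds are all constructed; a real deployment would feed jump-host or PAM session audit logs and ICS change logs into the same functions.

```python
"""Baseline-and-deviation scoring of remote session audit events.

Added example, not product code. All log lines, names, addresses and
setpoint values are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed history: normal operator-2 sessions (business hours, corporate
# VPN range 198.51.100.0/24, small dosing adjustments).
HISTORY = [
    "2021-01-18T07:55:02 user=operator-2 tool=teamviewer src=198.51.100.21 action=login",
    "2021-01-18T08:10:44 user=operator-2 tool=teamviewer src=198.51.100.21 action=setpoint target=NaOH_ppm old=100 new=105",
    "2021-01-19T15:40:19 user=operator-2 tool=teamviewer src=198.51.100.37 action=login",
    "2021-01-21T09:02:51 user=operator-2 tool=teamviewer src=198.51.100.21 action=login",
    "2021-01-22T16:12:08 user=operator-2 tool=teamviewer src=198.51.100.40 action=setpoint target=NaOH_ppm old=105 new=100",
]

# Constructed live feed: one benign session, one off-hours login, and one
# session from an unknown network that makes a large setpoint jump.
LIVE = [
    "2021-02-05T10:15:00 user=operator-2 tool=teamviewer src=198.51.100.21 action=login",
    "2021-02-05T03:12:30 user=operator-2 tool=teamviewer src=198.51.100.37 action=login",
    "2021-02-05T13:02:11 user=operator-2 tool=teamviewer src=203.0.113.45 action=login",
    "2021-02-05T13:04:30 user=operator-2 tool=teamviewer src=203.0.113.45 action=setpoint target=NaOH_ppm old=100 new=1100",
]

TERMINATE_SCORE = 5   # constructed threshold: at or above this, cut the session


def parse_event(line: str) -> dict[str, str]:
    """Turn 'ts key=value ...' into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def source_network(addr: str) -> str:
    """Collapse an address to its /24 so a new lease inside the VPN pool is not an alert."""
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


def build_baseline(lines: list[str]) -> dict:
    """Per user: source networks seen and hours of day at which they were active."""
    baseline = defaultdict(lambda: {"networks": set(), "hours": set()})
    for ev in map(parse_event, lines):
        baseline[ev["user"]]["networks"].add(source_network(ev["src"]))
        baseline[ev["user"]]["hours"].add(datetime.fromisoformat(ev["ts"]).hour)
    return baseline


def score_event(ev: dict[str, str], baseline: dict) -> tuple[int, list[str]]:
    """Return a risk score and the human-readable reasons behind it."""
    score, reasons = 0, []
    profile = baseline.get(ev["user"])
    if profile is None:
        return 5, ["user has no baseline"]
    network = source_network(ev["src"])
    if network not in profile["networks"]:
        score += 3
        reasons.append(f"unknown source network {network}")
    hour = datetime.fromisoformat(ev["ts"]).hour
    if not any(abs(hour - h) <= 1 for h in profile["hours"]):
        score += 2
        reasons.append(f"activity at hour {hour:02d} outside baseline")
    if ev.get("action") == "setpoint":
        old, new = float(ev["old"]), float(ev["new"])
        if old > 0 and new / old >= 2:            # a doubling or more is never routine
            score += 4
            reasons.append(f"{ev['target']} changed {old:g} -> {new:g}")
    return score, reasons


def evaluate(lines: list[str], baseline: dict) -> list[dict]:
    """Run the live feed through the rules; one alert per event with any reason."""
    alerts = []
    for ev in map(parse_event, lines):
        score, reasons = score_event(ev, baseline)
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "src": ev["src"],
                           "score": score, "reasons": reasons,
                           "terminate": score >= TERMINATE_SCORE})
    return alerts


if __name__ == "__main__":
    for a in evaluate(LIVE, build_baseline(HISTORY)):
        verdict = "TERMINATE SESSION" if a["terminate"] else "review"
        print(f"{a['ts']} {a['user']}@{a['src']} score={a['score']} {verdict}: {'; '.join(a['reasons'])}")
```

On the constructed feed the benign 10:15 login produces no alert, the 03:12 login is flagged for review only, and the two events from 203.0.113.45 cross the termination threshold, the second one carrying the setpoint change as its loudest reason. The scoring is additive on purpose: a single unusual hour is worth a look, but an unknown network combined with a process change is what should end the session and page an on-call engineer.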
All in all, this cyberattack on a public utility’s control systems highlights that security breaches not only cost organizations their reputations and hefty penalties but can also put many innocent lives at risk. It is corroborating evidence that organizations, especially those that serve the public interest, need to tighten their security infrastructure using a bottom-up approach.