IAM Controls are an integral part of your security protocols. Utilizing least privilege, among other things, reduces the likelihood of a breach.
Identity Access Management (IAM) controls are used to give employees access to specific systems and processes in your business. We have always stated that least privilege is the best way to set those controls. Only give employees access to the specific systems they need to do their jobs effectively and efficiently. The fewer people who have access to internal systems, the smaller your attack surface. The smaller the target, the easier it is to miss.
Another key piece of IAM controls is ensuring that user IDs and passwords are unique, meaning the user doesn’t use the same credentials for multiple systems. This is something a federal agency learned last week when it suffered a breach. From ThreatPost:
“A federal agency has suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday, not naming the agency but providing technical details of the attack. Hackers, it said, gained initial access by using employees’ legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.
“The cyber-threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts,” according to CISA. “First, the threat actor logged into a user’s O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file. The cyber-threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization’s virtual private network (VPN) server.””
As stated above, the bad actor had valid credentials for multiple users. This means an effective phishing scheme was likely executed at some point, or that the agency’s failure to patch a known vulnerability created the exposure. Regardless, this is a prime example of why IAM controls matter, why passwords should be changed every 30-60 days for especially sensitive systems, and why MFA/2FA is so important to employ.
With the access the hackers gained from the initial credentials, they were able to infiltrate systems, including the VPN server, and bypass the anti-malware protections that were in place. They established an SSH tunnel/reverse SOCKS proxy backdoor. They then deployed their malware, which opened a port that is typically closed, and exfiltrated data. The attack has been remediated, although it’s unknown when it actually took place.
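The CISA excerpt above describes the tell-tale pattern of compromised credentials: one external source address signing in successfully as several different accounts. The following is an added example, not code from the original post or from CISA/ThreatPost, showing how a defender can pull that indicator out of sign-in logs. The log format, the sample events and the corporate egress range (RFC 5737 documentation addresses) are all constructed for the example; a real deployment would feed it exported O365 or VPN authentication events and its own egress list.

```python
"""Flag indicators of compromised credentials in sign-in logs.

Added example, not from the original post or from CISA/ThreatPost.
Flags (1) one source IP authenticating successfully as several distinct
accounts within a time window, and (2) successful sign-ins from outside
an assumed allowlist of corporate egress addresses.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample sign-in events: "timestamp user source_ip result".
SAMPLE_LOG = """\
2020-09-17T08:01:12Z alice 198.51.100.10 success
2020-09-17T08:03:40Z bob 198.51.100.10 success
2020-09-17T08:05:02Z carol 203.0.113.77 success
2020-09-17T08:07:15Z dave 203.0.113.77 success
2020-09-17T08:09:51Z erin 203.0.113.77 success
2020-09-17T08:10:30Z frank 203.0.113.77 failure
2020-09-17T09:15:00Z alice 198.51.100.10 success
"""

# Assumed corporate egress range (constructed); load from config in practice.
CORPORATE_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_log(text):
    """Parse the constructed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "result": result,
        })
    return events


def shared_source_ips(events, min_users=3, window=timedelta(hours=1)):
    """Return {ip: sorted users} for source IPs that successfully signed in
    as at least `min_users` distinct accounts within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window anchored at each successful event in turn.
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                flagged[str(ip)] = sorted(users)
                break
    return flagged


def external_successes(events, allowlist=CORPORATE_EGRESS):
    """Return (user, ip) pairs for successful sign-ins from outside the allowlist."""
    hits = []
    for e in events:
        if e["result"] != "success":
            continue
        if not any(e["ip"] in net for net in allowlist):
            hits.append((e["user"], str(e["ip"])))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("shared source IPs:", shared_source_ips(evs))
    print("external successes:", external_successes(evs))
```

Both checks are cheap to run over a daily export, and either hit is a reason to force a password reset and re-enrol MFA for the affected accounts rather than wait for malware to surface.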
Aside from implementing stringent IAM controls, it is crucial for businesses to train their employees on the importance of strong passwords and on how to recognize phishing schemes. People have so many passwords to remember that it’s common for them to be reused across various sites, even at work. Encourage the use of a password manager, require password changes, and use MFA where you can. But the absolute best thing you can do for your business is use least privilege. If someone doesn’t need access to a system in order to do their job, don’t give it to them!
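One way to make the least-privilege rule above concrete, as an added example that is not code from the original post: access is denied unless a user's job role justifies it, sensitive systems additionally require MFA, and an audit routine lists every grant that no role explains. The roles, users, systems and grants below are constructed for illustration; in practice the role map comes from HR or the directory and the actual grants from each system's own access list.

```python
"""Deny-by-default access policy with a least-privilege audit.

Added example, not from the original post. Roles, users, systems and
grants are constructed for illustration.
"""

# Constructed role definitions: which systems each job role needs.
ROLE_SYSTEMS = {
    "engineer": {"git", "ci", "staging"},
    "finance": {"erp", "payroll"},
    "support": {"ticketing", "crm"},
}

# Constructed list of systems that require MFA on top of role membership.
SENSITIVE_SYSTEMS = {"payroll", "erp", "domain_admin"}

# Constructed directory: roles each user holds.
USER_ROLES = {
    "alice": {"engineer"},
    "bob": {"finance"},
    "carol": {"support", "engineer"},
}

# Constructed record of grants actually present on the systems.
ACTUAL_GRANTS = {
    "alice": {"git", "ci", "staging", "payroll"},          # payroll: no role justifies it
    "bob": {"erp", "payroll"},
    "carol": {"ticketing", "crm", "git", "domain_admin"},  # domain_admin: excess
}


def required_systems(user, user_roles=USER_ROLES, role_systems=ROLE_SYSTEMS):
    """Systems the user's roles justify; unknown users and roles get nothing."""
    needed = set()
    for role in user_roles.get(user, set()):
        needed |= role_systems.get(role, set())
    return needed


def check_access(user, system, mfa_verified=False):
    """Deny by default: allow only role-justified access, and require MFA
    for sensitive systems."""
    if system not in required_systems(user):
        return False
    if system in SENSITIVE_SYSTEMS and not mfa_verified:
        return False
    return True


def audit_excess_grants(actual_grants=ACTUAL_GRANTS):
    """Return {user: sorted excess systems} for grants no role justifies.
    These are the entries to revoke."""
    excess = {}
    for user, granted in actual_grants.items():
        extra = granted - required_systems(user)
        if extra:
            excess[user] = sorted(extra)
    return excess


if __name__ == "__main__":
    print("bob -> payroll without MFA:", check_access("bob", "payroll"))
    print("bob -> payroll with MFA:", check_access("bob", "payroll", mfa_verified=True))
    print("excess grants to revoke:", audit_excess_grants())
```

Running the audit on a schedule turns "don't give it to them" from a one-time decision into a control: grants that creep in outside the role model show up as lines to revoke.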
If you’re a startup, or even an existing business, that needs to ensure the security of its systems and processes, as well as protect sensitive information from nefarious actions, do your research. If it’s something you question or don’t fully understand, always consult an expert. When you do that, ensure that your expert is teaching you everything along the way. They may not be there to hold your hand forever, so it is important that you understand what goes into protecting your business.