If there’s a more persuasive argument for identity governance and multi-factor authentication (MFA) than the Colonial Pipeline ransomware attack, it’s hard to imagine what it could be. As Bloomberg reported on June 4, hackers breached the company’s networks through a virtual private network (VPN) account that was a) no longer actively in use and b) not protected by MFA. Those two simple realities speak to the two questions that are fundamental to the success of any identity and access management strategy:
- Who has access to what, and what can they do with that access? (identity governance)
- How do you prove you are who you say you are? (MFA)
Playing the “what if” game doesn’t change anything about this event; still, one can’t help but imagine how differently the story might have turned out if that legacy VPN account had been properly disabled, or if MFA had been required to confirm a user’s identity should anyone try to use the account.
Hacking: The problem with passwords
It’s not just Colonial Pipeline by any means. Broadly speaking, security relies on passwords far too often. The 2020 Thales Access Management Index found that 40% of IT decision-makers believe a username-and-password combination to be one of the most effective ways to manage access to IT infrastructures. Yet that same year, the Verizon Data Breach Investigations Report found that more than 80% of hacking-related breaches involved either brute force or the use of lost or stolen credentials. In 4 out of 5 hacks, passwords failed to keep out the bad guys.
This is not to say organizations should get rid of passwords altogether—only that they would do well not to rely on them exclusively. The growing trend toward using more passwordless methods of authentication, and thereby reducing reliance on username-password combinations, makes sense for protecting any network that provides an entry point to critical resources. So does maintaining a program of identity governance to keep tabs on who has access to what and whether that access is appropriate, and taking corrective action when necessary.
Identity: The bedrock for all security
From how an organization manages access to how it authenticates users, identity is the first line of defense against ransomware and other online crimes. If attackers can’t get past identity safeguards, they literally can’t get anywhere. That’s why identity governance and MFA have such important roles to play in keeping attackers out and keeping digital assets safe. At SecurID, we’re fond of saying that identity is the bedrock for all security, a position reinforced by the credentials-based attack on Colonial Pipeline.
As always, we encourage all organizations to take ransomware and other kinds of cyber attacks seriously, and to take appropriate steps to prevent them. We’re here to help, with comprehensive capabilities for MFA (including passwordless authentication), identity governance and much more. If you’re concerned about your exposure, I encourage you to explore SecurID products and solutions and to contact us.