Key Takeaways
Colonial Pipeline is a case study of the potential consequences of a vulnerable identity and access management system
Passwords pose many security issues and a slower user experience
Passwordless authentication is a growing industry that is more secure and frictionless for the user
What happened to Colonial Pipeline?
In April of this year, the nation’s largest fuel pipeline was taken down by a cyber attack that was launched from a single compromised password. Colonial Pipeline CEO Joseph Blount confirmed in a Senate committee that the attack originated from a legacy Virtual Private Network (VPN) system. “In the case of this particular legacy VPN, it only had single-factor authentication”, Blount stated. “It was a complicated password, I want to be clear on that. It was not a Colonial123-type password”.
Single-factor authentication is now considered bad cybersecurity “hygiene”. The new industry standard is Multi-Factor Authentication (MFA), an authentication method that requires the user to provide two or more verification factors to gain access to a resource. The second factor of authentication beyond the password can be a security question or a notification to their smartphone, for example. In the case of Colonial Pipeline, MFA could have saved the company millions of dollars and prevented a week-long fuel crisis.
After hackers gained remote access to Colonial’s network, a ransom message was delivered demanding nearly $5 million to regain access. The loss of IT control caused a days-long shutdown that led to a spike in gas prices, panic buying and fuel shortages in certain areas of the East Coast. Colonial eventually decided to pay the ransom and is still recovering from the attack almost a month later. Thankfully the FBI was able to trace the cryptocurrency exchange and recover about 2.3 million of the ransom paid, but the Colonial Pipeline hack still illustrates how vulnerable the IT infrastructure of many companies are and the high cost of that vulnerability being exploited. This is not an isolated incident either; six months ago, a hacker breached a water treatment plant with a former employee’s username and password and threatened to poison the water supply of Northern California.
How do hackers find passwords?
If you are an active person in 2021, chances are you have more than one password in use. In fact, most people have more than 20 different online accounts that all require a password as part of their credentials. 20 passwords is admittedly a lot to remember so most people reuse passwords for different accounts. The problem with reusing passwords is that if one of your accounts is compromised it puts the rest of them, including much more important accounts, in danger. This exact situation may have enabled the Colonial Pipeline attack.
One way that hackers find passwords is by buying them on the dark web. Anytime there is a major data breach, think Facebook (April 2021, 533 million users), Twitter (June 2016, 32 million users), Capital One (July 2019, 100 million accounts), etc., the information is bought and sold on dark web marketplaces. The account’s password that was used to infiltrate Colonial’s network has since been discovered inside a batch of leaked passwords on the dark web. It’s difficult to confirm, but cybersecurity consultants from Mandiant, part of FireEye Inc., who are involved in the forensics of the Colonial hack say that the dark web is the most likely source of the compromised password.
Hackers can find passwords in many other ways. Brute force attacks are automated guesses of billions of passwords a minute until the correct one is found. Key logging is a malware downloaded on your computer that lets hackers watch your keystrokes. Hackers can use deception to manipulate individuals into divulging confidential information in a social engineering attack. Shoulder surfing is the good old fashioned low tech method of just looking over someone’s shoulder as they enter in their password. There are numerous ways that passwords can be stolen, and new ways are constantly being devised by hackers in this authentication arms race.
What does a passwordless future look like?
For years, the response to password attack vulnerabilities has been longer and more complex passwords. Recently the market is moving towards passwordless authentication that is not only more convenient for the user but more secure as well. As an example, using facial recognition instead of a password is one way to achieve passwordless authentication. Other types of passwordless authentication include email-based, SMS-based, and other biometrics.
Security professionals aim to maximize security while minimizing user friction. Passwordless goes hand in hand with this; looking at your iPhone is faster than typing a 6 digit pin and you are the only person in the world with that matching biometric. Passwordless is not MFA. The goal of MFA is to add supporting evidence to a password. The objective of passwordless is to provide technologies that completely eliminate the use of passwords. Simply put, passwordless trusts something that you have (a device, RSA key, email account) or something that you are (a biometric) instead of something you know (a password) that can easily be forgotten or stolen.
Passwordless authentication is a booming field of security. In May 2020, Microsoft proclaimed that more than 150 million people use passwordless login on Windows every month. For now, smartphones lead the way for passwordless adoption. The primary user base for passwordless authentication is remote employees, suggesting that organizations will adopt passwordless solutions faster as we adapt to the new way of working.
As part of this movement toward Passwordless authentication, MACH37 strategically accelerated CySecure as part of its Spring 2020 cohort. CySecure is developing solutions to eliminate passwords entirely - for users and at company servers. The solution is extremely secure, using Public Key Infrastructure (PKI) and digitally verified cryptographically. As organizations increasingly implement passwordless solutions, the field is becoming a hot spot for investors to keep their eye on.