One of the worst fears of humanity came true last week. Ever since cyberattacks started increasing in variety affecting organizations of all types and sizes, it was feared that cybercriminals would one day target the public infrastructure and attempt to sabotage the utility services. The cyberattack on the control systems at a water treatment plant in Oldsmar, Florida, has come as a rude shock.
On Feb 5, a hacker remotely accessed a computer (hosting water treatment control system) being used by an operator at the Oldsmar city water treatment plant. The hacker had remote access for about 2-3 minutes, during which he raised the levels of sodium hydroxide in the water from about 100 parts per million to 11,100 parts per million. However, the vigilant operator noticed it and promptly reverted the settings, thus averting a disaster. Apparently, the hacker had gained unauthorized access to the water treatment control system through the TeamViewer application used by the plant’s operators.
Though the FBI and other enforcement agencies are conducting an investigation and exact information about the cause of the incident is yet to be ascertained, security researchers, quoting various authorities and sources, have opined that lax security practices have caused this attack. Specifically, they allege that:
Whatever be the actual cause, the fundamental issue boils down to unauthorized remote privileged access to a critical system.
We witness a variety of attacks day in and day out and see hackers adopting innovative tactics. No doubt, the threat landscape is continuously (and rapidly) evolving. However, we do see a repetitive pattern in the attacks. The involvement of stolen credentials and misuse of administrative access are increasingly reported in many attacks. The attack on the control systems of Oldsmar city water treatment too seems to be falling under this attack pattern.
Cybercriminals are always on the lookout for administrative credentials. Many times, attackers don’t actually hack into networks; they simply royally walk-in using stolen, weak, or compromised credentials freely available on the dark web. They follow a few other simple techniques such as phishing emails to deliver malware and gain a foothold on machines. Known vulnerabilities that remain unpatched make their job easy. They then proceed to capture administrative credentials from hashes or through keystroke loggers and move across the network and finally perpetrate the attack by exploiting privileged access.
Combating cyber-attacks certainly requires a multi-pronged strategy. Many organizations concentrate on deploying sophisticated and advanced security arsenal but lose sight of the fundamental measures. If there are holes in the foundational elements, it becomes a cakewalk for hackers to grab the low hanging fruits.
Some of the most neglected security fundamentals include:
Lack of these measures has led to some of the worst data breaches in recent times. Of these, poor password hygiene is perhaps the most notorious factor.
Reusing the same passwords across multiple resources is a recipe for disaster. Yet, this practice goes unchecked in many organizations. It is quite common to see the same passwords assigned to multiple IT assets; developers reusing passwords across their personal and work accounts; passwords on spreadsheets circulated across departments; a departing IT staff exiting with a copy of all the credentials, and similar practices.
When developers reuse passwords, a compromise of one of their personal accounts gives hackers easy access to corporate data. Uncontrolled or unmonitored access often leads to exploitation by malicious insiders. Weak security practices and vulnerabilities in the supply chain lead to breaches upstream.
When IT divisions enforce certain practices, end users come up with exemption requests or find ways to circumvent the process. Citing work priorities, users raise requests for relaxation when passwords are to be changed, when MFA takes force, when maintenance is due, when a monitoring system needs to be deployed, or when a scan is to be done.
The Florida water plant hack underscores the importance of basic security measures. Strict adherence to basic security principles could have probably helped avert this incident.
Not all security incidents can be prevented - there is absolutely no magic wand or a silver bullet available yet. But by concentrating on the basics, IT departments can undoubtedly prevent a good number of attacks.
This is a wake-up call. IT divisions should review the measures in place to ensure security basics like checking ‘who’ has access to ‘what’; monitoring the systems exposed to the internet; keeping the infrastructure in top shape with timely patching and updates; controlling access to sensitive systems; ensuring that security controls are not relaxed or bypassed; and adopting password hygiene. This may sound too obvious but in reality, much neglected.
Ransomware attack on Colonial Pipeline: Executing cyberattacks, now a child's play!
With the easy availability billions of compromised credentials on the dark web, and the practice of password reuse rampant, hackers...
jun 7 · 5 min read
Eliminating Admin Rights and Controlling Applications (Part 3)
One of the most effective approaches to reducing risks is eliminating the local admin accounts altogether and...
May 17 · 4 min read
Looking for a Passwordstate alternative?
Passwordstate, an enterprise password manager developed by Click Studios, suffered a supply chain attack between...
Apr 30 · 3 min read
Local Admin Accounts Management: Microsoft LAPS Vs. PAM (Part-2)
In the previous post, we dealt with the importance of local admin accounts, the associated security risks, and...
Apr 06 · 3 min read
Top 10 password policy recommendations for sysadmins in 2021
Passwords are omnipresent in our personal and business digital environments. An average person has at least...
Apr 01 · 6 min read
Local Admin Accounts - Security Risks and Best Practices (Part 1)
We are all too familiar with the local administrator account that gets created automatically when installing a Windows...
Mar 19 · 4 min read
Poor password security practices cause massive security breaches
Weak passwords, password reuse, password sharing, hard-coded credentials, lax measures to storing credentials...
Mar 13 · 6 min read