Where Penetration Testing Fails: Bad Privileged Access Management (PAM) Makes Firewalls Useless

I Remember When All Hell Broke Loose this Summer

I live in Atlanta GA, and I’ve seen a copious amount of crazy living here the past few years, but May 8th this year had some ludicrous sights at the gas station down the street from me. 

Now, I had that whole week off to myself as I had just finished a client project, so some downtime was in order. I make it a policy to disconnect when I take time off, and the news was the last thing on my mind, so I had completely missed what happened with Colonial Pipeline in the days that came before it, and what was happening at gas stations all over my city. 

Now, imagine my surprise when I hopped in the car to grab some groceries, only to find that there’s a line of cars, trucks with multiple gas cans, and a legitimate doomsday prepper vibe in the air as I watched people argue and fight over gas once I get to my local gas station. Needless to say, I turned around and made a beeline for the grocery store, rationalizing that the orange fuel alert symbol on my dash would carry me back and forth at least one trip and that my wife would come home with SOME gas in her SUV. 

The News Made the Issue Mostly Obvious

Specifics about my position aside, I cued up the news when I got back home and saw all the then-current details about the colonial pipeline hack, and I can’t say I was surprised. When they said that a whole pipeline was defunct because of a cyber-attack, my first thought wasn’t about a super-skilled hacker like you see in the movies that can brute force firewalls and security controls from a keyboard and a closet in Russia. My first thought was that someone overlooked Privileged Account Management (PAM) in a big way, and a group was able to acquire an account and password with high enough privilege to jump into a highly secure environment like it was nothing. 

A few days later, reports came out that it was in fact a credential leak and compromised password, as well as a legacy VPN with no Multifactor in front of it that allowed network access to that Privileged account. According to Bloomberg reporting in June though, it looks like it was an Employee Account that was breached and used to enter the environment, which I would assume means that the Employee Account had the necessary access to either access multiple systems integral to Colonial’s business, or that the account was a part of an Admin group that has access to more Privileged Service Accounts, which would explain why they decided to shut the whole thing down while the issue was resolved. 

The Solution to this Kind of issue isn’t just VPN Control and MFA, it’s Identity Governance and Privileged Account Management

Regardless of which scenario played out, in this situation, PAM tightly tied to an Identity Governance and Administration (IGA) system that tracks user privileges and scores access rights on a risk scale would have greatly mitigated the risk they faced. 

When accounts of any kind accrue additional privileges in an environment, allowing for accesses and rights in multiple systems critical to a business, they should be automatically assigned elevated risk scores in the IGA system, and alert Identity administrators so they can either review the account and decrease its privileges, or enroll the account in a Privileged Account Management System that puts controls on those accounts appropriately.

What this does, for both Service Specific and User-specific accounts with High Privilege is put that account under scrutiny with every use. This means:

  • Session recording any time these accounts are used
  • Random password used every single time the account is needed for use, drawn from a credential vault that creates a strong password in the PAM system and temporarily writes that password to downstream systems like Active Directory to provide access to other systems with that password
    • After the user session is over, it would reset the password again, and constantly rotate them in this manner to prevent any one password from being a risk to the organization. 
  • Alerts to Identity Admins about the usage statistics for privileged accounts being used for longer than the normal, or flagging activities that are beyond the norm for that account in general

Bagging on Colonial wouldn’t be fair, this happens far too often throughout the industry

Now, please understand, Colonial isn’t some unique victim here, they are just the most recent. This happens frequently, with multiple different businesses in different business verticals that don’t invest in Identity Governance and PAM.

Firewall security is Sexy, and it gets a lot of attention, so providing employees and customers with access to systems quickly at the speed of business sometimes takes the priority overdoing it with Identity Security built into the framework of the program. This is a VERY common mistake, and until CIOs and CISOs make Identity a priority at their organizations, specifically Privileged Identity Management and Identity Governance, Security organizations will continue to be at risk for a cyber threat. 

Our clients will attest to the fact that when they work with us our first questions are what they do to manage high privilege accounts, regardless of what they leverage us to do in the first place because it is such an important part of security that many just don’t think about. It is our primary focus everywhere we go, because it is the basis for security as a whole at an organization that removes an extremely large target off the backs of hard-working people and organizations that don’t deserve to pay multi-million dollar ransoms. 

©RAAH Technologies 2024. All Rights Reserved.