In May this year, criminals performed a successful cyberattack on a large US organisation called Colonial Pipeline. Colonial Pipeline supply oil (or gas in the US) to 45% of the eastern seaboard of the USA. As a result of the attack, the company was forced to shut down it’s supply of gas entirely. This was the first time in the 57 year history of the company that they were forced to do so.
We blogged about this story when it broke – read that coverage here.
It took a few days to resolve the cyber incident and bring systems back online. During that time the public responded to the lack of gas with panic, and people started hoarding gas in any type of container they could, including plastic bags. The end result of this was extremely dangerous for everyone. The public reputation of the company was also severely damaged.
Initially it was thought that the hackers had gotten into their systems via unpatched servers. However, since the attack, investigations have revealed how the criminals hacked into the environment. First, they found one user’s account and password on the dark web. That account was no longer in use but was still active (most likely a user that had left the company). With this information, they tried various methods to gain access to the organisations network remotely. They discovered that they could VPN in as that user, and from there had full access to the resources within the corporate network to conduct their criminal activities.
The investigation also revealed that there was no 2-factor authentication on that user’s account. This alone would have prevented the credentials from accessing the network, and stopped the criminals.
So – what should business owners and IT Admins learn from this case?
Two key things could have stopped this attack.
- ALWAYS disable user accounts for users that have left. Have it part of your user exit procedure to not only disable the account, but change the user’s password to something random. In addition to that, conduct a periodic review of all accounts to ensure that only valid accounts still have access to your network.
- 2 Factor Authentication should be absolutely mandatory for all access to company resources. It’s an extra step for users to be able to access the system, but it will help protect the business from users that use the same password on multiple sites.
Do not underestimate the flow on effect of a hack of your organisation’s IT systems. Consider not just the direct loss of business that would occur but also the effect on the wider community if you were involved in a cyber attack.
If you’d like to discuss these concepts further, let us know. We’d be very happy to help you better protect your network environment.