logo
logo

Our Blog

How to Prevent a Cybersecurity Breach from a Former Employee’s Account

    Cybersecurity breaches are a serious threat to any organization, especially when they involve former employees’ accounts. A recent CISA advisory revealed that a state government’s network was compromised by an ex-employee’s admin account, which allowed unauthorized VPN access. This incident highlights the importance of securing credentials, implementing MFA, auditing access, segmenting privileges, and tightening Azure AD settings. In this blog post, we will discuss the key takeaways from this breach and how you can prevent it from happening to your organization.

    Credential Security

    The first lesson from this breach is the criticality of securing credentials, especially for accounts with extensive access. The breach was facilitated through credentials obtained from a separate data leak. This means that the attacker was able to use the same username and password combination for the ex-employee’s admin account as for another account that was exposed in a different breach. This is a common technique known as credential stuffing, which exploits the fact that many people reuse the same passwords across multiple accounts.

    To prevent credential stuffing, you should enforce strong password policies for your users, such as requiring a minimum length, complexity, and frequency of change. You should also monitor your accounts for any signs of unauthorized or suspicious activity, such as failed login attempts, unusual locations, or devices. Additionally, you should use a password manager to generate and store unique passwords for each account, and avoid reusing passwords across different platforms.

    MFA Is Essential

    The second lesson from this breach is the necessity of Multi-Factor Authentication (MFA) for all privileged accounts. MFA is a security measure that requires users to provide more than one piece of evidence to verify their identity, such as a password and a code sent to their phone or email. MFA adds an extra layer of protection against credential stuffing, phishing, and other attacks that rely on stealing or guessing passwords.

    The compromised accounts in this breach lacked MFA, which made it easier for the attacker to gain access. If MFA had been enabled, the attacker would have needed to obtain the second factor of authentication, such as a code or a token, which would have been much harder to do. Therefore, you should enable MFA for all your accounts, especially those with elevated privileges, such as admin, global admin, or service accounts. You should also educate your users on the benefits and best practices of using MFA, and provide them with the necessary tools and support to set it up.

    Access Hygiene

    The third lesson from this breach is the importance of regular audits to deactivate unused accounts, particularly those of former employees. Unused accounts pose a significant risk to your network, as they can be exploited by attackers or insiders to access sensitive data or resources. By deactivating unused accounts, you can reduce the attack surface and limit the potential damage.

    The breach in this case involved an ex-employee’s admin account, which had not been deactivated after the employee left the organization. This account had extensive access to the network, including the VPN, which allowed the attacker to bypass the firewall and access internal systems. To prevent this, you should have a clear and consistent process for deprovisioning accounts when employees leave or change roles. You should also conduct regular access reviews to identify and remove any accounts that are no longer needed or authorized.

    Privilege Segmentation

    The fourth lesson from this breach is the need for implementing the principle of least privilege and creating separate admin accounts for different environments. The principle of least privilege states that users should only have the minimum level of access required to perform their tasks, and nothing more. This minimizes the risk of unauthorized or accidental actions that could compromise the security or integrity of the network.

    The breach in this case involved an admin account that had access to both on-premises and cloud environments. This account was used to access the Azure AD portal, where the attacker was able to create new accounts, assign roles, and reset passwords. This gave the attacker full control over the cloud environment, which could have led to data exfiltration, ransomware, or other malicious activities. To prevent this, you should create separate admin accounts for different environments, such as on-premises, cloud, or hybrid. You should also limit the scope and duration of these accounts, and monitor their usage and activity.

    Azure AD Settings

    The fifth lesson from this breach is the importance of tightening the default Azure AD settings and understanding the implications of Global Administrator rights. Azure AD is a cloud-based identity and access management service that provides single sign-on, multi-factor authentication, and other features for your cloud applications. However, Azure AD also has some default settings that can inadvertently provide threat actors with opportunities to access sensitive information and escalate privileges.

    The breach in this case involved the use of the Global Administrator role, which is the highest level of privilege in Azure AD. This role grants access to all administrative features in Azure AD, including creating and managing users, groups, domains, roles, and policies. The attacker was able to assign this role to a new account that they created, and use it to access the Azure AD portal. To prevent this, you should limit the number of Global Administrators in your organization, and use other roles that have more granular permissions. You should also review and modify the default settings in Azure AD, such as password expiration, self-service password reset, and guest user access.

    Proactive Measures

    The sixth lesson from this breach is the value of proactive measures to enhance your security posture. After discovering the breach, the state government took several actions to contain and remediate the incident, such as resetting passwords, revoking elevated privileges, enabling MFA, and conducting access reviews. These actions helped to mitigate the impact and prevent further damage.

    However, these actions could have been taken proactively, before the breach occurred, to prevent or deter the attack in the first place. By implementing these measures as part of your regular security practices, you can significantly improve your security posture and resilience. You should also conduct regular security assessments, audits, and tests to identify and address any vulnerabilities or gaps in your network.

    Awareness of Default Permissions

    The seventh and final lesson from this breach is the need for awareness of the permissions and roles assigned by default in cloud environments. Cloud environments, such as Azure, offer many benefits, such as scalability, flexibility, and cost-efficiency. However, they also come with some challenges, such as complexity, shared responsibility, and increased attack surface. Therefore, it is essential to understand the permissions and roles that are assigned by default in cloud environments, and how they can affect your security.

    The breach in this case involved the use of the default User role, which is assigned to all users in Azure AD. This role grants access to basic features, such as viewing their own profile, changing their password, and consenting to applications. However, this role also allows users to join devices to Azure AD, which can create a security risk. The attacker was able to use this feature to join a device to Azure AD, and use it to access the VPN. To prevent this, you should disable the default User role, and create custom roles that have more restrictive permissions. You should also review and modify the default permissions for devices, applications, and resources in Azure.

    Conclusion

    This breach serves as a stark reminder of the ever-evolving cybersecurity landscape. We must stay vigilant, continuously update our security practices, and educate our teams on the importance of cybersecurity hygiene. By following the key takeaways from this breach, you can prevent a similar incident from happening to your organization.

    Do you agree with these takeaways? Do you have any questions or comments? Let us know.

    Ready to take the next step?

    Contact Us Today

      Prev Post
      Cybersecurity breaches are a serious threat to any ...
      Next Post
      Cybersecurity breaches are a serious threat to any ...

      Solutions

      Information Security Consulting

      Managed Security Services

      Identity Management

      Access Management

      ISO 27001 Implementation

      ISO Dip Stick Offer

      Enterprise Sec Roadmap

      Information Security Audits

      Network Security Audits

      Vulnerability Assessments

      Penetration Testing

      Industries We Serve

      Banking & Finance

      Government

      Energy & Utilities

      Telecom

      Healthcare

      Manufacturing

      Retail