March 28, 2019
Credential Stuffing: Why Password Reuse is not a Good Idea
How do you identify disgruntled employees? At what point do you start monitoring their activities closely? Do your employees have expectation of privacy or does your policy make it clear that all employees’ activities may be monitored?
The recent devastating insider attack at Tesla is a stark reminder of the fact that, as much as employees are an organization’s most critical assets, they can also be the biggest source of danger. In this attack, an employee, disgruntled because s/he was not getting promoted, took law into his/her hands by impersonating a privileged user, making changes to the Tesla manufacturing operation system and exfiltrating large amounts of highly sensitive Tesla data to unknown third parties. Scary, isn’t it?
On a scale of 1 (insignificant) to 5 (severe) for business impact, this has got to be pretty close to 5 for Tesla. Loss of competitive advantage, brand/reputation damage, negative media attention and depressed stock price are some of the business impacts that Tesla will have to confront in the coming days. A quick look at the stock price already shows almost a 5% dip over the last 24 hours:
This may be completely unrelated to the breach, but there’s also a fair chance that it is related. For sure, this is one to keep an eye on.
On the back of this incident, quite a number of cyber security professionals will undoubtedly start asking a lot of questions as to why and how this was allowed to happen. What security controls failed? Why wasn’t this detected on time? Could it happen to us? And so on and so forth. Michael Daly, CTO Cybersecurity at Raytheon summarized this adverse event succinctly by saying “You have an insider threat. You have altered data affecting the factory operating system. You have leaked proprietary data. You have credential theft. And you have it all, apparently, at the hands of a disgruntled employee.”
Based on this statement, nuanced conversations can begin around failures of controls. Is heightened monitoring in place for privileged accounts? Does file integrity monitoring capability exist? Are data protection controls like leakage prevention, encryption and rights management in place? Can a credential harvester cause any damage because the harvested credentials are reusable?
Turns out least privilege isn’t dead, and its sibling, Just-In-Time Provisioning, is well and truly alive!
As they say, hindsight is 20/20. In fairness, it is definitely easy to talk about what Tesla could have done better in this instance. The fact is, every organization is susceptible to a devastating insider attack – especially if the attacker is willing to commit career suicide just because they’re not getting what they think they deserve. With that said, it is also possible to significantly reduce the likelihood of success of this type of attack. The primary requirement here is that cyber security leaders within organizations must be willing to go the distance whilst not being scared to be wrong in pursuit of the right cause.
This incident is hot off the press therefore more details about what actually transpired (i.e. anatomy of the attack) will still emerge. Nevertheless, we already know enough about it to start solving a major cyber security problem, i.e. what are the key risk indicators (KRIs) of a disgruntled employee becoming a major source of cyber danger?
If you’re still riding your luck, good luck! But the time might be right to take a step back, play out your top 5 “No No” incidents and put in place countermeasures that are capable of reducing your inherent risks to acceptable level.