Like many other software supply chain attacks, the Kaseya attack started with a trusted vendor being compromised. Kaseya is not a managed security service provider but the maker of VSA, a remote monitoring and management product used by managed service providers (MSPs); the attackers abused VSA's trusted connections into those MSPs' client environments to push ransomware that encrypted thousands of computer systems. A major supermarket chain in Sweden (Coop) had to close its stores and turn away families trying to buy food because its point-of-sale (POS) systems could not operate.
A white paper published by the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the US Department of Homeland Security, and NIST, entitled Defending Against Software Supply Chain Attacks (April 2021), describes a software supply chain attack as follows: “A software supply chain attack occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software then compromises the customer’s data or system.”
The white paper further describes this mode of attack: “newly acquired software may be compromised from the outset, or a compromise may occur through other means like a patch or hotfix. In these cases, the compromise still occurs prior to the patch or hotfix entering the customer’s network. These types of attacks affect all users of the compromised software and can have widespread consequences for government, critical infrastructure, and private sector software customers.”
The widely quoted finding from the Verizon Data Breach Investigations Report (2021) points to compromised passwords as one of the largest vulnerabilities, exposing a large attack surface. Another source, the LexisNexis Risk Solutions Cybersecurity Incidents Report for the full year 2020, reports a 280% increase in account takeover (ATO) attacks as cybercriminals leveraged the COVID-driven increase in remote transactions. Automated bot attacks grew to 2.1 billion during 2020, the majority of them using compromised credentials to complete the attack.
Write-ups of software supply chain attacks usually gloss over how the credentials were compromised and put the emphasis on what took place after the initial entry. Was the entry point a source code repository or build pipeline? Was the malware delivered into target systems inside an update, code or scripts used as the transport vehicle? Did the attackers exploit a specific vulnerability in the operating system or an exposed management interface? Did they elevate privileges and execute commands to propagate ransomware across business or operational networks? These are all ways in which attackers wreak havoc once inside the targeted enterprise.
It is important to peel back the layers and understand how a particular incident started. Stolen passwords, stolen or misused PKI certificates, poor password hygiene at the third-party service provider, and username/password lists purchased on the dark web are all methods cybercriminals use to mount an attack.
In response to growing cyberattacks, organizations are now re-evaluating their password policies and coming to terms with the realities they face. Here is what the security experts were telling us to do, and why it did not prove effective:
According to HelpNetSecurity, only 23% of enterprise employees adopt password management tools, largely because of UX issues.
So, can passwordless authentication prevent these attacks? The short answer is yes. Many supply chain attacks that originate from compromised credentials can be prevented by eliminating passwords and shared secrets: with no password to phish, reuse or stuff, there is no credential to steal. Passwordless authentication has moved beyond a promise to shipping next-generation solutions. Adoption was slow when it first appeared on the horizon, but with the sharp increase in credential-based attacks and the growing cost of managing passwords, IT organizations have started adopting passwordless authentication.
Passwordless authentication eliminates the need for users to remember or recover a password to log in to their information systems. Unlike Windows Hello for Business, Apple Touch ID and most MFA solutions, TruU is fully passwordless, from applications to servers to desktop and endpoint access. Organizations do not get the security benefit of passwordless unless the end user is freed from the password at every point in their day; a password that is still accepted as a fallback is still a password that can be phished or stolen. TruU enables employees to use their smartphone, or in some cases a FIDO security key, to access all the logical and physical resources they encounter in their day.
FIDO solutions bind a registered authenticator to an account, so they prove that whoever later accesses a resource holds the key or smartphone that was enrolled. They do not prove who did the enrolling: when enrollment is bootstrapped from an emailed link, anyone who controls that mailbox can enroll their own authenticator and impersonate the user from then on. TruU goes a step further in its enrollment options to ensure identity is proofed and verified at the time of employee onboarding, so that John Doe is truly John Doe at the time of enrollment into the passwordless system.
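To make the mechanism behind the two paragraphs above concrete, here is an added example (not TruU's code and not a FIDO library) of a minimal FIDO/WebAuthn-style relying party and authenticator in Go. The server stores only public keys, every login signs a one-time random challenge together with the RP id, and the scenarios at the end show why a replayed assertion, a challenge relayed through a phishing origin, and a stolen server database all fail. The Register step also illustrates the enrollment caveat: the server can only bind a key to whoever presented the enrollment link. The hostnames corp.example and phish.example and the account jdoe are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// credential is all the relying party keeps per account: a public key and the
// last signature counter seen. A dump of this table lets nobody log in.
type credential struct {
	pub     ed25519.PublicKey
	counter uint32
}

type relyingParty struct {
	id      string                // RP id (hypothetical hostname)
	creds   map[string]credential // account -> enrolled public key
	pending map[string][]byte     // account -> outstanding one-time challenge
}

func newRelyingParty(id string) *relyingParty {
	return &relyingParty{id: id, creds: map[string]credential{}, pending: map[string][]byte{}}
}

// Register binds an authenticator's public key to an account. The RP can only
// bind to whoever presented the enrollment link; if that link went out by
// email, the mailbox owner is who gets enrolled. Identity proofing is separate.
func (rp *relyingParty) Register(account string, pub ed25519.PublicKey) {
	rp.creds[account] = credential{pub: pub}
}

// Challenge issues a fresh random nonce, valid for exactly one assertion.
func (rp *relyingParty) Challenge(account string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[account] = c
	return c
}

// assertionData is what gets signed: the RP id ties the assertion to one site,
// the challenge makes it single-use, the counter helps detect cloned keys.
func assertionData(rpID string, challenge []byte, counter uint32) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	var cb [4]byte
	binary.BigEndian.PutUint32(cb[:], counter)
	h.Write(cb[:])
	return h.Sum(nil)
}

// Verify checks an assertion against the enrolled public key.
func (rp *relyingParty) Verify(account string, challenge []byte, counter uint32, sig []byte) error {
	cred, ok := rp.creds[account]
	if !ok {
		return errors.New("no authenticator enrolled for account")
	}
	pending, ok := rp.pending[account]
	if !ok || !bytes.Equal(pending, challenge) {
		return errors.New("challenge not outstanding: never issued or already used")
	}
	delete(rp.pending, account) // consume it, so a captured assertion cannot be replayed
	if counter <= cred.counter {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	if !ed25519.Verify(cred.pub, assertionData(rp.id, challenge, counter), sig) {
		return errors.New("signature invalid for this RP id and challenge")
	}
	cred.counter = counter
	rp.creds[account] = cred
	return nil
}

// authenticator models the user's phone or security key: the private key never
// leaves it, and the user has nothing to remember.
type authenticator struct {
	priv    ed25519.PrivateKey
	counter uint32
}

func newAuthenticator() *authenticator {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &authenticator{priv: priv}
}

// Assert signs under the origin the client actually sees. In a real browser
// that origin is supplied by the browser, which is what defeats phishing pages.
func (a *authenticator) Assert(originSeen string, challenge []byte) (uint32, []byte) {
	a.counter++
	return a.counter, ed25519.Sign(a.priv, assertionData(originSeen, challenge, a.counter))
}

// RunScenarios exercises the flow and returns each outcome by name (nil = accepted).
func RunScenarios() map[string]error {
	rp := newRelyingParty("corp.example")
	auth := newAuthenticator()
	rp.Register("jdoe", auth.priv.Public().(ed25519.PublicKey))
	out := map[string]error{}

	c := rp.Challenge("jdoe") // 1. legitimate login
	n, sig := auth.Assert("corp.example", c)
	out["login"] = rp.Verify("jdoe", c, n, sig)

	out["replay"] = rp.Verify("jdoe", c, n, sig) // 2. captured assertion replayed

	c2 := rp.Challenge("jdoe") // 3. real challenge relayed via a phishing page
	n2, sig2 := auth.Assert("phish.example", c2)
	out["phish"] = rp.Verify("jdoe", c2, n2, sig2)

	c3 := rp.Challenge("jdoe") // 4. attacker holds only the dumped public key
	rogue := newAuthenticator()
	rogue.counter = 100 // get past the counter check so the signature check decides
	n3, sig3 := rogue.Assert("corp.example", c3)
	out["db_dump"] = rp.Verify("jdoe", c3, n3, sig3)
	return out
}

func main() {
	for _, name := range []string{"login", "replay", "phish", "db_dump"} {
		fmt.Printf("%-8s %v\n", name, RunScenarios()[name])
	}
}
```

Only the first scenario is accepted. The other three fail for different reasons, and each maps to a control a real deployment must keep: single-use challenges, the origin folded into the signed data, and no secret on the server worth stealing. What the example does not solve is the enrollment problem in the paragraph above: Register trusts whoever arrived with the enrollment link.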
In addition to passwordless access to information systems, TruU lets organizations give their users the same secure experience through badge-less physical access to corporate facilities and critical infrastructure, as well as a wide range of IT assets.
Software supply chain attacks have garnered a lot of attention recently, particularly because they can deliver ransomware into multiple organizations at the same time, multiplying the overall impact. Eliminating passwords will not completely end software supply chain attacks, but removing one of the largest attack surfaces, the shared secret that can be phished, reused or stolen, will make a sizeable dent in their effectiveness.
The TruU passwordless identity platform can start your organization on the journey to a secure authentication platform with a frictionless user experience. Please contact us to get started.