This weekend, I had some free time (with a newborn baby in the house that’s not a natural thing) to watch a movie, and I picked a new documentary called Zero Days, which is a very interesting documentary focused on the Stuxnet malware that was first identified in 2010. It’s believed that Stuxnet was built to destroy a key part of an Iranian nuclear facility but, in the end, network systems in approximately 155 countries were infected by the virus.
The official name for Stuxnet is thought to be ‘Operation Olympic Games,’ so, with the Olympics now going on, this all got me thinking about how approaches to security have changed – and how they haven’t – in the last several years.
The goal back then was to infect programmable logic controllers (PLC) that were not connected to the internet. PLC systems are often kept disconnected from the internet because of the severe impact any infection would have on the functions they control. Stuxnet often infected PLC networks through the traditional USB stick.
USB memory sticks aren’t used quite as much now as in 2010. So, this mode of infection wouldn’t be quite as efficient today as in 2010. However, one thing has stayed the same: people. Then and now, systems are breached because people can’t be trusted.
Even when there is a solid security policy in place, you see people trying to cross the line.
Does the Olympic committee have a solid security policy in place in managing their overall security? I trust that the Olympic Committee has good and very professional trusted IT partners that understand their job. I don’t want to comment on that.
But in general, you see old habits with every human being. And what’s the weakest link for humans around IT security? Remembering passwords! I still see that many MSPs and IT departments don’t have a solid password management policy in place. It’s very hard to have a solid password policy in place because people don’t want to change passwords that much, especially because the number of passwords you need to remember is growing. And it’s only becoming more and more difficult.
So, why don’t we make this easier with tools that automate the process and make it virtually unnecessary to bother or to worry about this as a user or sysadmin? So that the only thing we need to remember is a 6- or 8-digit PIN, have a soft-token on our phone and we are done! We have now completely removed the hassle of remembering passwords.
But this can’t be done by only having a password solution in place. You need to have a solution in place that can organize three things: multi-factor authentication (MFA), single sign on (SSO) and a password ‘vault.’
Let me explain this a little more into detail.
- MFA is the process of knowing something (a PIN) along with having something (the one-time password (OTP) from the smartphone) that uniquely identifies a user. You can equate this to how you take money out of the bank. You have to know your PIN, and have your bank card. Without both, you cannot access the money in your bank account. Without the user PIN and OTP (which changes every time it is used), a user can never log into company resources.
- SSO: SSO lets users log into web applications and websites without needing to know another password, or where to go to log in. In addition, SSO usually enables a user to access this capability from virtually any device, without the need for special software or browser extensions. Working together with an MFA system simplifies life for the user even more, as they use the MFA system to log into a portal where all allowed applications, websites, RDP sessions and more are presented.
- Password ‘vault’: And then finally, all passwords can be centrally stored, managed, audited and controlled (along with information on the users who use those passwords) in a single place. With this centralized location, admins can now automate the management, synchronization and changing of these credentials, regardless of whether the ‘vault’ is maintained on-premises or in the cloud.
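The two factors from the MFA bullet above, worked through in code. This is an added example, not the post's own material or any vendor's product: a PIN (something you know) is checked against a salted hash, and an event-based one-time code (something you have, RFC 4226 HOTP as generated by a soft-token) is burned by the server after use so it cannot be replayed. The secret, salt and look-ahead window are constructed demo values; the secret is the RFC 4226 reference key so the codes match the published test vectors.

```python
import hashlib
import hmac
import struct

LOOK_AHEAD = 5  # max counter drift tolerated (token pressed without a login)

# Constructed demo values: the RFC 4226 reference secret, so outputs can be
# checked against the published test vectors. A real deployment provisions a
# random per-user secret and never shares it between users.
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT = b"demo-salt"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 event-based OTP: HMAC-SHA1 over the 8-byte counter, truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """PINs are stored salted and stretched, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class UserRecord:
    """Server-side state for one user: PIN hash, token secret, next counter."""

    def __init__(self, pin: str, secret: bytes, salt: bytes = DEMO_SALT):
        self.salt = salt
        self.pin_hash = hash_pin(pin, salt)
        self.secret = secret
        self.counter = 0  # lowest counter value the server will still accept


def verify_login(user: UserRecord, pin: str, otp: str) -> bool:
    """Both factors must pass; an accepted OTP is burned so it cannot be replayed."""
    pin_ok = hmac.compare_digest(hash_pin(pin, user.salt), user.pin_hash)
    # Walk the whole window so timing does not reveal which factor failed.
    match = None
    for c in range(user.counter, user.counter + LOOK_AHEAD):
        if match is None and hmac.compare_digest(hotp(user.secret, c), otp):
            match = c
    if not pin_ok or match is None:
        return False
    user.counter = match + 1  # move past the accepted code: no replay
    return True
```

A code older than the stored counter, or further ahead than the look-ahead window, is rejected, which is the property that makes a stolen one-time code worthless after a single use.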
And, with the above capabilities, you have taken the first basic step in making your IT environment a lot safer. Even better, working like this makes it a lot easier for companies to maintain compliance with regulations such as HIPAA, PCI, CJIS, SOX or GLB.
Of course, with malware, ransomware, and cryptolockers only getting worse, you still have to do more. This means not only using intelligent antivirus/anti-malware security scanning solutions, it also means having a solid backup plan in place. Don’t get lazy on these items!
And make sure to automate your backups – even the process of checking that backups have completed successfully! But maybe more on that in my next blog.
Enjoy the Olympic Games. The real Games, of course – not the malware.
Want to learn more about password management? Check out this security playbook.