Mitigating the risk from compromised federal credentials – a Q&A with Tripwire’s Ken Westin
The federal government is still reeling from a recently exposed cyber attack that compromised the personal data of as many as 14 million government employees and has now stopped all government background checks for up to a month. And now, there may be even more bad news.
In a recent report, the real-time threat intelligence company Recorded Future claims that login credentials for 47 separate United States government agencies across 89 unique domains have possibly been exposed, leaving the agencies open to data breaches from a wide universe of bad actors. According to the report:
“As of early 2015, 12 of these agencies, including the Departments of State and Energy, allowed some of their users access to computer networks with no form of two-factor authentication. The presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce.”
To get a better understanding of how these credentials are being stolen and what kind of impact this theft can have on the security of federal networks, we sat down with Ken Westin, a senior security analyst at the security solution provider Tripwire.
Access Granted: The Recorded Future study claims to have found credentials for 47 government agencies all over the Web. How were these credentials compromised? Where are these coming from?
Ken Westin: Although we often hear about the big data breaches, there are constantly a number of smaller breaches that occur. The “.gov” email addresses were not necessarily part of a government-specific breach, but also a large number of generic breaches of non-government services such as news websites, forums, online retailers and other services, where government employees have used their “.gov” email address to register for accounts.
The problem is that many times employees use the same passwords for these services that they might use for government networks, which – of course – puts them at risk. Many consumer-focused websites and services fail to adequately encrypt passwords and so the passwords are exposed for these users.
Access Granted: When discussing these compromised and exposed credentials, you commented on the fact that many of them were most likely no longer valid. If that’s the case, can they still be a threat?
Ken Westin: For many of the larger breaches, they made enough noise in the media that government IT administrators noticed that specific accounts were compromised and could reset passwords for them. Most of the accounts compromised in these breaches and posted on Pastebin and other sites have had their passwords reset as a result.
However, this is not always the case with some of the smaller, lesser known breaches where data is not publicly posted, but instead sold in underground markets, or utilized in specific targeted campaigns and only shared within a group of attackers.
Access Granted: What do government agencies need to do to reduce the amount of credentials being compromised? Is it a matter of improving cybersecurity hygiene among government employees, or are other steps necessary?
Ken Westin: There are a lot of government agencies that could be doing better to educate and enforce security policies amongst their employees, particularly around the use of agency emails and enforcing strong password policies. Together, these two factors would go a long way to mitigate the risks associated with having accounts exposed on the broader Internet.
However, government agencies and employees should not rest there. If a group is targeting a particular agency, they will target individuals in that agency and will look for more than “.gov” email addresses. They will also look for personal emails and social media accounts. Government organizations can also deploy two-factor authentication and other controls to make it more difficult for attackers to use simple email and password authentication to compromise accounts.
Access Granted: In addition to continuous monitoring of internal networks, you’ve also advocated persistent external monitoring of sites that host compromised emails and credentials. How can organizations do this effectively and efficiently? How can this help them mitigate future attacks?
Ken Westin: There are a number of both commercial and open source tools that can be used to gather open source intelligence (OSINT). Many of these tools have been used traditionally to monitor a “brand”. However, over time these can be expanded to be another form of threat intelligence organizations can use to monitor what hacktivist groups are saying about a company, and identify potential leaks of emails or targeted campaigns against an organization.
Monitoring activity in Pastebins and breaches using free tools and APIs like https://haveibeenpwned.com/ is a good first step, and some of the commercial providers go into much more depth in harvesting, categorizing and pruning their data. It’s often better for high-profile organizations to utilize these services to help them with monitoring.
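The kind of breach-corpus lookup this answer describes, as an added Python example that is not part of the interview or of Tripwire's tooling: it checks a candidate password against Have I Been Pwned's Pwned Passwords range endpoint (api.pwnedpasswords.com/range/<prefix>) using its k-anonymity scheme, so only the first five hex characters of the SHA-1 ever leave the client, and it runs offline against a constructed sample response in the same SUFFIX:COUNT format the live endpoint returns. The endpoint URL is the real public API; the sample counts, placeholder suffixes and the policy_check helper are assumptions made for the example.

```python
import hashlib
import urllib.request

# Pwned Passwords k-anonymity range endpoint (real public API, no key needed).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the password and split the hex digest into the 5-char prefix that
    is sent to the API and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Turn the endpoint's 'SUFFIX:COUNT' lines into a {suffix: count} dict."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_text):
    """How often the password appears in the breach corpus for its prefix
    range (0 means it is not in that range at all)."""
    _, suffix = split_hash(password)
    return parse_range_response(range_text).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup (needs network). Only the 5-char prefix is transmitted."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "pw-hygiene-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for the prefix of "password". The live endpoint
# returns hundreds of lines; the other suffixes and all counts here are made up.
SAMPLE_RANGE = "\n".join([
    "0" * 35 + ":3",
    split_hash("password")[1] + ":1234",
    "F" * 35 + ":12",
])


def policy_check(password, range_text, min_len=12):
    """Combine a minimum-length rule with the breach lookup; returns a list of
    reasons the password should be rejected (empty list means it passes)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    seen = breach_count(password, range_text)
    if seen:
        problems.append(f"seen {seen} times in breach corpora")
    return problems
```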
Access Granted: What role can multi-factor authentication play in this situation? If agencies and organizations are utilizing MFA, wouldn’t these compromised credentials essentially be useless?
Ken Westin: A great deal actually — by requiring more than just an email and password, organizations go a long way toward protecting their network and data.
The barrier for these services traditionally was cost and challenges with deployment, but costs for these services have come down considerably and deployment has become much easier as well. That said, it will still require substantial resources to deploy across an organization.
Ken Westin is a Senior Security Analyst at Tripwire and an experienced security researcher and analyst. He has worked with law enforcement and journalists to uncover organized cybercrime rings with a special focus on incident detection, forensics and threat intelligence. His technology exploits and commentary have been featured in Mashable, Forbes and the New York Times, and he has been regularly interviewed on Bloomberg TV and Portland’s KGW and KATU. Ken is an avid mobile privacy advocate and founder of mobileprivacy.org. Ken was named in Portland Business Journal’s 2013 “40 under 40” and is a frequent speaker at Security BSides events and Toorcamp.