Some Inconvenient Truths About Credentials and Remote Access

Andy Harris

... and how to mitigate remote working risks
In this lock-down period we have all seen a massive growth in virtual private network (VPN) access to our systems. Many of us have seen big changes in the workforce due to furlough and layoffs. I talked about these issues in a recent Osirium webinar.
In general, VPN access is more risky than office-based access, and there are some uncomfortable truths about humans and credentials:
- Human-generated passwords are at least three orders of magnitude easier to brute force. Here I'm not talking about you, dear reader, but about all those people in your organisation. They all have a job to do and you ask them to refresh their passwords at the most inconvenient times. So it's no wonder they naturally pick simplistic passwords. And if it's easier to remember, you can be sure it will be in an attacker's dictionary.
- Most passwords are not actually brute-forced. They are simply intercepted in the user's desktop environment. Mostly, this is malware based on browser extensions and plug-ins. There are many key-logger toolkits available on the internet and often malware is customised to individuals. Even if you are using a password vault, the credentials will still be going through the malware. The vault isn't doing much to protect the credentials.
- Individual vaults are for individuals, not organisations. Never, ever allow your staff to use individual password vaults for corporate accounts. If they leave, the credentials leave with them. You might think it's a pain to reset the passwords on systems and devices, but once someone leaves who has their own set of credentials, you've got a lot of new pain to deal with. For example, consider VMware 6.0 onwards: if you Google "reset the root password", you'll see it's easier to buy new disks and re-install! Even then, you've still got to worry about migrating the old virtual disks to the new installation.
- VPNs are dangerous because they allow lateral movement. Not everyone just connects to the systems they should. Many prod and poke around. The bad actors will search through your networks in subtle ways. Once everyone is on the VPN, your SIEM logs will look very different, and they will be harder to analyse to find the interesting content in all the noise. The lateral movement may not come directly from the VPN, but may use a system within your infrastructure as a launch pad.
- Your staff, or what you think are your staff, are the bad actors. In general, server-based security is on an upward trend. No bad actor will attempt to subvert a bank's servers - it's just too difficult. It's much easier to infiltrate the user environment. Once malware is in the user's environment, it can track their behaviour: when they work, where they go, what credentials they use. Then the malware emulates the user's behaviour - even in a background copy of their own browser to launch probes and attacks. This kind of attack is the hardest to detect since it effectively hijacks both the user's credentials and their behaviour.
- Third parties might not have the same credential hygiene as you. They need to get work done and they will do it with anyone they can. Third parties use third parties - don't be surprised!
Principles
- There is too much VPN access, users should be limited to access only the systems they need. Application based proxies achieve this.
- The user's credentials should only be used to verify identity. Multi-factor authentication should be deployed. Extra factors defeat malware that impersonates a user. Machine-generated, long and complex credentials should be used between the proxy and the system, application, or device. These credentials should be automatically refreshed and retired when the accounts are no longer needed. There should be ONLY ONE instance of any identity allowed. A user should not be able to log in twice.
- The privileged credentials that are used on the end systems and applications should not be known to the users; these credentials should not even flow through the user's desktop at any point.
The three principles above are a separation of people from credentials, a mapping of people's identities to roles and the prevention of lateral movement through an IT infrastructure. Simply put, these principles solve all the risks associated with VPN access.
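As an added illustration of the three principles (this is example code written for this article, not Osirium's product or any real PAM implementation), here is a minimal session broker: users are mapped to roles, roles to permitted targets, MFA is required, only one live session per identity is allowed, and the target credential is machine-generated, held only inside the broker, rotated after use and retired with the account. The user names, roles and target names are constructed sample data.

```python
import secrets
import string
from dataclasses import dataclass, field

# Constructed sample mappings: identity -> role, role -> permitted targets.
ROLES = {"alice": "dba", "bob": "netops"}
ROLE_TARGETS = {"dba": {"db01"}, "netops": {"fw01", "sw01"}}
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_credential(length=40):
    """Machine-generated secret for the proxy-to-system leg; never shown to a user."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Broker:
    # Target credentials live only here; the user never receives them.
    vault: dict = field(default_factory=lambda: {
        t: generate_credential() for r in ROLE_TARGETS for t in ROLE_TARGETS[r]})
    active: dict = field(default_factory=dict)  # identity -> target of its single live session

    def open_session(self, identity, mfa_ok, target):
        """Identity-to-role check; returns (allowed, reason_or_session_handle)."""
        if not mfa_ok:
            return (False, "mfa required")
        if identity in self.active:
            return (False, "identity already has a session")
        role = ROLES.get(identity)
        if role is None or target not in ROLE_TARGETS.get(role, set()):
            return (False, "target not permitted for role")
        if target not in self.vault:
            return (False, "target credential retired")
        self.active[identity] = target
        # The broker itself would connect using self.vault[target];
        # only an opaque session handle goes back to the user's desktop.
        return (True, f"session:{identity}@{target}")

    def close_session(self, identity):
        """End the session and rotate the target credential that was used."""
        target = self.active.pop(identity, None)
        if target is not None and target in self.vault:
            self.vault[target] = generate_credential()
        return target

    def retire_target(self, target):
        """Retire a credential when the account behind it is no longer needed."""
        return self.vault.pop(target, None) is not None
```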
Privileged Access Management in action
In these lockdown times, teams haven't got the time or budget for complexity or long deployment times. Once you have your access sorted, you have time to breathe. Here's what to do to build fundamental security into what you have. Here's an example "before" diagram, where your users arrive at the VPN, and can then get to where they need (and everywhere else):

Here's the "after" diagram with the users getting to the VPN, and then using Privileged Access Management (PAM) as a gateway to create an Identity to Role mapping:

You'll see there are two secure ways into the corporate network: the VPN and direct web access. In both cases you get the identity to role mapping. The web route is particularly suited to third party access - since this way you won't need to provision them with VPN accounts.
We've presented here a fast route to good security, if you'd like to know more about this or other ways to protect your valuable IT infrastructure, please get in touch.