Breaches – As American as Baseball and Apple Pie
Major League Baseball personnel from the St. Louis Cardinals borrowed a tried and true attack vector to hack into the Houston Astros’ application called Ground Control. One difference from typical attacks that rely on stolen credentials was that the Cardinals personnel didn’t have to purchase or phish user names and passwords. While there’s never an excuse to commit a crime, one can argue that the Astros made it just too darn easy. Here’s the story.
According to articles in the Wall Street Journal and New York Times, Mr. Jeff Luhnow, now the Houston Astros’ General Manager, left the St. Louis Cardinals in 2011 and created an application similar to the one he had used in St. Louis, designed to house baseball operations information including scouting reports and player statistics. In St. Louis the application was called Redbird; in Houston it’s known as Ground Control. A key fact is that, in addition to himself, Mr. Luhnow also took some front-office personnel with him from the Cardinals.
As quoted in the article in the New York Times, “investigators believe that Cardinals personnel, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials when they worked for the Cardinals. The Cardinals employees are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.” So that’s it. Mr. Luhnow and colleagues didn’t exercise good (or any) credential hygiene after they went to their new employer. Even inside a single organization, typical policies call for changing passwords every 90 days or so. Leaving one organization to go work for a competitor ought to represent a greater risk factor and call for passwords different from any used at your previous employer.
The irony is that Mr. Luhnow is a well-known proponent of statistical analysis of a multitude of player capabilities. He’s one of these guys who studied “Moneyball” analytics and based on his success with the St. Louis Cardinals and now the Houston Astros (49 wins, 37 losses, top of their division) it’s evident his formulaic approach to potential player success is working. In other words, he’s a very smart guy.
The question then is this: Why do smart people from organizations including the Houston Astros, Target, the IRS and more become victims of credential theft-related breaches of their sensitive applications and infrastructures?
As much as the game of baseball has changed, so has access security. The new security paradigm includes measures that, used in conjunction, would very easily have prevented this particular attack. It’s no longer effective to think that old perimeter-focused solutions will suffice. The fact is credentials will be stolen, or in this case, practically given away. And once attackers are inside the network, without micro-segmentation to limit what authenticated users can reach, these types of stories will continue to make headlines. Using open, departmental VPNs is just not an effective solution anymore.
An effective security solution should be able to tell if the context of a remote connection is suspicious, such as if it originates from an unusual location or time of day, or from a device with no antivirus software installed. And it should be able to ask for additional authentication steps like one-time passwords (OTP), adjust user permissions on the fly, and ultimately block access according to the level of risk.
No one should have open access to systems and applications. Users should only be able to access the resources necessary to perform their job. Hiding all other resources also limits the damage from credential theft, because a malicious user cannot explore parts of the environment they cannot see.
Comprehensive logging and reporting also play a key role. Organizations should strive for complete visibility into how every employee and contractor account is used, and be able to respond to suspicious activity as early as possible.
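To make the three preceding points concrete (context-based risk scoring with OTP step-up, a per-user entitlement list, and an audit trail of every decision), here is an added illustration that is not part of the original post or of any vendor product. The account name, baseline values and risk weights are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class ConnectionContext:
    user: str
    country: str            # geolocation of the connecting address
    hour: int               # local hour of day, 0-23
    antivirus_running: bool
    enrolled_device: bool   # device previously registered to this account

# Constructed baselines (hypothetical account name): where and when the
# account normally connects, and the only resources it is entitled to.
BASELINES = {
    "scout01": {"countries": {"US"}, "hours": range(7, 20),
                "entitlements": {"ground-control"}},
}

AUDIT_LOG = []  # every decision is recorded so suspicious use can be reviewed

def assess(ctx: ConnectionContext) -> dict:
    """Score the connection context and decide allow / step_up / deny.
    Only the resources the account is entitled to are ever returned, so a
    stolen credential cannot be used to explore the rest of the network."""
    base = BASELINES.get(ctx.user)
    score, reasons = 0, []
    if base is None:
        score, reasons = 99, ["unknown account"]
    else:
        if ctx.country not in base["countries"]:
            score += 2; reasons.append(f"unusual location {ctx.country}")
        if ctx.hour not in base["hours"]:
            score += 1; reasons.append(f"outside normal hours ({ctx.hour}:00)")
        if not ctx.antivirus_running:
            score += 2; reasons.append("no antivirus running")
        if not ctx.enrolled_device:
            score += 1; reasons.append("unenrolled device")
    if score >= 4:
        decision, resources = "deny", set()          # too risky even with OTP
    elif score >= 1:
        decision, resources = "step_up", set(base["entitlements"])  # OTP first
    else:
        decision, resources = "allow", set(base["entitlements"])
    result = {"decision": decision, "score": score,
              "reasons": reasons, "resources": resources}
    AUDIT_LOG.append({"user": ctx.user, **result})
    return result

if __name__ == "__main__":
    for ctx in (ConnectionContext("scout01", "US", 10, True, True),
                ConnectionContext("scout01", "US", 23, True, True),
                ConnectionContext("scout01", "RU", 3, False, False)):
        print(ctx.user, assess(ctx))
```

A real deployment would feed the audit log to a SIEM and tune the weights per organization; the thresholds here simply show how the same credential yields allow, OTP challenge, or denial depending on context.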
Just as the use of statistical data analysis has changed the game of baseball, the paradigm shift in access security has resulted in the introduction of an access solution that dynamically creates a ‘segment of one’ between the user and the network resource they are entitled to. It also adjusts network access based on the user’s context, including location, device, OS, patch level, time of day, virus protection and other factors.
Is it time to change your game and learn more about dynamically segmenting your network?