VPN and Virtual Desktop Security: How Going Passwordless Could Have Prevented the Colonial Pipeline Attack
Colonial Pipeline Attack: An Identity Management Nightmare
You’ve probably seen the latest authentication and identity management nightmare sweeping the US: the Colonial Pipeline attack. In case you need to catch up, here’s a brief review of the timeline: the Colonial Pipeline shut down operations after a ransomware attack last weekend. This left the East Coast of the United States in a gasoline shortage. Since then, the pipeline has resumed operations, but it will still take several days for the product delivery supply chain to return to normal operations.
What was the first step of this ransomware attack? The hackers stole a password. According to a FireEye report about the Colonial Pipeline Attack, “the threat actor appeared to obtain initial access through corporate VPN infrastructure using legitimate credentials.”
What’s the significance of this? A passwordless solution would have made this type of attack virtually impossible.
The reality about VPN access and Virtual Desktop authentication
Does using a VPN actually protect you from cyber-attacks? In actuality, it does not, because if the employee needs to enter a username and a password for VPN and/or virtual desktop authentication, the company is at risk of a cyber-attack. If user data is stored in a centralized repository, then the cybercriminal feels like a kid in a candy store.
Passwords (and authentication systems that use them) expose systems to cyber-attacks
To be frank, passwords are obsolete because hackers have access to inexpensive technology that cracks them in no time. Anyone can buy the needed tools on the Dark Web for a fraction of a Bitcoin. Two-factor authentication (2FA) and multi-factor authentication (MFA) solutions are far less secure than their vendors want to admit.
With only 2FA, an individual’s passwords, which is the first authentication factor, can be stolen. You can guess what happens with the second authentication factor if an employee clicks on a phishing link.
There are 2FA solutions that involve basic biometrics as a second factor of authentication, but Touch ID and Face ID do not identify the person using the phone (you can have multiple fingers/faces registered).
Hackers are seasoned criminals and they can set up or reconfigure two-factor authentication to keep the real account holder out of his or her own accounts. Employing “real” biometrics such as face or iris scanners is cumbersome and expensive – thus why they are almost never in use for remote workers, until now.
Does bulletproof authentication even exist?
Spoiler alert: Yes it does, and it is passwordless, but there cannot be bulletproof authentication without an indisputable identity proofing process beforehand that ultimately leaves no room for uncertainties concerning the employee’s identity.
Indisputable identity proofing must involve the triangulation of a user claim (photo ID, physical address, for example) with government-issued documents (driver’s license, passport) and multiple sources of truth (bank account, email and physical addresses, passport RFID chip, credit cards, loyalty programs, etc.), including advanced biometrics, like a liveness test.
Government-issued documents, sources of truth and advanced biometrics operate a series of data checks and verifications to prove an individual’s identity and leverage this process each time the same individual needs authentication to access a system or a service online.
This degree of identification reaches the highest level of identity assurance per the NIST 800-63-3 guidelines, or IAL2. 1Kosmos’ BlockID is the only passwordless solution on the market at the moment that focuses on indisputable ID-proofing to reach IAL2.
What more is required to eliminate identity compromises?
The communication between a user and a VPN access or virtual desktop solution is encrypted. But what about the identity information used to authenticate? It is most likely stored unencrypted in a centralized database, which is supported by legacy software, and that operates with numerous single points of failure, making the whole infrastructure a high target for hackers.
The only alternative to a centralized system is a decentralized system, with the user data stored encrypted on a private Blockchain, which among other benefits is impervious to cyberattacks. With a Blockchain network, most domestic and international guidelines on transparency, privacy rights, and data security are being respected and followed.
1Kosmos stores user data, including their biometrics, encrypted on a private Blockchain to ensure their integrity at all times. Of course, like with any Blockchain, the key for user data is kept with the user, which means only they can authorize its access.
To conclude
No employee, customer or citizen wants to have his personal and financial information for sale on the Dark Web and endure the consequences of identity theft. No business should risk being the target of a cyberattack because the consequences can be disastrous: gas shortages, loss of credibility, market share, and plunging stock price, among others. BlockID by 1Kosmos eliminates identity compromises. Feel free to contact me to continue the discussion.