Why are North Carolina gas prices close to $3.00 a gallon as I write this post?
Some might say it’s the Colonial Pipeline ransomware attack.
But based on a recently published Newsweek story, I think we can answer that question even more specifically. The fact is, gas prices have skyrocketed because Colonial Pipeline had “an unprotected VPN account.”
Yes, we now know that a virtual private network (VPN)—something your business perhaps relied on during the pandemic—was the Achilles’ heel of the Colonial Pipeline fiasco.
Here’s a snippet from the Newsweek piece:
“The criminal gang…gained access to the Pipeline’s system through an unprotected VPN account that had been set up to allow employees to access the company’s computer networks remotely, according to an interview Charles Carmakal, senior vice president at the security firm Mandiant gave to Bloomberg. He noted that the account was no longer in use by an employee, but was still active and accessible to the hackers.” [Emphasis mine]
For business owners like the ones I interact with, I want to point out a few takeaways from this incident (besides the obvious reality that everyone should keep a can of gas for emergencies like this!).
Here are some observations…
1. Security tools only work if they’re set up correctly.
When you think of a VPN, you think of a tool that’s supposed to keep your network safe from hackers, right?
Yes, a properly configured VPN keeps attackers from reading your traffic and shields internal systems from the open internet. But the VPN gateway is also a door into your network, and every account on it is a key to that door. However…
A cybersecurity solution doesn’t automatically mitigate your risk. Security mechanisms must be set up correctly (and maintained) to be effective.
This principle is true for data backups, antivirus software, and other tools that IT professionals implement.
For example, a firewall is designed to protect your network. But if the firewall’s management interface is reachable from the internet and still uses the vendor’s default username and password, your network is wide open. Those default credentials are printed in the product manual, so all it takes is a quick Google search to find them and log in. A faulty setup renders the firewall completely ineffective.
2. Remote work, done carelessly, can introduce risk.
I’d like to point out another issue with this incident—especially in the aftermath of COVID-19: There was a remote-work element in play.
The fact that Colonial Pipeline had a VPN wasn’t unusual. Aren’t most companies using technology to accommodate offsite workers these days? And a VPN is generally considered a protective measure.
However, this was a case of remote work done carelessly.
Colonial Pipeline used “an unprotected VPN account.” In other words, the organization created a way to accommodate offsite workers, but whoever was responsible hadn’t implemented that solution well.
Is your team using work-from-home (WFH) tools but only has a cursory knowledge of them? Are there solutions you employed in 2020 that may be exposing your company to risk?
Relating to its Mobile Security Index, Verizon reports, “Nearly half (49 percent) of businesses surveyed said that changes to remote working practices made during lockdown adversely affected their cybersecurity.”
Is the same true for your organization? If so, let’s tighten your cybersecurity before you face a crisis.
3. Don’t neglect IT maintenance.
Newsweek mentioned that Colonial Pipeline’s “[VPN] account was no longer in use.”
I don’t know why the company’s IT department or vendor kept this account open. Although the VPN account already had a weakness to begin with (no MFA, as discussed below), perhaps simple IT maintenance (i.e., closing the account) would have prevented this cybercrime.
Remember, neglected IT assets = risk.
So close unused accounts. Update your software regularly. Revoke former employees’ access to company email and systems the day they leave, including VPN and other remote-access accounts. Ensure your IT infrastructure undergoes a “house cleaning” on a regular basis, and put remote-access accounts at the top of that list.
IT maintenance won’t end cybercrime, but it can prevent a breach like this one.
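Here is what that “house cleaning” looks like in practice. The script below is an added example, not something from the original post or from Colonial Pipeline: it reads a small, constructed CSV export of VPN accounts (the kind most VPN appliances and directory services can produce) and flags every account that should be disabled, whether because its owner has left, because it has sat idle for more than 90 days, because it has never been used, or because MFA is not enforced on it. The column names, the 90-day threshold and the sample accounts are all assumptions; adapt them to your own export.

```python
"""
Stale remote-access account audit.
Added example (not from the original post). Column names, the idle
threshold and the sample rows below are assumptions for illustration.
"""
import csv
import io
from datetime import datetime

# Constructed sample export: what a VPN or identity-provider account report
# might look like. A blank last_login means the account was never used.
SAMPLE_EXPORT = """\
username,last_login,employee_status,mfa_enabled
alice,2021-05-03,active,yes
bob,2021-01-14,active,no
carol,,active,no
dave,2021-04-30,terminated,no
erin,2021-05-06,active,yes
"""


def parse_export(text):
    """Turn the CSV text into dicts with typed last_login / mfa_enabled fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_login"].strip()
        row["last_login"] = (
            datetime.strptime(last, "%Y-%m-%d").date() if last else None
        )
        row["mfa_enabled"] = row["mfa_enabled"].strip().lower() == "yes"
        rows.append(row)
    return rows


def audit_accounts(rows, today, max_idle_days=90):
    """Return (username, reason) pairs for every account that needs action.

    An account can appear more than once when several rules apply to it.
    """
    findings = []
    for row in rows:
        user = row["username"]
        # A departed employee's account is the Colonial Pipeline case: still
        # active, nobody watching it.
        if row["employee_status"].strip().lower() != "active":
            findings.append((user, "owner no longer employed: disable immediately"))
        if row["last_login"] is None:
            findings.append((user, "never used: remove or disable"))
        elif (today - row["last_login"]).days > max_idle_days:
            findings.append((user, f"idle > {max_idle_days} days: disable pending review"))
        if not row["mfa_enabled"]:
            findings.append((user, "MFA not enforced: enable before next use"))
    return findings


def run_audit(export_text=SAMPLE_EXPORT, today="2021-05-07", max_idle_days=90):
    """Convenience wrapper: audit a CSV export as of the given ISO date."""
    as_of = datetime.strptime(today, "%Y-%m-%d").date()
    return audit_accounts(parse_export(export_text), as_of, max_idle_days)


if __name__ == "__main__":
    for user, reason in run_audit():
        print(f"{user:8} {reason}")
```

Run it on a real export on a schedule (weekly is a reasonable start) and treat every line of output as a ticket. The point of the “never used” rule is that an account created for a contractor or a one-off project and then forgotten is exactly the kind of asset nobody is maintaining.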
4. The details matter—always.
I can’t miss this opportunity to hammer home our company’s core message: The details matter.
Consider that the Newsweek article mentioned the following information:
“The VPN account was lacking in multifactor authentication…This lack of security precaution means there are more potential ways hackers could have found the compromised username and password and breached Colonial Pipeline’s network.”
Had Colonial Pipeline required MFA on every VPN account, entering the right password would not have been enough. The attackers would also have needed a one-time code or another form of verification tied to the legitimate user before the VPN let them in. And thus the attack might have been prevented.
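To make that concrete, here is an added example (not code from the original post, and not Colonial Pipeline’s system) of a login check that demands both a password and a time-based one-time code. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with nothing but the Python standard library, stores the password as a PBKDF2 hash, and refuses any login that has the right password but no valid code. The user record, the password, and the shared secret (the RFC 6238 test-vector secret, which is why the expected codes are known) are constructed for illustration; the function names are mine.

```python
"""
Password + TOTP gate for a VPN-style login.
Added example (not from the original post). make_user / verify_login and the
sample credentials are illustrative; hotp/totp follow RFC 4226 / RFC 6238.
"""
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(key, int(at) // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, totp_secret: bytes, enabled: bool = True) -> dict:
    """Constructed user record: salted password hash plus the MFA shared secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret,
        "enabled": enabled,
    }


def verify_login(user: dict, password: str, otp, now=None, window: int = 1) -> bool:
    """Allow access only if the account is enabled, the password matches, AND
    the one-time code is valid for the current step or `window` steps either
    side (to tolerate clock drift). Both factors are always evaluated so a
    wrong password and a wrong code are indistinguishable to the caller."""
    if not user["enabled"]:
        return False  # an offboarded account fails before any secret is checked
    now = int(time.time()) if now is None else int(now)
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = False
    if otp is not None:
        for delta in range(-window, window + 1):
            expected = totp(user["totp_secret"], now + delta * STEP_SECONDS)
            if hmac.compare_digest(expected, str(otp)):
                otp_ok = True
    return pw_ok and otp_ok


if __name__ == "__main__":
    # RFC 6238 test-vector secret, so the code at t=59 is the documented 287082.
    secret = b"12345678901234567890"
    user = make_user("correct horse battery staple", secret)
    print("password only:      ", verify_login(user, "correct horse battery staple", None, now=59))
    print("password + code:    ", verify_login(user, "correct horse battery staple", totp(secret, 59), now=59))
    print("stolen code, bad pw:", verify_login(user, "guess", totp(secret, 59), now=59))
```

The first line of output is the Colonial Pipeline scenario: a correct, stolen password and nothing else. With MFA enforced it is simply a failed login. Two design notes: compare codes and hashes with `hmac.compare_digest`, and keep the acceptance window small (one step either side is plenty), because every extra step you accept is another code an attacker could replay.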
MFA may seem like a small detail. And a single VPN account may seem insignificant in the entire scheme of your business operations.
But friends, the details matter. They always have, and they always will.
You may think that MFA isn’t as important as your quarterly revenue. You may think it’s okay that your IT infrastructure rarely—if ever—undergoes maintenance. You may think you don’t need to secure your remote work setup.
But that mindset is a ticking timebomb.
A single VPN account is a big reason why you and I are paying nearly $3.00 a gallon for gas here in Charlotte.
Don’t think that you can neglect the details of IT security and never risk damage to your operations, revenue, brand, or reputation.
Bad actors are looking for victims. Don’t be one of them.
Dedicated to IT security and productivity,
P.S. As always, I welcome your calls and emails. Please reach out at email@example.com or 704-464-3075 extension 3.
About Steve Kennen
As an expert in information technology infrastructure management, cybersecurity, and cyber risk management practices for small businesses, Steve spearheads initiatives that keep his clients secure and their business operations running smoothly. His core message is that the details matter.