How to Stop a Cybersecurity Breach from an Account Belonging to a Former Employee

Cybersecurity breaches are dangerous for any business, but they are especially dangerous when they involve the accounts of former employees. A recent CISA advisory described how a former employee’s administrator account was used to gain unauthorized access to a state government’s network. This incident shows how important it is to protect credentials, use multi-factor authentication (MFA), review access regularly, segment privileges, and harden Azure AD settings. In this blog post we discuss the key lessons from this breach and how you can keep it from happening to your organization.

Credential Security

The first lesson from this breach is how important it is to keep credentials secure, especially for accounts with broad access. The attack was enabled by credentials stolen in a separate data leak: the attacker could use the same username and password for the former employee’s administrator account because the same credentials had been exposed for another account in an earlier breach. This technique, known as credential stuffing, is popular because it exploits the fact that many people reuse the same password across multiple accounts.

To counter credential stuffing, enforce strong password rules for your users, such as requiring passwords of at least eight characters and regular password changes. Monitor your accounts for signs of unauthorized or suspicious activity, such as failed sign-in attempts or sign-ins from unexpected devices or locations. Use a password manager to generate and store a separate password for every account, and never reuse passwords across sites.
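The monitoring described above can be automated over an exported sign-in log. The following is an added example (not code from the original post or from CISA) that flags the credential-stuffing signature the post describes: a burst of failed sign-ins from many different source IPs, followed by a success from an IP the user has never signed in from. The record layout, the sample events and the thresholds are all assumptions.

```python
"""Added example (not from the original post): flag sign-in patterns that look like
credential stuffing in an exported sign-in log. Field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data): ISO time, user, source IP, outcome.
# alice: two normal successes, then a burst of failures from several IPs followed by a
#        success from a never-seen IP (the credential-stuffing "hit").
# bob:   only two failures; below the threshold.
# carol: a user mistyping her own password from her usual IP; must not be flagged.
SAMPLE_EVENTS = [
    ("2024-01-10T08:00:00", "alice", "203.0.113.5", "success"),
    ("2024-01-10T09:00:00", "alice", "203.0.113.5", "success"),
    ("2024-01-10T22:00:00", "alice", "198.51.100.7", "failure"),
    ("2024-01-10T22:00:05", "alice", "198.51.100.8", "failure"),
    ("2024-01-10T22:00:09", "alice", "198.51.100.9", "failure"),
    ("2024-01-10T22:00:14", "alice", "198.51.100.10", "failure"),
    ("2024-01-10T22:00:20", "alice", "198.51.100.11", "success"),
    ("2024-01-10T22:00:21", "bob", "198.51.100.12", "failure"),
    ("2024-01-10T22:00:23", "bob", "198.51.100.13", "failure"),
    ("2024-01-11T07:30:00", "carol", "203.0.113.20", "failure"),
    ("2024-01-11T07:30:30", "carol", "203.0.113.20", "failure"),
    ("2024-01-11T07:31:00", "carol", "203.0.113.20", "success"),
]

# Assumed detection thresholds; tune them to your own baseline.
WINDOW = timedelta(minutes=10)
MIN_FAILURES = 3
MIN_DISTINCT_IPS = 3


def detect_stuffing(events, window=WINDOW, min_failures=MIN_FAILURES, min_ips=MIN_DISTINCT_IPS):
    """Return {user: finding} for users whose sign-ins match a stuffing pattern.

    A user is flagged 'suspected_stuffing' when, inside `window`, at least `min_failures`
    failures arrive from at least `min_ips` distinct source IPs (one IP hammering one
    account is a lockout or a typo, not stuffing). If a success then comes from an IP
    the user has never succeeded from before, the finding becomes 'probable_compromise'.
    """
    by_user = defaultdict(list)
    for ts, user, ip, result in sorted(events):  # ISO strings sort chronologically
        by_user[user].append((datetime.fromisoformat(ts), ip, result))

    findings = {}
    for user, rows in by_user.items():
        known_good_ips = set()   # IPs this user has successfully signed in from before
        recent_failures = []     # (timestamp, ip) pairs still inside the window
        for ts, ip, result in rows:
            recent_failures = [(t, i) for t, i in recent_failures if ts - t <= window]
            if result == "failure":
                recent_failures.append((ts, ip))
                distinct = {i for _, i in recent_failures}
                if len(recent_failures) >= min_failures and len(distinct) >= min_ips:
                    findings[user] = {"level": "suspected_stuffing",
                                      "failures": len(recent_failures),
                                      "ips": sorted(distinct)}
                continue
            # Success: escalate only if it follows a flagged burst and comes from a new IP.
            if (user in findings and findings[user]["level"] == "suspected_stuffing"
                    and recent_failures and ip not in known_good_ips):
                findings[user] = {**findings[user], "level": "probable_compromise",
                                  "success_ip": ip}
            known_good_ips.add(ip)
    return findings


if __name__ == "__main__":
    for user, finding in detect_stuffing(SAMPLE_EVENTS).items():
        print(user, finding)
```

The distinct-IP requirement is what separates stuffing from an ordinary lockout: carol fails twice from her usual address and is ignored, while alice is escalated because the success arrives from an address that never appeared in her history. A 'probable_compromise' finding is the trigger for the response steps the post lists later (password reset, session revocation, MFA enforcement).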

MFA Is Important

The second lesson is that every protected account needs multi-factor authentication (MFA). MFA is a security control that requires more than one piece of evidence before a user is authenticated, for example a password together with a code sent to their phone or email. MFA adds protection against phishing, credential stuffing, and other attacks that rely on stolen or guessed passwords.

The accounts compromised in this case did not have MFA enabled, which made it easier for the attacker to get in. Had MFA been turned on, the attacker would also have needed a code or hardware key as the second factor, which would have been much harder to obtain. You should therefore require MFA for all accounts, but especially for privileged ones such as admin, Global Administrator, and service accounts. Educate your users about the benefits and best practices of MFA, and give them the tools and support they need to set it up.

Access Hygiene

Third, this breach shows how important it is to regularly review and remove unused accounts, especially those of former employees. Attackers or insiders can use dormant accounts to reach sensitive data or resources, which puts your network at serious risk. Disabling accounts that are no longer in use reduces both the likelihood of an attack and the damage it can do.

In this case, the breach happened because a former employee’s administrator account had not been disabled after they left the organization. Because this account had full network access, including the VPN, the attacker could bypass the firewall and reach internal systems. To avoid this, have a clear and consistent offboarding process that removes access from employees’ accounts when they leave or change roles. Run access reviews regularly to find and remove any accounts that are no longer needed or authorized.
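The access review described above is easy to script against a directory export joined with HR status. Below is an added example (not code from the original post) that lists enabled accounts belonging to terminated staff, accounts that have never signed in, and accounts idle beyond an assumed 90-day policy, then produces an ordered offboarding checklist for one of them. The export fields, the sample accounts, the review date and the inactivity threshold are assumptions.

```python
"""Added example (not from the original post): review a directory export for accounts
that should have been disabled. Field names, dates and thresholds are assumptions."""
from datetime import date, timedelta

# Constructed directory export (not real accounts). `employment` comes from HR;
# `last_sign_in` is None when the account has never signed in.
SAMPLE_ACCOUNTS = [
    {"upn": "alice@example.test", "enabled": True, "last_sign_in": "2024-02-28",
     "employment": "active", "roles": []},
    {"upn": "admin-old@example.test", "enabled": True, "last_sign_in": "2023-11-02",
     "employment": "terminated", "roles": ["Global Administrator"]},
    {"upn": "svc-backup@example.test", "enabled": True, "last_sign_in": None,
     "employment": "service", "roles": []},
    {"upn": "dave@example.test", "enabled": True, "last_sign_in": "2023-10-01",
     "employment": "active", "roles": []},
    {"upn": "erin@example.test", "enabled": False, "last_sign_in": "2023-06-01",
     "employment": "terminated", "roles": []},
]

INACTIVE_DAYS = 90               # assumed policy: 90 days without a sign-in means review
REVIEW_DATE = date(2024, 3, 1)   # assumed date on which the review is run


def review_accounts(accounts, today=REVIEW_DATE, inactive_days=INACTIVE_DAYS):
    """Return [(upn, reason, severity)] for enabled accounts that need action.

    Terminated-but-enabled accounts are the scenario from the post and rank highest;
    a privileged one is critical. Never-used and long-inactive accounts are attack
    surface with no business justification, so they are listed for review as well.
    """
    cutoff = today - timedelta(days=inactive_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing to do
        privileged = bool(acct["roles"])
        last = date.fromisoformat(acct["last_sign_in"]) if acct["last_sign_in"] else None
        if acct["employment"] == "terminated":
            findings.append((acct["upn"], "terminated_but_enabled",
                             "critical" if privileged else "high"))
        elif last is None:
            findings.append((acct["upn"], "never_signed_in", "medium"))
        elif last < cutoff:
            findings.append((acct["upn"], f"inactive_{inactive_days}d",
                             "high" if privileged else "medium"))
    return findings


def offboarding_steps(account):
    """Ordered actions for one departing account (assumed checklist, ordered so the
    door closes first: disable, then revoke, then clean up)."""
    steps = ["disable sign-in",
             "revoke active sessions and refresh tokens",
             "reset the password so previously leaked credentials stop working"]
    if account["roles"]:
        steps.append("remove directory roles: " + ", ".join(account["roles"]))
    steps += ["remove VPN and group memberships",
              "record the removal in the access review log"]
    return steps


if __name__ == "__main__":
    for finding in review_accounts(SAMPLE_ACCOUNTS):
        print(finding)
    print(offboarding_steps(SAMPLE_ACCOUNTS[1]))
```

Joining on HR status is the important part: last-sign-in age alone would have rated the former employee’s admin account as merely inactive, whereas the HR flag marks it critical the day the person leaves.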

Segmentation of Privileges

Fourth, this breach shows how important it is to follow the principle of least privilege and to keep separate admin accounts for each environment. The principle of least privilege says that users should have only the minimum access they need to do their jobs. This reduces the chance that an accidental or unauthorized action will harm the security or stability of the network.

In this case, the breach involved an administrator account with access to both the on-premises and the cloud environment. The attacker could use this account to sign in to the Azure AD portal, create new accounts, assign them roles, and change their passwords. This gave the attacker full control of the cloud environment, which could have allowed them to exfiltrate data, deploy ransomware, or carry out other malicious activity. To avoid this, create separate administrator accounts for each environment (on-premises, cloud, and hybrid). Restrict the scope and lifetime of these accounts, and monitor what they do.

Setting up Azure AD

The fifth lesson is how important it is to harden the default settings of Azure AD and to understand what Global Administrator rights mean. Azure AD is a cloud-based identity and access management service that provides features such as single sign-on and multi-factor authentication for your cloud applications. But Azure AD also ships with some default options that can unintentionally let threat actors reach sensitive information and elevated levels of access.

In this case, the Global Administrator role, which grants the highest level of privilege in Azure AD, was used to defeat security. With this role you can create and manage users, groups, domains, roles, and policies, and access every administrative tool in Azure AD. The attacker could assign this role to a newly created account and use that account to sign in to the Azure AD portal. To prevent this, reduce the number of Global Administrators in your organization and move them to roles with more limited access. Review and change some of Azure AD’s default settings as well, such as password expiration, guest sign-in, and self-service password reset.
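The three checks from the MFA, privilege segmentation and Global Administrator sections above can be run together over a role-assignment export. The following is an added example (not code from the original post or from Microsoft) that counts Global Administrators against an assumed organizational limit, lists privileged accounts with no MFA registered, and lists accounts that hold privileged roles in both the on-premises directory and the cloud. The export layout, the sample principals, the privileged-role sets and the limit are assumptions; the role and group names used are standard Azure AD and Active Directory names.

```python
"""Added example (not from the original post): audit a role-assignment export for too many
Global Administrators, privileged accounts without MFA, and admin accounts that span
on-premises and cloud. Export fields and thresholds are assumptions."""

# Constructed role export (not real accounts).
SAMPLE_PRINCIPALS = [
    {"upn": "alice@example.test", "cloud_roles": [],
     "onprem_groups": ["Domain Users"], "mfa_registered": True},
    {"upn": "ga-alice@example.test", "cloud_roles": ["Global Administrator"],
     "onprem_groups": [], "mfa_registered": True},   # dedicated cloud-only admin: fine
    {"upn": "bob@example.test", "cloud_roles": ["Global Administrator"],
     "onprem_groups": ["Domain Admins"], "mfa_registered": False},  # spans both, no MFA
    {"upn": "carol@example.test", "cloud_roles": ["Global Administrator"],
     "onprem_groups": [], "mfa_registered": True},
    {"upn": "helpdesk@example.test", "cloud_roles": ["Global Administrator"],
     "onprem_groups": [], "mfa_registered": True},   # a GA that likely needs a lesser role
    {"upn": "dave@example.test", "cloud_roles": ["User Administrator"],
     "onprem_groups": ["Domain Users"], "mfa_registered": False},
]

# Assumed sets of what counts as privileged; extend for your tenant and forest.
PRIVILEGED_CLOUD_ROLES = {"Global Administrator", "Privileged Role Administrator",
                          "User Administrator"}
PRIVILEGED_ONPREM_GROUPS = {"Domain Admins", "Enterprise Admins"}
MAX_GLOBAL_ADMINS = 3  # assumed organizational limit


def is_cloud_privileged(principal):
    """True when the account holds any role from the privileged cloud set."""
    return bool(set(principal["cloud_roles"]) & PRIVILEGED_CLOUD_ROLES)


def audit_privileged(principals, max_global_admins=MAX_GLOBAL_ADMINS):
    """Return a report dict covering the three findings described above."""
    global_admins = [p["upn"] for p in principals
                     if "Global Administrator" in p["cloud_roles"]]
    # MFA must be registered on every privileged account, not just enforced on paper.
    without_mfa = [p["upn"] for p in principals
                   if is_cloud_privileged(p) and not p["mfa_registered"]]
    # An account privileged in both environments is the single point of failure the
    # post warns about: one leaked credential opens on-premises and cloud at once.
    unsegmented = [p["upn"] for p in principals
                   if is_cloud_privileged(p)
                   and set(p["onprem_groups"]) & PRIVILEGED_ONPREM_GROUPS]
    return {
        "global_admin_count": len(global_admins),
        "global_admins": global_admins,
        "too_many_global_admins": len(global_admins) > max_global_admins,
        "privileged_without_mfa": without_mfa,
        "unsegmented_admins": unsegmented,
    }


if __name__ == "__main__":
    for key, value in audit_privileged(SAMPLE_PRINCIPALS).items():
        print(f"{key}: {value}")
```

In the sample, bob appears in two findings at once, which is exactly the profile of the account in the post: a single set of credentials, no second factor, and reach into both environments. The helpdesk account is counted toward the Global Administrator limit to make the point that the count, not the name, is what the review should act on.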

Preventative Steps

The sixth lesson is how important it is to take proactive steps to strengthen your defenses. When the state government discovered the breach, it took several actions to contain and remediate it: resetting passwords, removing elevated privileges, enabling MFA, and reviewing access. These steps limited the damage and stopped it from spreading.

But these steps could have been taken before the breach, to prevent or deter the attack in the first place. Making them a routine part of your security program makes your defenses much stronger and more resilient. You should also test, monitor, and assess your network’s security regularly to find and fix any gaps or weak points.

Awareness of Default Permissions

The seventh and final lesson is that people need to be aware of the roles and permissions that cloud environments grant by default. Azure and other cloud platforms offer many benefits, such as scalability, flexibility, and cost savings. They also bring challenges, such as complexity, shared responsibility, and a larger attack surface. It is therefore important to know which roles and permissions you get by default in the cloud and how they can affect your security.

In this case, it was the default User role, which is assigned to every Azure AD user, that was used. Users with this role can view their profiles, change their passwords, and consent to applications, among other basic functions. But this role also lets users join devices to Azure AD, which can be a security risk. The attacker was able to join a device to Azure AD and use that device to connect to the VPN. To prevent this, disable the default User role and create custom roles with fewer permissions. Also review and adjust the default Azure permissions for devices, apps, and services.

In conclusion

This breach is a stark reminder of how quickly the cybersecurity landscape changes. We need to stay alert, keep our security controls up to date, and teach our teams why good security hygiene matters. Following the key lessons from this breach will help keep your organization from suffering a similar incident.
