On June 8, 2021, Colonial Pipeline CEO Joseph Blount testified to a U.S. Senate committee about the recent ransomware attack on the company. While most of the attention to his testimony has focused on the propriety of paying the roughly $4.4 million ransom to the DarkSide hacking group, I believe there is a more important takeaway from Blount's testimony.
What is the most important takeaway from the Colonial Pipeline ransomware attack?
The most important takeaway was how the threat actors got into the company's network: through a legacy VPN (virtual private network) that was not protected by MFA (multi-factor authentication, also called two-factor authentication).
"In the case of this particular legacy VPN, it only had single-factor authentication. It was a complicated password, I want to be clear on that. It was not a Colonial123-type password."
Sources: "Senators Scrutinize Cybersecurity Failure of Colonial Pipeline", Courthouse News; "Hackers Only Needed a Single Password to Disrupt Colonial Pipeline, CEO Testifies", Insurance Journal.
It has been well known for some time that internet-facing services and systems without MFA are among the most common ways threat actors gain a foothold in a network. Requiring MFA on every such service is generally considered one of the "basics" of good cyber hygiene.
If your company still has external services or systems that are not protected by MFA, get this corrected immediately! For more recommendations, see this Good Cyber Hygiene Checklist.
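One practical way to find the "legacy VPN" problem before an attacker does is to look at your own gateway logs and ask, per session: did this login ever pass a second factor? The script below is an added example, not code from the original post or from Colonial Pipeline; the log lines are constructed for illustration, and the key=value layout and event names (AUTH_PASSWORD_OK, AUTH_MFA_OK, SESSION_ESTABLISHED) are assumptions standing in for whatever your VPN product actually emits. It correlates events by gateway and session id, flags sessions that were established on a password alone, and then lists gateways on which no established session ever recorded an MFA success, which is the signature of a gateway that simply has no MFA configured.

```python
"""Flag VPN sessions established on a password alone, and gateways with no MFA at all.

Added example. The log format below is a constructed, generic
'timestamp key=value ...' layout; adapt parse_line() and the event names to
your gateway's real log schema.
"""
import re
from collections import defaultdict

# Constructed sample log (not from any real product or incident).
SAMPLE_LOG = """\
2021-04-29T08:12:01Z gw=vpn-legacy event=AUTH_PASSWORD_OK user=jdoe session=101 src=203.0.113.5
2021-04-29T08:12:02Z gw=vpn-legacy event=SESSION_ESTABLISHED user=jdoe session=101 src=203.0.113.5
2021-04-29T08:15:10Z gw=vpn-main event=AUTH_PASSWORD_OK user=asmith session=202 src=198.51.100.7
2021-04-29T08:15:14Z gw=vpn-main event=AUTH_MFA_OK user=asmith session=202 method=totp
2021-04-29T08:15:15Z gw=vpn-main event=SESSION_ESTABLISHED user=asmith session=202 src=198.51.100.7
2021-04-29T08:20:00Z gw=vpn-main event=AUTH_PASSWORD_OK user=bwong session=303 src=198.51.100.9
2021-04-29T08:20:30Z gw=vpn-main event=AUTH_MFA_FAIL user=bwong session=303 method=push
2021-04-29T08:20:31Z gw=vpn-main event=SESSION_DENIED user=bwong session=303
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group("kv"):
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" not in token:
            return None  # malformed line: skip it rather than guess
        k, v = token.split("=", 1)
        fields[k] = v
    fields["ts"] = m.group("ts")
    return fields


def correlate_sessions(log_text):
    """Group events by (gateway, session id) and record which auth steps succeeded."""
    sessions = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or "gw" not in ev or "session" not in ev:
            continue
        key = (ev["gw"], ev["session"])
        s = sessions.setdefault(key, {
            "gw": ev["gw"], "session": ev["session"], "user": ev.get("user"),
            "src": None, "password_ok": False, "mfa_ok": False, "established": False,
        })
        if ev.get("src"):
            s["src"] = ev["src"]  # not every event carries the client address
        event = ev.get("event")
        if event == "AUTH_PASSWORD_OK":
            s["password_ok"] = True
        elif event == "AUTH_MFA_OK":
            s["mfa_ok"] = True
        elif event == "SESSION_ESTABLISHED":
            s["established"] = True
        # AUTH_MFA_FAIL / SESSION_DENIED change nothing: a denied session is not a finding
    return sessions


def find_single_factor_sessions(log_text):
    """Sessions that were established after a password check with no MFA success."""
    return [
        s for s in correlate_sessions(log_text).values()
        if s["established"] and s["password_ok"] and not s["mfa_ok"]
    ]


def gateways_without_mfa(log_text):
    """Gateways on which no established session ever recorded an MFA success.

    A gateway where every login goes straight from password to session is the
    'legacy VPN' pattern; a gateway with a mix of MFA and non-MFA sessions is a
    per-user policy gap instead and shows up only in find_single_factor_sessions().
    """
    per_gw = defaultdict(lambda: {"established": 0, "with_mfa": 0})
    for s in correlate_sessions(log_text).values():
        if s["established"]:
            per_gw[s["gw"]]["established"] += 1
            if s["mfa_ok"]:
                per_gw[s["gw"]]["with_mfa"] += 1
    return sorted(gw for gw, c in per_gw.items() if c["with_mfa"] == 0)


if __name__ == "__main__":
    for s in find_single_factor_sessions(SAMPLE_LOG):
        print(f"single-factor login: gw={s['gw']} user={s['user']} "
              f"src={s['src']} session={s['session']}")
    print("gateways with no MFA on any established session:",
          gateways_without_mfa(SAMPLE_LOG))
```

On the constructed sample this reports the jdoe session on vpn-legacy and names vpn-legacy as a gateway with no MFA at all; the asmith session passed TOTP, and the bwong session never got past the failed push, so neither is a finding. Run the same correlation over a week of real logs and the gateway list is your inventory of external services that still need MFA.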
Watch Blount’s full testimony here: