Evaluating Security Practices in Response to Colonial Pipeline And South Korean KAERI Attacks
Zero Trust and Enforcing the Principle of Least Privilege Have Become Crucially Important.
By Garret Grajek, CEO, YouAttest
In recent news, we have seen several high-profile attacks on major institutions in the United States and abroad. In early May of this year, Colonial Pipeline in the United States was attacked, and late last month it was reported that a North Korean hacking group, Kimsuky, breached the network of the Korea Atomic Energy Research Institute (KAERI) on May 14th. KAERI was established in 1959 to achieve self-reliance in nuclear core technologies and has since achieved that goal, making it a prime target for an energy-starved North Korea. In the wake of these attacks, we must reflect on the strengths and weaknesses of the cybersecurity mitigations we have in place and look to bolster those efforts.
In the case of the South Korean attack, if the North Korean espionage group successfully exfiltrated information, it is believed this could be the largest security breach in South Korea since the attack on the defense ministry in 2016. The group could have gained access to information that would benefit North Korea's nuclear programs, as KAERI holds information on small modular reactors and other power sources. This is especially valuable information for North Korea, as only 26% of its population has access to electricity.
Kimsuky, according to United States officials, is likely tasked by North Korea with a global intelligence-gathering mission. This is not the first attack Kimsuky has launched against South Korean infrastructure: the group succeeded in attacking Korea Hydro & Nuclear Power Co. Ltd back in 2014. The group has also been credited with several other attacks on South Korea using a backdoor called AppleSeed that targets Windows and Android systems.
In response to the claims about the attack, KAERI issued a statement explaining that an unidentified outsider accessed parts of its systems by exploiting a weakness in its virtual private network (VPN). KAERI said it blocked the attacker's IP address and updated its security after the intrusion was discovered on May 31st. The damage from this hack is not yet known.
Incidents like this highlight to the world that critical infrastructure components can be vulnerable to cyberattacks. In response, we need to ensure that the organization's security objectives are clear and met. The focus should not be merely satisfying a compliance requirement but pursuing real security objectives that prevent future attacks.
It is standard procedure for companies adhering to a given compliance level to check their networks daily for vulnerabilities. Such practices are in place because we assume there could be a malicious actor looking to exploit any vulnerability to gain entry to our systems. For vital infrastructure such as water and energy enterprises in the United States and abroad, we also need to examine our identity privileges and our adherence to the Principle of Least Privilege, since that is the industry best practice for limiting the damage a successful intrusion can do.
When we look at the Principle of Least Privilege (PoLP), we can see the advantages of ensuring that users, systems, and processes have access only to the resources they need to perform their function inside an organization. Combining PoLP with zero trust – especially around network segmentation – can help deliver the desired level of network security. Limiting the reach of any one network user by governing their access makes attacks such as those on Colonial Pipeline and KAERI more difficult to carry out. Limiting the ability of one user account to affect the whole network limits the effect a malicious actor can have on your network.
By auditing the systems in place to determine the minimum privilege necessary for each user, system, and process, organizations can apply the Principle of Least Privilege to each entity. Start by examining the organization's protocols from the perspective of an attacker to determine the points of interest most likely to be exploited. What privileges have we granted remote users? What access levels have they been granted? How much damage could a rogue user do with access to that account?
After answering these questions, enhancing the network with segmentation, implementing zero trust, and then enforcing the Principle of Least Privilege, organizations can lower the risk of significant attacks. It is crucial to keep monitoring these privileges over time to ensure a secure network for the enterprise.
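The audit questions above (what remote users have been granted, what access levels they hold, and how much damage one compromised account could do) can be answered mechanically from an entitlement inventory. The script below is an added example written for this article, not code from the author or from YouAttest; the role baselines, entitlement names, account records and the 90-day idle window are constructed assumptions. It compares each account's granted entitlements against its role baseline, flags entitlements that have not been used recently, and singles out remote-reachable accounts that hold high-impact rights, producing a list of findings for an access review.

```python
"""Least-privilege audit over a constructed entitlement inventory.

Hypothetical example: role baselines, entitlement names and accounts below
are constructed for illustration and are not from any real environment.
"""
from dataclasses import dataclass, field
from datetime import date

# Minimum entitlements each role needs to do its job (constructed assumption).
ROLE_BASELINES = {
    "operator": {"scada_view", "ticketing"},
    "engineer": {"scada_view", "scada_write", "ticketing", "git"},
    "contractor": {"ticketing"},
}

# Entitlements whose misuse reaches beyond one host or one user's own data.
HIGH_IMPACT = {"domain_admin", "scada_write", "backup_restore"}


@dataclass
class Account:
    name: str
    role: str
    remote_access: bool                                 # reachable over the VPN
    entitlements: set = field(default_factory=set)
    last_used: dict = field(default_factory=dict)       # entitlement -> last-use date


def excess_privileges(acct, baselines=ROLE_BASELINES):
    """Entitlements granted beyond what the account's role baseline needs."""
    return acct.entitlements - baselines.get(acct.role, set())


def stale_entitlements(acct, as_of, max_idle_days=90):
    """Entitlements not exercised within the window; never-used counts as stale."""
    stale = set()
    for ent in acct.entitlements:
        used = acct.last_used.get(ent)
        if used is None or (as_of - used).days > max_idle_days:
            stale.add(ent)
    return stale


def blast_radius(acct, high_impact=HIGH_IMPACT):
    """How many high-impact entitlements a compromised account could wield."""
    return len(acct.entitlements & high_impact)


def audit(accounts, as_of, baselines=ROLE_BASELINES):
    """Return (account, finding, detail) tuples for an access reviewer."""
    findings = []
    for acct in accounts:
        excess = excess_privileges(acct, baselines)
        if excess:
            findings.append((acct.name, "excess_privilege", sorted(excess)))
        stale = stale_entitlements(acct, as_of)
        if stale:
            findings.append((acct.name, "stale_entitlement", sorted(stale)))
        # A remote-reachable account with high-impact rights is exactly the
        # account a stolen VPN credential would hand to an attacker.
        if acct.remote_access and blast_radius(acct) > 0:
            findings.append((acct.name, "remote_high_impact",
                             sorted(acct.entitlements & HIGH_IMPACT)))
    return findings


# Constructed sample inventory (not real accounts) and review date.
AS_OF = date(2021, 6, 21)
SAMPLE_ACCOUNTS = [
    Account("alice", "engineer", remote_access=True,
            entitlements={"scada_view", "scada_write", "ticketing", "git"},
            last_used={"scada_view": date(2021, 6, 20), "scada_write": date(2021, 6, 18),
                       "ticketing": date(2021, 6, 21), "git": date(2021, 6, 21)}),
    Account("bob", "operator", remote_access=False,
            entitlements={"scada_view", "ticketing", "backup_restore"},
            last_used={"scada_view": date(2021, 6, 21), "ticketing": date(2021, 6, 19)}),
    Account("vendor01", "contractor", remote_access=True,
            entitlements={"ticketing", "domain_admin"},
            last_used={"ticketing": date(2021, 1, 5), "domain_admin": date(2021, 6, 10)}),
]


def run_sample_audit():
    """Run the audit over the constructed inventory."""
    return audit(SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for name, finding, detail in run_sample_audit():
        print(f"{name:10} {finding:20} {detail}")
```

On the sample data the audit reports bob's unused `backup_restore` right (outside the operator baseline and never exercised), the contractor account's `domain_admin` entitlement held over a remote connection, and alice's remote-reachable `scada_write` access. The last finding is not an excess privilege, since engineers need write access, but it is still a review item: a role can legitimately need a right while the organization decides that right should not be reachable over the VPN without additional controls. Rerunning the audit on a schedule is what turns a one-off cleanup into the ongoing monitoring the text calls for.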
About the Author
Garret Grajek, CISSP, CEH, is CEO of YouAttest. YouAttest is a cloud-based identity governance and administration (IGA) tool that automates both periodic and dynamically triggered access reviews for compliance and identity security. Garret can be reached online at ggrajek@youattest.com and at https://youattest.com/