In mid-December, SolarWinds disclosed that the company had experienced a highly sophisticated, manual supply chain attack on versions of the Orion network monitoring product released between March and June 2020. The company shared that the attack was most likely conducted by foreign hackers and was intended to be a narrow, remarkably targeted, and manually executed attack. A FireEye blog post states that the hackers managed to gain access to a huge number of public and private organizations through trojanized updates to SolarWinds’ Orion software. During the following weeks, it was revealed that the victims include highly reputable companies and institutions like Microsoft, the US Treasury Department, and the US Department of Commerce’s National Telecommunications. Even Google was suspected to be among the victims, which the industry leader still denies to this day.
How the Security Breach Happened
According to Dan Goodin from Ars Technica, the hackers behind the supply chain attack that compromised public and private organizations devised a smart way to bypass the multi-factor authentication systems protecting the networks they targeted.
After gaining administrator privileges on the infected network, the hackers used those unfettered rights to steal a Duo secret known as an akey from a server running Outlook Web App, which enterprises use to provide account authentication for various network services. The hackers then used the akey to generate a cookie, so that whoever already held a valid username and password had it ready to take over the account without being stopped by the second factor.
Infrastructure Managers in Search of a Solution
While all media were paying attention to the news and the ongoing investigation of how this happened, tech experts and system engineers started to think about how to prevent another situation of this kind from affecting their organization. Nowadays, infrastructure managers seek an easy way to manage a constantly growing IT environment. Implementing a smart monitoring solution that provides both monitoring and automation capabilities is an easy and useful answer. On the other hand, the risk can sometimes be more severe than it looks. When using a monitoring and automation tool, you need to give this software full admin rights so it can perform its automation jobs: patch management, config backups, and so on.
The paradox here is that usually only a few people within an organization have full admin rights to the whole infrastructure, precisely because of the security risks and the best practices that apply. On the other hand, companies are willing to give full access rights to the software. This also means that everybody who has access to this software effectively has full admin rights to the infrastructure.
Besides, by giving software full access to your systems, you dramatically increase the security risk for them, which can lead to compromised data, loss of data, financial problems, and loss of customers.
Why You Need to Choose Read-Only Monitoring Solutions
When implementing a read-only monitoring service, you restrict the software’s access to the systems it manages, which also decreases the risk that people with access to the software can affect the whole environment. If a monitoring solution with full rights gets hacked, your whole system is hacked and at risk. This is a great problem especially for banks and financial institutions, companies that deal with sensitive data, and all cloud builders in general. When you restrict the level of access and permissions for software, you also protect your system from attacks, data loss, and all kinds of security problems.
VirtualMetric is designed to work with read-only rights only, delivering the full user experience and collecting all of its data with that access alone. We recommend that our customers also take the following actions to ensure a high level of security:
- Separate the monitoring system from the automation system – these two must always be separated, on different servers and networks. If you want to do automation, you can integrate your monitoring system with the automation system: the monitoring system sends automation tasks and requests to the automation system, and the automation system performs the needed actions. In this way, you restrict the levels of access and improve your security. If you do not do any automation at all, you do not need to give the monitoring software full access in the first place.
- Always separate the monitoring users – always create a dedicated monitoring user for each product, then grant only the access that user needs, so its privileges stay limited.
- Automation server security tightening – rather than relying on a centralized automation server as it comes, tighten the automation system’s security: add auditing, or use open-source tools like Ansible so that you can run security checks on the source code and minimize the risk.
- Do not rely on the monitoring product for everything – according to Yusuf Ozturk, Co-Founder and Chief Software Architect of VirtualMetric, monitoring and automation should always be separated. This is the first and most significant step in limiting privileges. For the automation, you can implement open-source tools, which will improve security.
“In many companies, people are still using full admin accounts for their monitoring systems. This should never be allowed. You should always create a separate user with read-only privileges,” said Yusuf Ozturk.
“In VirtualMetric, giving admin rights to the monitoring is optional and not needed for the majority of use cases. We want to guarantee that the monitoring user will not make any critical changes to the system and will not be the reason for security breaches. We understand that some products do not allow you to use a read-only option, and these products will always present a security risk. For this reason, you need to think carefully when you select a monitoring solution.”
VirtualMetric tech experts recommend always checking how a monitoring solution works before implementing it. Be careful if the product also does automation, and consider what the impact of that may be. Implement an agentless solution: in most cases, an agent runs with system access, which basically means full access. With an agentless solution, you configure the remote access privileges yourself and can block specific actions at the firewall level. We also recommend regular audits of your monitoring solution and of the system as a whole. Invest your time in prevention, not in dealing with security breaches.
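Putting the dedicated read-only monitoring user and the firewall-level restriction from the points above into practice, as an added example that is not VirtualMetric’s own code: it assumes a Windows Server 2016 or later host monitored agentlessly over WinRM, a constructed account name `vm-monitor`, and a placeholder collector address `10.0.0.5`. The built-in groups used are an assumption about what read-only collection needs, not a documented VirtualMetric requirement.

```powershell
# Added example (not VirtualMetric's code). Run elevated on the monitored host.
# Assumptions: agentless collection over WinRM; "vm-monitor" and 10.0.0.5 are
# constructed placeholder values, replace them with your own.
$userName    = 'vm-monitor'
$collectorIp = '10.0.0.5'
$password    = Read-Host -Prompt "Password for $userName" -AsSecureString

# 1. A dedicated local account for this one product: never reuse an admin login.
if (-not (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $userName -Password $password `
        -Description 'Read-only monitoring account' -UserMayNotChangePassword
}

# 2. Read-only capability through built-in groups instead of Administrators:
#    performance counters, event logs and WinRM access, none of which allows
#    configuration changes. (WMI namespace read permission for non-admins is
#    granted separately via wmimgmt.msc and is not covered here.)
$readOnlyGroups = 'Performance Monitor Users', 'Event Log Readers', 'Remote Management Users'
foreach ($group in $readOnlyGroups) {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    if (-not ($members.Name -like "*\$userName")) {
        Add-LocalGroupMember -Group $group -Member $userName
    }
}

# 3. Firewall-level restriction: WinRM (TCP 5985/5986) only from the collector,
#    so a compromised monitoring credential is useless from any other source.
$ruleName = 'Monitoring WinRM from collector only'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 5985,5986 -RemoteAddress $collectorIp -Action Allow
}

# 4. Audit step for the regular review: warn if any monitoring-style account
#    ended up with full admin rights on this host.
$admins     = (Get-LocalGroupMember -Group 'Administrators').Name
$violations = $admins | Where-Object { $_ -like '*\*monitor*' }
if ($violations) {
    Write-Warning "Monitoring accounts with full admin rights: $($violations -join ', ')"
} else {
    Write-Output 'OK: no monitoring account is a member of Administrators'
}
```

Step 4 can be run on its own from a scheduled task across hosts to catch accounts that drift back into the Administrators group.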