How to manage and reduce secrets sprawl
Secrets, or digital credentials, allow the components of an environment to communicate with a degree of privacy and security, and they unlock access to the systems, applications and data that business operations depend on.
These necessary and powerful strings are widely shared, yet at the same time they must be protected and managed to preserve their integrity.
The problem with secrets
The volume of secrets used in organizations has grown exponentially with the proliferation of mobile devices, applications and cloud services.
The following are examples of secrets organizations use and must protect:
- OAuth tokens
- API keys
- usernames and passwords
- SSH/TLS certificates
- encryption and code signing keys
- machine identifiers
- application authentication
The problem with secrets is that they aren't secret. They are replicated and stored throughout the company's infrastructure. This is out of necessity: secrets must be available to, and distributed between, applications and devices to enable communication. In practice, however, that means multiple copies of a secret end up stored haphazardly and insecurely, with little record of where they reside. Secrets can also be hardcoded into apps and devices, which leaves them exposed.
The irregular, uncontrolled spread of secrets across an environment is known as secrets sprawl.
How attackers get secrets
Secret sprawl makes it difficult to maintain control and visibility of secrets. It also significantly expands an organization’s attack surface, giving attackers more opportunities to discover an active secret and exploit it.
Given that secrets are an entry point into applications and devices, cybercriminals covet them. Studies of cyber breaches consistently report that compromised credentials facilitate breaches. Why would attackers break down a door when they can unlock it?
Attackers can acquire secrets in several ways. One is to harvest them from publicly available repositories. Secrets hardcoded into applications and devices can also be found online, for example in rainbow tables. Malicious actors can also use a technique known as Google dorking to uncover usernames, passwords and SSH keys. Additionally, many secrets consist of a random string of characters of a defined length, which makes it possible to locate them in source code by pattern matching.
The exploitation of secrets is not theoretical. A notorious example is the Mirai malware. Mirai scanned networks for specific IoT devices it could log into with known default usernames and passwords. Once logged in, it added the infected device to a botnet to be used in DDoS attacks. In another example, DataBreaches.net researchers found the records of 150,000 to 200,000 patients from nine health-related organizations in GitHub repositories.
The bottom line is that secret sprawl is a major vulnerability for businesses.
How to control secret sprawl
There is no easy solution to gaining visibility and control over secrets. However, organizations can implement some actions to reduce the expanded attack surface.
Remind employees who create secrets to protect them and not to make them publicly available. Organizations can supplement these security awareness efforts by enforcing a zero-secrets-in-code policy, and developers need tooling to implement it.
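The same property that lets an attacker spot a credential in code (a fixed-length, high-entropy string, as described above) lets a repository owner catch it before it is committed. The scanner below is an added example, not code from the original article or from any named product; it assumes a pre-commit or CI context where source text is available, and its length and entropy thresholds (16/32 characters, 3.0/4.5 bits per character), keyword list and sample source file are all constructed for illustration. It reports where a candidate secret sits without echoing the full value.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Candidate tokens: a run of base64/hex/URL-safe characters at least 16 long.
# Quotes and dots are excluded, so string literals and attribute paths split.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{16,}")
HEX_RE = re.compile(r"[0-9a-fA-F]+")
# Variable names that hint a line holds a credential (assumed keyword list).
KEYWORD_RE = re.compile(r"(?i)(secret|token|passw(or)?d|api[_-]?key|private[_-]?key)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    token: str
    entropy: float      # bits per character, rounded to two places
    keyword_hint: bool  # True when the line also names a credential


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the token's own symbol frequencies."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(tok: str, keyword_hint: bool) -> tuple[bool, float]:
    """Apply charset-aware thresholds (assumed values, tuned to cut false positives).

    Hex strings can never exceed 4 bits/char, so they get a lower bar than
    base64-like strings; a credential-named variable lowers the bar further.
    """
    ent = shannon_entropy(tok)
    if keyword_hint and len(tok) >= 16:
        return ent >= 3.0, ent
    if HEX_RE.fullmatch(tok) and len(tok) >= 32:
        return ent >= 3.0, ent
    return len(tok) >= 32 and ent >= 4.5, ent


def scan_source(text: str) -> list[Finding]:
    """Return one Finding per suspicious token, with its 1-based line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hint = KEYWORD_RE.search(line) is not None
        for match in TOKEN_RE.finditer(line):
            tok = match.group(0)
            flagged, ent = looks_like_secret(tok, hint)
            if flagged:
                findings.append(Finding(line_no, tok, round(ent, 2), hint))
    return findings


def redact(tok: str) -> str:
    """Show only a prefix so the report itself does not spread the secret."""
    return f"{tok[:4]}...({len(tok)} chars)"


# Constructed sample source file; every credential in it is fabricated.
SAMPLE_SOURCE = """\
# constructed sample source file; every credential below is fabricated
import os
DB_HOST = "db.internal.example"
api_key = "Zq8vT2xLpN5mR9bY4cWk7dH3jF6sA1gU"
password = os.environ["DB_PASSWORD"]
handler = configuration_manager_instance_factory()
SEED_HEX = "3f9a7c1e5b2d8e4f6a0c9b7d2e1f5a8c4b6d0e3f"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        flag = "named credential" if f.keyword_hint else "high-entropy literal"
        print(f"line {f.line_no}: {redact(f.token)} entropy={f.entropy} [{flag}]")
```

Run against the constructed file, the scanner flags line 4 (a 32-character literal assigned to `api_key`) and line 7 (a 40-character hex literal), while leaving alone the `os.environ` lookup, which is the pattern a zero-secrets-in-code policy wants, and the long identifier on line 6, whose entropy is that of English words rather than random bytes. Two caveats for anyone wiring this into CI: short human-chosen passwords carry too little entropy to trip an entropy rule and need keyword-only checks, and pinned hashes or checksums look exactly like hex keys, so expect to maintain an allow-list.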
Finally, have a central location that can handle all aspects of the secret life cycle. Specific actions should include the following steps:
- Take stock of all secrets and of the systems and identities each one is associated with.
- Manage secret permissions to ensure access is within policy.
- Document what each secret is used for, why it was created, and who owns it.
- Update, review, renew and remove secrets regularly.
- Centralize and limit authorization to create secrets.
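The inventory, documentation, rotation and access steps above become checkable once each secret has a record. The audit below is an added example, not code from the original article or from any secret manager product; the `SecretRecord` fields, the 90-day rotation limit, the allowed-consumer policy table and the three sample records are all constructed assumptions standing in for what a central secrets store would export.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed policy: every secret is rotated at least this often.
MAX_ROTATION_AGE_DAYS = 90


@dataclass(frozen=True)
class SecretRecord:
    """One entry in a central secrets inventory (field set is an assumption)."""
    name: str
    purpose: str
    owner: str | None
    created: date
    last_rotated: date
    consumers: frozenset[str]  # identities currently allowed to read the secret


def audit_inventory(
    records: list[SecretRecord],
    allowed_consumers: dict[str, set[str]],
    today: date,
) -> dict[str, list[str]]:
    """Return {secret name: [policy violations]} for every record with a problem.

    Checks map directly to the life-cycle steps: documented purpose and owner,
    rotation within the policy window, and access confined to the allow-list.
    """
    report: dict[str, list[str]] = {}
    for rec in records:
        issues: list[str] = []
        if not rec.owner:
            issues.append("no owner recorded")
        if not rec.purpose.strip():
            issues.append("purpose not documented")
        age = (today - rec.last_rotated).days
        if age > MAX_ROTATION_AGE_DAYS:
            issues.append(f"rotation overdue by {age - MAX_ROTATION_AGE_DAYS} days")
        # Consumers not on the allow-list are access outside policy.
        extra = rec.consumers - allowed_consumers.get(rec.name, set())
        if extra:
            issues.append("access outside policy: " + ", ".join(sorted(extra)))
        if issues:
            report[rec.name] = issues
    return report


# Constructed sample inventory and policy table.
ALLOWED = {
    "billing-db-password": {"billing-api"},
    "payments-webhook-token": {"payments-worker"},
    "ci-deploy-ssh-key": {"ci-runner"},
}

SAMPLE_RECORDS = [
    SecretRecord("billing-db-password", "billing-api reads the billing database",
                 "team-billing", date(2024, 1, 10), date(2024, 5, 2),
                 frozenset({"billing-api"})),
    SecretRecord("payments-webhook-token", "", None,
                 date(2023, 3, 1), date(2023, 3, 1),
                 frozenset({"payments-worker"})),
    SecretRecord("ci-deploy-ssh-key", "CI pushes release artifacts",
                 "team-platform", date(2024, 4, 15), date(2024, 4, 15),
                 frozenset({"ci-runner", "dev-laptop-42"})),
]

AUDIT_DATE = date(2024, 6, 1)  # constructed "today" so results are reproducible

if __name__ == "__main__":
    for name, issues in audit_inventory(SAMPLE_RECORDS, ALLOWED, AUDIT_DATE).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

On the constructed data the billing password passes every check, the webhook token has no owner, no documented purpose and is long past its rotation window, and the deploy key is readable by an identity the policy never granted. Running such an audit on a schedule turns the list of recommendations into a recurring report rather than a one-time clean-up.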
Specialized secret manager programs can centralize credential security, manage secret life-cycle activities, and report who has access to each secret.
Gaining control over secrets significantly improves overall security while promoting continuous business operations.