Too Much Access Is Your Kubernetes Achilles Heel
Target. It’s 2013, and Target is a big Microsoft customer, using Azure and other services from Redmond with a very detailed case study online. An attacker realizes that with its 300-person security team, Target might not make the best (ahem) target for a direct hit.
Instead, the attacker focuses attention on a partner company, a heating, ventilation and air conditioning (HVAC) repair company, and phishes one of its employees into giving up login details. The attacker used the opportunity to place a Trojan in the Target system, according to Matt Williams, a developer and technology evangelist at the open source identity management and access company Infra.
“This repair HVAC company employee can log into the same Target systems and have access potentially to a lot of other great juicy information,” Williams told the audience at last week’s Civo Navigate conference. “They started looking at all the records and started collecting everything.”
Security was alerted to the problem but, alas, they had turned off automated fixes, since they believed a person should be involved in the situation, Williams said.
“These hackers were able to spend some quality time skimming credit cards and all sorts of other information from the network,” he said. “They grabbed about 11 gigabytes of data over the course of two weeks — two weeks they were in there! … And that resulted in about 40 million credit cards, debit cards and information on 70 million customers all grabbed by these hackers.”
All told, the attack cost Target an estimated $291 million, he added. The CIO resigned, 90-plus lawsuits were filed, and, since news of the attack became public at Christmas, sales fell.
Marriott. It’s 2018, and the hotel chain has just completed a merger with Starwood properties, which included hotels such as Western, Sheraton, Westin, W and St. Regis. A user account within Marriott was compromised, and personal information, including credit card data, was stolen over the course of four years before the attack was discovered. The attackers had nearly admin-like access to everything, Williams said.
“Hundreds of millions of customer records were lost,” Williams said. “Apparently, the breach actually happened and was continuously being taken advantage of in 2014…. That’s four years they were in there, grabbing stuff.”
‘Don’t Give Cluster Admin Access to Everyone or Anyone’
Both cases show what can happen when IT is lax about access permissions, and that’s a particular challenge with Kubernetes, where the cluster admin role has carte blanche over the whole cluster.
“You can do anything you want. You can change secrets. You can delete nodes. You can delete clusters. There’s no limit to what you can do with this,” Williams said. “You can just wreak havoc. It’s awesome and terrible.”
His solution: Don’t give cluster admin access to everyone, or really anyone.
“I know it’s easy to take that group config file, just share with all your friends and give everybody access,” he said.
Often it happens because developers are trying to deploy quickly and skip setting proper permissions. They may fully intend to lock down access later. They just don’t.
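The first check that follows from Williams’ advice is simply to find out who already holds cluster-admin. The script below is an added example, not code from the talk or from Infra. It reads the JSON that `kubectl get clusterrolebindings,rolebindings -A -o json` prints and lists every subject bound to the cluster-admin ClusterRole, separating cluster-wide grants from namespaced RoleBindings (which confer full admin only inside one namespace). The embedded input is a constructed sample with hypothetical names, trimmed to the fields the script uses, so it runs offline; the kube-apiserver’s own `system:masters` bootstrap binding is skipped by default because it is expected.

```python
"""Audit Kubernetes RBAC for cluster-admin grants (added example, not from the article)."""
import json

# Constructed sample: the shape of `kubectl get clusterrolebindings,rolebindings -A -o json`
# for a small cluster. All names are hypothetical; only fields the audit reads are present.
SAMPLE_BINDINGS = json.dumps({
    "kind": "List",
    "items": [
        {   # the bootstrap binding every cluster has: system:masters -> cluster-admin
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "cluster-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "system:masters"}],
        },
        {   # the "share the admin kubeconfig with everyone" problem, expressed as RBAC
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "devs-are-admins"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "developers"},
                         {"kind": "User", "name": "vendor-contractor"}],
        },
        {   # RoleBinding to cluster-admin: full power, but confined to the "ci" namespace
            "kind": "RoleBinding",
            "metadata": {"name": "ci-admin", "namespace": "ci"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "runner", "namespace": "ci"}],
        },
        {   # least privilege: read-only "view" role in a single namespace
            "kind": "RoleBinding",
            "metadata": {"name": "viewers", "namespace": "shop"},
            "roleRef": {"kind": "ClusterRole", "name": "view"},
            "subjects": [{"kind": "User", "name": "alice"}],
        },
    ],
})

ADMIN_ROLES = {"cluster-admin"}          # extend if you define your own all-powerful roles
BOOTSTRAP_SUBJECT = "Group:system:masters"


def subject_id(subject):
    """Render a subject as kind:name, or kind:namespace/name for service accounts."""
    if subject.get("kind") == "ServiceAccount":
        return f"ServiceAccount:{subject.get('namespace', '')}/{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def find_admin_grants(bindings_json, ignore_bootstrap=True):
    """Return sorted (scope, subject, binding_name) tuples for every cluster-admin grant.

    scope is "cluster" for a ClusterRoleBinding or the namespace for a RoleBinding.
    """
    doc = json.loads(bindings_json)
    grants = []
    for binding in doc.get("items", []):
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in ADMIN_ROLES:
            continue
        if binding["kind"] == "ClusterRoleBinding":
            scope = "cluster"
        else:
            scope = binding["metadata"].get("namespace", "default")
        for subject in binding.get("subjects", []):
            sid = subject_id(subject)
            if ignore_bootstrap and sid == BOOTSTRAP_SUBJECT:
                continue
            grants.append((scope, sid, binding["metadata"]["name"]))
    return sorted(grants)


def cluster_wide_admins(bindings_json):
    """Only the subjects holding unrestricted, cluster-wide admin: the list to shrink first."""
    return sorted({sid for scope, sid, _ in find_admin_grants(bindings_json) if scope == "cluster"})


if __name__ == "__main__":
    for scope, sid, name in find_admin_grants(SAMPLE_BINDINGS):
        print(f"[{scope}] {sid} via binding {name}")
```

Run against a real cluster by replacing `SAMPLE_BINDINGS` with the file from `kubectl get clusterrolebindings,rolebindings -A -o json > bindings.json`. Group subjects deserve the closest look: a group bound to cluster-admin gives every present and future member of that group the carte blanche Williams describes, with no per-person decision ever made.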
“There is an article in Security Magazine that talks about what’s the cost of breaches these days; and in ’20-21, the average cost was $4.24 million,” he said. “That’s a lot less than the $300 million we saw for either Target or Marriott, but still, it’s a lot of money.”
The average time to detect a breach is 212 days, and containing it takes almost another year, 286 days on average, so 498 days on average from breach to containment, he said. Meanwhile, the likelihood of a detected breach being prosecuted is 0.05%, meaning attackers face little risk for trying but stand to gain a major payout, either through theft or ransom.
Infra: An Open Source Tool
Williams walked the audience through the seven onerous steps needed to set up proper permissions by hand. Every user in Kubernetes requires a certificate, and at a large company you can spend all your time sending out permissions to users.
He then demoed how the free and open source tool Infra can be used to automate and manage the authentication process. It uses drop-down menus and a more intuitive user interface. It can also remove access from users.
“If I realized that [this person is] an idiot, and we should get rid of him, then I remove access,” he said, adding that “you have the same option for your SSH as well.”
Civo paid for Loraine Lawson’s travel and accommodations to attend the conference.