Lessons in cybersecurity from the Internet Archive Breaches

Representational image of data security
(Image credit: Kingston)

It’s getting harder for organizations to identify the extent of damage incurred from a cyberattack – after the initial shock wave of panic anyway. You don’t want it to be difficult to trace the origins of an attack when the frequency of breaches is as rampant as it is today. Data breaches are more of an eventuality than a possibility.

Ask CISO heads how long it takes them to identify the blast radius of a breach, and the average response you’ll get is, at best, ‘hours.’ But ‘hours’ isn’t fast enough today. Just a single hour is all it takes for an attacker to pivot across infrastructure to access highly sensitive resources.

If the repeated Internet Archive breaches taught us anything, it’s how damaging exposure of the wrong information can be. Hackers used exposed access tokens from previous incidents to penetrate the organization’s Zendesk implementation. These API keys, left static since the original breach, provided hackers with easy access to over 800,000 support tickets. To add insult to injury, the hackers started replying to old support tickets criticizing the Internet Archive for failing to rotate these keys.

Unfortunately, the number of times we keep seeing these incidents is a symptom of how complex IT infrastructure has become. Finding out who breached your data, where, and how is often headache-inducing. This largely stems from how extremely fragmented identity silos have become, and the pile of identities needing management just keeps growing bigger. But there’s also the fact that access relationships between resources are also fragmented. This fragmentation of access and security models makes organizations vulnerable to human error.

What would fix this? A new cybersecurity paradigm – one without static credentials, eliminating the attack surface targeted by threat actors. Companies can further harden their security by shifting their access model from role-based authentication to attribute-based authentication.

Ev Kontsevoy

CEO for Teleport.

The complexity of identity management

Microsoft’s recent report identified over 600 million identity attacks in its 2024 fiscal year alone. If you’re wondering why that number is so high, it’s because humans make it easy. We leave credentials like passwords, browser cookies, and API keys lying around in the most obvious places. Further, long-lived, stale privileges allow a bad actor to pivot from their initial breach to other destinations on a network.

This makes it only a matter of time before a user inadvertently reveals too much information or prior credentials. Hackers are ready to pounce on these mistakes. We saw this happen with the initial Internet Archive breach, where an exposed GitLab configuration file contained an authentication token that enabled hackers to download the Internet Archive’s source code, which included additional credentials.

It also doesn’t help that access is often managed in completely different ways across Kubernetes clusters, cloud APIs, IoT devices, databases, etc. The silos emerging from this approach obstruct the ability to revoke access to compromised data, or to figure out who had access to what data in the first place.

If we want to begin to thwart cyberattacks, then step one to reducing the attack surface and blast radius has to be to remove all static credentials like passwords, as well as standing privileges. Our industry needs to shift to a mindset of securing identities cryptographically based on physical-world attributes that cannot be stolen (like biometric authentication). Additionally, access should only ever be enforced based on ephemeral privileges that are granted only for the period of time that work needs to be completed. Above all, companies shouldn’t treat identity management, policy governance, and access control as distinct endeavors. They are all interconnected.

Not everyone needs access, and they don’t need it anywhere, anytime

Traditionally, a lot of emphasis has been placed on assigning permissions to users based on their role within an organization – role-based authentication (RBAC). For cybersecurity models to modernize, however, there’s more companies can do to harden access controls, and one way is to ensure that resource access only ever takes place in an appropriate context.

Attribute-based authentication (ABAC) is how we get there, effectively setting very granular requirements for when someone can access a resource.

Imagine you have a database table housing sensitive data. Yes, you can grant access to employees with a certain job title – “Senior IT manager” – but there are other factors you should weigh for whether or not someone should gain access:

Where is the employee? Are they in the office? Or are they in Hawaii?

What device are they on? Are they using a work laptop, a phone, a tablet, or something else?

What time is it? Do they really need access to a resource when it’s in production?

The goal of this mindset is to give organizations the freedom to say things like, “all senior programmers trying to access database table X have to be in Milwaukee between 1pm and 3pm.” You’ve now effectively shut down the ability for anyone to access this database if they don’t fulfill these select requirements. No more access for the random guy drinking a slurpee in Hawaii.

Everyone should be able to govern on attributes when granting access to users, as opposed to granting access to anyone inside ‘the network.’ The mindset should be ‘locked by default’. That’s imperative to reducing the attack surface.

We've featured the best endpoint protection software.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Ev Kontsevoy, CEO, Teleport.