How to manage and reduce secret sprawl
Secrets, or digital credentials, allow elements within an environment to communicate with a minimum level of privacy and security, unlocking access to systems, applications, and data critical to successful business operations.
These necessary and powerful code strings are widely distributed, but at the same time need to be protected and managed to maintain their integrity.
The problem with secrets
The set of secrets used in organizations has grown exponentially with the proliferation of mobile devices, applications, and cloud services.
The following are examples of secrets that organizations must use and protect:
- OAuth token
- API key
- Usernames/Passwords
- SSH/TLS Certificates
- Encryption and code signing keys
- machine identifiers
- Application Authenticators
The problem with secrets is that they are not secret. They are replicated and stored throughout an organization’s infrastructure. This is necessary; Secrets must be available and distributed between applications and devices to enable communication. However, this usage can mean storing multiple copies of a secret randomly — and haphazardly. Secrets can also be hardcoded into apps and devices, making them insecure.
The erratic and unrestrained nature of clandestine proliferation creates what is known as secret spread.
How attackers get secrets
Secret proliferation makes secret control and visibility difficult. It also greatly expands an organization’s attack surface, giving attackers multiple avenues to discover and exploit an active secret.
Since secrets are an entry point into applications and devices, they are coveted by cybercriminals. Cyber breach studies regularly report that compromised credentials facilitate security breaches. Why would attackers break down a door when they can unlock it?
Attackers can obtain secrets through a variety of methods. One way is to collect them from publicly available repositories. Secrets hard-coded into applications and devices can also be found online – for example in rainbow tables. Malicious actors can also use a technique known as Google Dorking to reveal usernames, passwords, and SSH keys. In addition, many secrets consist of a random string of defined length, which makes it possible to find them in the software code.
The exploitation of secrets is not theoretical. A notorious example is the Mirai malware. Mirai scanned networks for specific IoT devices that it could log into with known default usernames and passwords. After logging in, it added the infected device to a botnet to be used for DDoS attacks. In another example, researchers from DataBreaches.net found the records of 150,000 to 200,000 patients from nine healthcare organizations in GitHub repositories.
The bottom line is that secretive sprawl is a major vulnerability for businesses.
How to control secret sprawl
There is no easy way to gain visibility and control over secrets. However, organizations can implement some measures to reduce the expanded attack surface.
The first step is to gain insight into the secrets that attackers might have at their disposal. For example, use the open source tool TruffleHog to discover keys in JavaScript or cross-origin resource sharing settings in APIs.
Remind employees to create secrets to protect them and keep them private. Organizations can complement these cybersecurity awareness efforts by enforcing a zero-secrets-in-code policy. Developers need the tools to implement this.
Finally, you have a central place that can manage all aspects of the secret lifecycle. Specific measures should include the following steps:
- Carry out an inventory of all secrets and secret connections.
- Manage secret associations to ensure access is within policy.
- Document what each secret is used for, why it was created, and who owns it.
- Update, review, renew, and remove secrets regularly.
- Centralize and limit authorization to create secrets.
Specialized secret manager programs can centralize credential security, manage secret lifecycle activities, and provide user information about who has access to each secret.
Gaining control over secrets greatly improves overall security while promoting continued business activity.