The Colonial Pipeline attackers likely got in using old, compromised VPN credentials. This advice will force attackers to work much harder.
Every time I read about another attack, I am always interested in how the attackers gained initial access into the network. With the recent Colonial Pipeline attack, the initial access point was reportedly an old, unused, but still active VPN account. The password had been found on the dark web rather than obtained via phishing, implying that it had been leaked from another breach or reused by a Colonial employee. The VPN account did not have two-factor authentication (2FA) enabled, so the attacker only had to log in with the password.
This manner of attack made me consider my own network. Do I have remote access credentials that do not have 2FA? Are there other ways attackers could enter my network? Have I been lax in how I handle log-ins? Do I have old, unused accounts with weak passwords or, worse, passwords that can be found on underground websites?
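The "old, unused account" question is one you can answer directly from Active Directory. The following PowerShell is an added example, not part of the original article: it lists every enabled domain user that has not logged on in a configurable number of days (or never has) and flags those whose password never expires or is not required. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed and an account permitted to read user attributes; the 90-day threshold and the output path are arbitrary choices.

```powershell
# Added example (not from the original article): find enabled AD accounts that
# have gone unused. Assumes RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

$StaleAfterDays = 90                              # assumed policy threshold; adjust as needed
$Cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# LastLogonDate is computed from lastLogonTimestamp, which replicates with up to
# ~14 days of lag. That is fine for "has anyone used this in 90 days" but not for
# exact last-logon forensics; for that, query the non-replicated lastLogon on
# every domain controller.
$Props = 'LastLogonDate', 'PasswordLastSet', 'PasswordNeverExpires',
         'PasswordNotRequired', 'whenCreated'

$Stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties $Props |
    Where-Object {
        # Never logged on, or last logon before the cutoff ...
        ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff) -and
        # ... and not a brand-new account that simply has not been used yet
        $_.whenCreated -lt $Cutoff
    } |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate, PasswordLastSet,
                  PasswordNeverExpires, PasswordNotRequired

# Show the list, worst offenders first: stale AND a password that never expires
# or is not required at all is exactly the Colonial-style account.
$Stale |
    Sort-Object @{ Expression = { $_.PasswordNeverExpires -or $_.PasswordNotRequired }; Descending = $true },
                LastLogonDate |
    Format-Table SamAccountName, LastLogonDate, PasswordLastSet,
                 PasswordNeverExpires, PasswordNotRequired -AutoSize

# Keep a record for the account owners to review (path is an assumption).
$Stale | Export-Csv -Path .\stale-enabled-accounts.csv -NoTypeInformation

# After review, disable rather than delete so group memberships and SIDs are
# preserved for forensics. Run with -WhatIf first, then remove it.
# $Stale | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Two caveats a practitioner will want: service accounts that authenticate non-interactively still update lastLogonTimestamp, so they will appear active even if nobody owns them, and a VPN appliance that keeps its own local user database is invisible to this query and has to be audited on the appliance itself.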
These four tips will help eliminate easy attacker access to your Windows network.