The GoDaddy Data Breach shows businesses of all sizes the importance of more powerful authentication and secure shell (SSH) key management. We spoke with several cybersecurity experts to learn more about what organizations can learn from this cyber incident.
Web-hosting and domain name registrar GoDaddy discovered a data breach which occurred in October 2019; the company detected the security incident in April. BleepingComputer first broke the story.
According to the company, an “unauthorized individual” gained access to users’ login details to connect to SSH. However, GoDaddy said the breach only affected hosting accounts rather than customer accounts. Further, the intruder did not access customer data, and the breach affected less than 30,000 users.
On the surface, this appears a minor breach in the grand scheme of digital attacks. However, it highlights fundamental truths about cybersecurity and identity management which some enterprises struggle to grasp. First, it shows that regardless of size, your business remains vulnerable to cyberattacks. Second, the GoDaddy Data Breach shows the perils of using inadequate authentication protocols to protect data. Third, the breach serves as an example of how dangerous a lack of security visibility can be to your business’ reputation, both in the short and long term.
Additionally, it provides a lesson in Secure Shell Keys (SSH); SSH protocols are used to log in remotely from one system to another. By providing strong encryptions, it allows for the secure issuing of commands remotely and remote management. The SSH keys allow access to this encrypted connection.
We turned to the cybersecurity experts to learn more.
The GoDaddy Breach: Expert Commentary
Chris DeRamus is Vice President of Technology, Cloud Security Practice, at Rapid7.
“Unauthorized access is a popular culprit behind many data breaches, and this isn’t GoDaddy’s first security issue involving compromised accounts. According to a Ponemon survey, 59 percent of IT security respondents say customer accounts have been subject to an account takeover. Customers put their trust in companies by allowing them to collect and store their information. To keep that trust, organizations must be proactive in ensuring that their data is protected with adequate security controls and a robust identity management strategy.”
“To protect data, organizations must follow the principle of least-privileged access in provisioning identity access management (IAM) permissions, by providing checks to restrict identities from being able to do more than they are supposed to and implement multi-factor authentication (MFA) for all users. By leveraging MFA, an account is 99.9% less likely to be compromised. Additionally, organizations must securely manage service accounts and their corresponding keys, and enforce best practices for the use of audit logs and cloud logging roles.”
Anurag Kahol is CTO of Bitglass.
“This security incident impacting GoDaddy customers underscores why organizations need to have full visibility and control over their data. While the web hosting giant confirmed that the breach only affected hosting accounts and not customer accounts or the personal information stored within them, hackers can still leverage the database of login credentials and commit account takeover.”
“According to Verizon, 80 percent of hacking-related breaches involve compromised or weak login credentials. 29 percent of all breaches, regardless of attack type, involve the use of stolen credentials. While it’s ill-advised, people commonly reuse passwords across multiple accounts, meaning attackers can potentially gain access to a number of accounts across multiple services that a victim uses to gather more sensitive information and leverage the data for financial fraud or identity theft for years to come.”
“Additionally, this incident comes just two years after GoDaddy had its cloud configuration information exposed after an Amazon employee left an AWS S3 bucket open. The very different nature of these two security incidents underscores the importance of the shared responsibility model when it comes to the cloud.”
“To prevent similar incidents and thwart unauthorized access to customer information, organizations must leverage multi-faceted solutions that enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage. Organizations must also authenticate their users to validate who they are, before granting them access to their systems. Fortunately, multi-factor authentication (MFA) and user and entity behavior analytics (UEBA) are tools that can help companies protect their data.”
James Carder is CSO and Vice President of LogRhythm Labs.
“It is astonishing that GoDaddy was unable to detect unauthorized access to SSH account credentials for about eight months. With this particular incident, there are further unknowns such as whether sensitive files were exfiltrated from the accounts, and exactly how many accounts from GoDaddy’s hosting environment were compromised.”
“The GoDaddy data breach showcases how so many large enterprises still lack a comprehensive approach to detecting and combating threats. It is easy to assume that GoDaddy, as the world’s largest domain registrar, would have proper security in place to prevent, detect, and respond to these types of threats. GoDaddy should have had stricter SSH security measures in place rather than just a simple username and password.”
“Strong SSH key management is critical in protecting internet-accessible SSH. In this case, fundamental controls for properly securing and managing SSH should have been implemented. It is important to ensure that SSH keys are associated with an individual user and are continuously rotated. Additionally, the principle of least privilege should be utilized for the account authorized to SSH and an organization should conduct thorough auditing and monitoring of all privileged sessions and key usage.”
“If such controls were implemented, then the likelihood that GoDaddy would have suffered a breach, leveraging stolen or acquired username and passwords, would have been minimal. Of course, no incident is 100 percent preventable, yet, this particular breach reflects how GoDaddy overlooked simple security controls and left low hanging fruit for the attacker to exploit.”
Thanks to our cybersecurity experts for their time and expertise. Learn more about preventing these kinds of attacks in our Identity Management Buyer’s Guide.