Cybersecurity: Lost Your Keys?

Cybersecurity: Lost Your Keys?

From time to time we all lose our keys. The solution for physical keys is simple – find the spare set and head down to your local hardware store so they can make you a new set. The only time you have to worry about re-keying is when there isn’t a spare set. None of this is a huge deal, because what are the chances that whoever finds your lost key will try it in enough locks to miraculously find your door?


But what if your keys are stolen? And what if they were stolen from a third party with whom you’d shared them? Then things get a little more complicated as you may have to change the locks. It’s an inconvenience for sure, but not a catastrophe.


In the cyber world these scenarios differ in one important way: in the case of theft the culprit may well know what door – or in the digital space, what services – can be accessed with those keys. Your risk increases further when the stolen keys came from a trusted third party that offers the very services the keys are used to access.


When this happens you must re-key. In some situations, re-keying might be as simple as changing a user’s password or re-generating an API secret key. Then you update the places where those authentication items are used. In other cases, though, there may be hundreds of users or services utilizing the stolen API key, making the update process a far more tedious one.


In these complicated situations, where there’s a time delay involved in re-keying, you should consider these additional monitoring steps:


  • Place extra scrutiny on all successful authentication events:
    • Who is the user or service?
    • Does this user or service typically access the third-party service?
    • Where is this user or service located?
    • Is the user or service operating during standard working hours?
  • Enforce multi-factor authentication for password-based access
  • Turn off all unused API endpoints
  • Restrict access to used API endpoints by known sources
  • Subscribe to monitoring services that identify if batches of stolen credentials are for sale


When the inevitable happens


It’s a given that from time-to-time service providers will lose our keys, so what can we do to pre-empt and limit the impact? Consider:


  • Require multi-factor authentication for password-based access
  • Enforce additional authentication challenges for any suspicious access
  • Automate key rotation
  • Enforce privilege access management for privileged accounts


These sorts of breaches are annoying under the best of circumstances (and catastrophic in the worst), but the good news is there are tried and true ways of mitigating the damage.


If you have questions, give us a call.