Houston Astros Hack a Lesson in Modern Access Control

August 28, 2016

Details are still emerging on the murky hacking scandal involving Major League Baseball’s Houston Astros and St. Louis Cardinals. What is clear: the Houston Astros proprietary “Ground Control” database was breached by members of the St. Louis Cardinals front office. The Ground Control database contains a wealth of data around baseball scouting, medical records and statistical analysis. The New York Times originally reported the hack, additional reports since have suggested that the credentials of a senior Astros executive, General Manager John Luhnow, were used to access the database. Luhnow joined the Astros in 2011 as General Manager after departing the Cardinals, where he served as Vice President of Scouting and Player Development. The attackers allegedly stole Luhnow’s credentials by inspecting internal Cardinals systems, and using them to log into the Astros network. If this report proves true, Lunhow broke the sacred rule of "don’t reuse passwords.” However, the Cardinals and Astros failed the way that many organizations do, by allowing password only access and in the case of the Cardinals, by not respecting the tenets of least privilege access control, and ignoring to the vital process of user deprovisioning.
Passwords, quite simply, should not be used as the sole means of access control. There are too many vectors that allow for attackers to gain and leverage passwords, making them a highly insecure way to protect vital assets when used in isolation. With modern advancements, there is little excuse for organizations not to deploy a two-factor and adaptive authentication solution, especially for highly critical data like the Astros Ground Control database. Had the Astros deployed such a system, Lunhow’s reused password would have been rendered useless to the attackers. Two-factor authentication depends on something the user knows (like a password) and something the user has (like a “one-time password” delivered via soft token or hard token). Advancements in authentication technology are taking this even further, enabling adaptive authentication options that examine context and risk in real time as well as biometric modalities, such as thumbprint or facial recognition. 
It is unclear how or when the Cardinals staff was able to gain access to Lunhow’s credentials. Obviously as “insiders” they would be privy to intimate knowledge about internal Cardinals systems. The lesson here is that organizations must protect themselves from insider threats as well as external ones. Employees may act with vigilantism, become disgruntled or even incentivized by external actors antagonistic towards the organization. In a sense, the malicious Cardinals staff were attacking their own organization by stealing the passwords. A password database or user data store should be treated as one of an organizations most vital assets, allowing only the most privileged users full access under strict guidelines. This is the tenet of least privilege, a rule that many organizations get wrong. The internal practices of the Cardinals organization are unclear, and admin users may themselves be insider threats, but the story still highlights the need for the enforcement of least privilege. 
It is also unclear whether Lunhow’s credentials were obtained before or after his tenure in the Cardinals front office. If it was after, Lunhows accounts were obviously not properly deprovisioned after his departure. This is a process that is often overlooked by organizations. Many things lead to failure to deprovision. Organizations may have a large number of disparate systems without a centrally managed access control solution. Systems may be forgotten or ignored with dire consequences. It is an argument to centralize access control and use a single or forested data store, allowing IT teams to quickly and easily delete the account via a single interface. If there is data bound to the account and it cannot be deleted, it should at the very least be disabled, along with an associated password change.
In a sense, the Astros are not dissimilar from many organizations in this day and age. To the baseball fan, the Astros are represented by the likes of outfielder Colby Rasmus and designated hitter Evan Gattis. Internally, they have a front office staff, an IT department, and intellectual property with sensitive data that they need to protect. They look just like any other business out there, regardless of their public face.
We often think of attackers as a highly funded organized crime group or a division of some nation state’s military. The Astros hack shows that corporate espionage is still very much alive, and now has a new plane of existence on which to operate on. This is not the first case of corporate cyber espionage, and certainly will not be the last. It’s time for professional sports organizations to “step up their cyber game.” For inspiration, look to the Denver Broncos. The Broncos stand out as a security leader in the sports world, protecting their playbooks digitally and allowing them to be remotely wiped if stolen.
For more on the topic of innovation in the authentication space, check out the white paper “Preventing Attackers from Getting What They Want”, by SecureAuth CTO Keith Graham.

  • Product: IdP

Ready for a Demo?

Eliminate identity-related breaches with SecureAuth!