How to manage and reduce secret sprawl

The problem with secrets

The volume of secrets used within organizations has grown exponentially with the proliferation of mobile devices, applications and cloud services.

The following are examples of secrets organizations use and must protect:

• OAuth tokens
• API keys
• usernames/passwords
• SSH/TLS certificates
• encryption and code signing keys
• machine identifiers
• application authenticators

The problem with secrets is they are not secret. They get replicated and stored throughout a company's entire infrastructure. This is by necessity; secrets must be available and distributed among applications and devices to enable communications. However, this usage may mean multiple copies of a secret are stored randomly -- and haphazardly. Secrets may also be hardcoded into apps and devices, rendering them insecure.

The irregular and unrestrained nature of secret proliferation creates what is known as secret sprawl.

How attackers get secrets

Secret sprawl makes it difficult to maintain control and visibility of secrets. It also vastly expands an organization's attack surface, offering attackers multiple opportunities to discover an active secret and exploit it.

Given that secrets are an entry point into applications and devices, cybercriminals covet them. Cyber breach studies consistently report that compromised credentials facilitate breaches. Why should attackers break down a door when they can unlock it?

Attackers can acquire secrets via several different methods. One way is harvesting them from publicly available repositories. Secrets hardcoded into applications and devices may also be found online -- for example, in rainbow tables. Nefarious actors may also use a technique known as Google dorking to uncover usernames, passwords and SSH keys. Additionally, many secrets consist of a defined-length, random string of characters, making it possible to find them within software code.

The exploitation of secrets is not theoretical. An infamous example is the Mirai malware. Mirai scanned networks for specific IoT devices it could log in to using known default usernames and passwords. Once logged in, it added the infected device to a botnet to be used in DDoS attacks. In another example, DataBreaches.net researchers found the records of 150,000 to 200,000 patients of nine healthcare-related organizations in GitHub repositories.

The bottom line is secret sprawl is a major vulnerability to enterprises.

How to control secret sprawl

No simple solution to gain visibility and control over secrets exists. However, organizations can implement some actions to reduce the expanded attack surface.

The first step is to gain visibility into the secrets that might be available to attackers. Use the open source tool TruffleHog, for example, to discover keys in JavaScript or cross-origin resource sharing settings in APIs.

Remind employees creating secrets to protect them and not leave them publicly accessible. Organizations can supplement this cybersecurity awareness effort by enforcing a zero-secrets-in-code policy. Developers need the tools to implement this.

Finally, have a central location that can manage all aspects of the secret lifecycle. Specific actions should include the following steps:

1. Take an inventory of all secrets and secret associations.
2. Manage secret associations to ensure access is within policy.
3. Document what each secret is used for, why it was created and who owns it.
4. Refresh, review, renew and remove secrets regularly.
5. Centralize and restrict authorization to create secrets.

Specialized secret manager programs can centralize credential security, manage secret lifecycle activities and provide user information on who has access to each secret.

Gaining control over secrets vastly improves overall security, while fostering continuous business activities.