One Key and Five Minutes Can Leak Millions of Records
January 18, 2018 | DevOps | Corey O'Connor
An explosion in the number of applications and machines throughout IT environments has made IT automation and configuration tools such as Ansible a necessity. This trend is related to the increased adoption of DevOps practices where the line between development and operations has been erased. DevOps automates the software delivery pipeline and utilizes innovative, robust tools to deploy environments, scripts and applications. Functions within traditional operations roles are being fully replaced by a machine. This includes using powerful secrets to access and control IT infrastructure. To achieve a faster go-to-market execution and improved ROI, IT admins have been known to store secrets in Ansible Playbooks.
Tools such as Ansible help to modernize IT environments, enabling applications to deploy faster with improved quality. These tools deliver simple IT automation that ends repetitive tasks and frees up DevOps teams for more strategic work. Within the DevOps tool chain, secrets are necessary to build today’s modern applications. Against security best practices, these secrets are frequently embedded directly into code or configuration files like Ansible Playbooks. When these tools or files are compromised, the secrets and the access they provide are also compromised, leaving organizations both large and small vulnerable to an attack.
Secrets embedded in code resulted in the Uber breach that was revealed in 2017. The global ride share company stored its AWS keys (one type of secret) in a code repository that attackers were able to pull and leverage to gain direct access to millions of unencrypted files containing personal information.
This is not a standalone incident for hackers. They’re proactive. They have bots crawling all over GitHub seeking to gain access to secrets that were mistakenly published online. Attackers are doing this because they have had success. Many organizations continue to store secrets in code or configuration files, and finding the secrets within tools like Ansible, which control a very large number of tasks, can certainly be an uphill climb.
For years, the CyberArk Discovery and Audit™ (DNA) tool has provided organizations with the ability to first discover and later audit their environment. The tool automatically scans the network, which otherwise is a complex, manual process, for the following:
- Data related to privileged and non-privileged accounts
- Embedded and hard-coded application credentials
- SSH key exposure
- Potential credential theft risks, including Pass-the-Hash attacks, Pass-the-Ticket and Overpass-the-Hash
The easy-to-use scanner automatically discovers and analyzes any privileged and non-privileged accounts, then generates a report and visual organizational maps that illustrate the privileged account security status in the organization.
CyberArk DNA now provides the ability to automate the discovery of hidden credentials within Ansible (e.g. Playbooks, Roles and Tasks). This improves and simplifies the security of CI/CD tools and provides CISOs with a powerful tool to help discover and understand the risks of hidden secrets within their DevOps environments. This integration further bolsters the partnership between CyberArk and Ansible. Recently, CyberArk Conjur joined forces with Ansible to build integrations that deliver off-the-shelf, automated secrets protection and best practices throughout the DevOps pipeline.
How it works
CyberArk DNA will scan an entire network, detecting Windows and Unix/Linux instances and searching them for privileged and non-privileged secrets. On Red Hat instances, CyberArk DNA can detect an Ansible installation and search for Playbook yml (YAML) files. Once a Playbook has been discovered, DNA will then search for hard-coded secrets in Roles, Tasks and variables within a Playbook.
Figure 1. The CyberArk DNA dashboard provides a high-level review of all embedded and hard-coded credentials found on application servers including Ansible servers
At the end of the scan, DNA lists the details of all discovered secrets (e.g. user names, file location and password length) in a report and summarizes them in a very easy to consume format that can be shared with managers and executives to give them an overview of the current state of the domain.
Figure 2. From the DNA executive report data, a summary of all credentials found on all Playbooks from all scanned Ansible servers
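To make the scanning step concrete, here is an added example (not CyberArk's or Ansible's code) of a minimal line-oriented scanner that flags secret-looking keys in a Playbook and reports file location and password length, while distinguishing plaintext values from templated references and Vault-encrypted values. The sample Playbook, the key-name pattern and the Finding fields are all constructed for this example.

```python
import re
from typing import List, NamedTuple

# Constructed sample playbook for this example (not from the original post).
SAMPLE_PLAYBOOK = """\
- hosts: dbservers
  vars:
    db_password: S3cretPassw0rd!
    api_token: "{{ lookup('env', 'API_TOKEN') }}"
  tasks:
    - name: Create the application database user
      mysql_user:
        password: "{{ db_password }}"
        login_password: hunter2
    - name: Vaulted value (encrypted at rest, not a hard-coded secret)
      set_fact:
        smtp_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          3436393230616263
"""

class Finding(NamedTuple):
    path: str
    line: int
    key: str
    status: str  # "hardcoded", "templated" or "vaulted"
    length: int  # plaintext length for hard-coded values, else 0

# Key names that usually carry credentials, and a line-level "key: value" matcher.
SECRET_KEY = re.compile(r"(pass(word|wd)?|secret|token|api_?key|private_?key)", re.I)
KEY_VALUE = re.compile(r"^\s*(?:-\s+)?(?P<key>[A-Za-z0-9_.-]+):\s*(?P<value>.*?)\s*$")

def scan_playbook(text: str, path: str = "playbook.yml") -> List[Finding]:
    """Scan Playbook text line by line and classify the value of every secret-like key."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = KEY_VALUE.match(line)
        if not m or not SECRET_KEY.search(m.group("key")):
            continue
        value = m.group("value").strip("\"'")
        if value.startswith("!vault"):
            status, length = "vaulted", 0          # encrypted with ansible-vault
        elif "{{" in value:
            status, length = "templated", 0        # reference to a variable or lookup
        elif value:
            status, length = "hardcoded", len(value)  # plaintext secret in the file
        else:
            continue  # nested mapping or block scalar header: nothing to judge here
        findings.append(Finding(path, lineno, m.group("key"), status, length))
    return findings
```

Only findings with status "hardcoded" correspond to the embedded credentials the scan described above is looking for; the other two statuses are worth listing so reviewers can confirm the secret is actually sourced from a vault or an external store.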
Take the first step in discovering secrets within your DevOps pipeline
Interested in discovering hidden, unprotected credentials in your Ansible Playbooks? Request a FREE risk assessment with CyberArk DNA or reach out to your local sales representative for more information. Also, find out more about permanently removing embedded secrets from scripts and code by visiting CyberArk Conjur and try it for FREE with the Community Edition.