Teri Radichel

How to Prevent a GitHub Breach Like the One That Just Happened To Mercedes-Benz

Strategies for securing your GitHub accounts

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: GitHub Security | Application Security | Data Breaches

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A recently disclosed exposure at Mercedes-Benz showed that a single leaked GitHub token could have given attackers access to all of the company's source code.

Bleeping Computer's coverage quotes the RedHunt Labs report that identified the token:

“The GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the Internal GitHub Enterprise Server,” reads RedHunt Labs’ report.

Here’s how you can prevent a similar scenario in your organization.

Fine-Grained Tokens and Token Restrictions

First of all, use fine-grained personal access tokens instead of classic ones. A classic token is granted scopes such as "repo" that apply to every repository its owner can reach, and there is no way to narrow it. A fine-grained token is tied to a single resource owner (your user account or one organization), to the specific repositories you select, and to specific permissions on those repositories, for example read-only access to contents, and you give it an expiration date. If a fine-grained token leaks, the attacker gets those repositories and those permissions and nothing more.

You can enforce this in your organization settings. Under Third-party Access, open Personal access tokens. Two policies matter there:

Require administrator approval before a fine-grained token can access the organization's resources, and review each request to confirm it asks for the minimum repositories and permissions rather than access to "everything."

Restrict classic tokens from accessing the organization's resources. You can't stop a user from creating a classic token on their own account, but you can make it useless against your organization.
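A policy that blocks classic tokens is only half the job; you also want to know when one has been pasted into a workflow file or config and committed. The following is an added example of mine, not code from the original post. It scans text for GitHub's documented token prefixes (the same prefix-and-length patterns common secret scanners use: 40-character classic and app tokens, 93-character fine-grained tokens), reports each token kind with the value redacted, and flags classic ones as policy violations. The tokens and the workflow snippet in it are constructed, not real credentials.

```python
"""Find GitHub tokens committed to files and flag classic ones.

Added example with constructed data; no real tokens.
"""
import re
from dataclasses import dataclass

# Documented GitHub token prefixes. Only fine-grained PATs can be scoped to
# individual repositories and permissions; classic PATs carry account-wide scopes.
TOKEN_KINDS = {
    "github_pat_": "fine-grained personal access token",
    "ghp_": "classic personal access token",
    "gho_": "OAuth access token",
    "ghu_": "GitHub App user-to-server token",
    "ghs_": "GitHub App installation token",
    "ghr_": "GitHub App refresh token",
}

# Fine-grained PATs are 93 characters long; classic and app tokens are 40.
TOKEN_RE = re.compile(
    r"\b(?:github_pat_[A-Za-z0-9_]{82}|gh[pousr]_[A-Za-z0-9]{36})\b"
)


@dataclass
class Finding:
    line: int
    kind: str
    redacted: str   # prefix only, so the report itself cannot leak the token
    classic: bool   # True when the token is a classic PAT


def classify_token(token: str):
    """Return the token kind for a full token string, or None if it is not one."""
    if not TOKEN_RE.fullmatch(token):
        return None
    for prefix, kind in TOKEN_KINDS.items():
        if token.startswith(prefix):
            return kind
    return None


def redact(token: str) -> str:
    return token[:8] + "..."


def find_tokens(text: str):
    """Scan text line by line and return a Finding for every token-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            token = match.group(0)
            kind = classify_token(token)
            findings.append(Finding(lineno, kind, redact(token), kind == TOKEN_KINDS["ghp_"]))
    return findings


def classic_tokens(findings):
    """Findings that violate a 'no classic tokens' policy."""
    return [f for f in findings if f.classic]


# Constructed tokens with the right shape and length; not real credentials.
FAKE_CLASSIC = "ghp_" + "0123456789abcdefghijklmnopqrstuvwxyz"  # 40 chars
FAKE_FINE = "github_pat_" + "ABCDEFGHIJKLMNOPQRSTUV" + "_" + "0123456789" * 5 + "abcdefghi"  # 93 chars

# Constructed CI configuration with both kinds of token pasted in.
SAMPLE_CI_CONFIG = f"""# constructed sample workflow, not a real one
env:
  GH_TOKEN: {FAKE_CLASSIC}
  DEPLOY_TOKEN: {FAKE_FINE}
  NOT_A_TOKEN: ghp_tooshort
"""


def main():
    findings = find_tokens(SAMPLE_CI_CONFIG)
    for f in findings:
        flag = "  <-- classic token, blocked by org policy" if f.classic else ""
        print(f"line {f.line}: {f.kind} ({f.redacted}){flag}")
    print(f"{len(classic_tokens(findings))} classic token(s) found")


if __name__ == "__main__":
    main()
```

Run it as a pre-commit hook or in CI over the files being pushed; any finding is a leak to rotate, and a classic finding is additionally a token the organization policy above should already have made useless.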

Network Restrictions

In addition, if your organization is on GitHub Enterprise Cloud, you can configure an IP allow list so that its repositories and settings can only be reached from the IP ranges you specify. That way, even if someone obtains a personal access token, they can't use it against your organization unless they are also coming from your network. Keep the list tight: it should contain your office and VPN egress addresses, not a broad range that an attacker on a nearby cloud instance could also occupy. Remember that the list applies to automation too, so GitHub-hosted Actions runners and other integrations that reach your organization from outside those ranges will be blocked until you allow them explicitly.

This post explains how to do those things:

If you can, you might consider running your own GitHub Enterprise Server inside your own private network, so that the network itself limits who can reach it. Note, though, that Mercedes-Benz's code was already on an internal GitHub Enterprise Server and the leaked token still gave unrestricted access to it. A self-hosted server only helps if it is actually unreachable from the internet and reachable only from the IP ranges you intend, so verify that rather than assuming it.

Be aware that GitHub recently made a change so that the IP addresses allowed to access your organization or enterprise account can be configured in two different places. I'm not a fan of that personally, but make sure you know all the places where allowed IP addresses may be configured for your account.
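The RedHunt quote calls the access "unmonitored" as well as "unrestricted", and an allow list is only as good as the ranges in it. The following is an added example of mine, not code from the original post: it validates a proposed allow list (rejecting the whole internet and anything broader than a /16), then runs audit-log events against it to flag token use from outside the allowed ranges and to show how many distinct addresses each token has been used from. The log lines are constructed, not real data; the field names (actor_ip, actor, action, token_id, programmatic_access_type) follow GitHub's audit log export but should be treated as an assumption of this example, and the allow-list ranges are documentation addresses standing in for office and VPN egress.

```python
"""Check GitHub audit-log events against an IP allow list.

Added example with constructed log lines and allow-list ranges.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed office and VPN egress ranges (RFC 5737 documentation addresses).
ALLOW_LIST = ["203.0.113.0/24", "198.51.100.0/25"]


def allow_list_problems(cidrs):
    """Return human-readable problems with a proposed allow list."""
    problems = []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: not a valid network ({exc})")
            continue
        if net.prefixlen == 0:
            problems.append(f"{cidr}: allows the entire internet")
        elif net.version == 4 and net.prefixlen < 16:
            problems.append(f"{cidr}: broader than /16; list your real egress addresses")
    return problems


def parse_allow_list(cidrs):
    """Parse the allow list, refusing to continue if any entry is unsafe."""
    problems = allow_list_problems(cidrs)
    if problems:
        raise ValueError("; ".join(problems))
    return [ipaddress.ip_network(c) for c in cidrs]


def is_allowed(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_events(lines):
    """One JSON object per non-empty line, as in an audit log export."""
    return [json.loads(line) for line in lines if line.strip()]


def events_outside_allow_list(lines, networks):
    """Events whose source address falls outside every allowed range."""
    return [ev for ev in parse_events(lines)
            if "actor_ip" in ev and not is_allowed(ev["actor_ip"], networks)]


def token_source_ips(lines):
    """Distinct source addresses per token id; a token seen from many places is a leak signal."""
    seen = defaultdict(set)
    for ev in parse_events(lines):
        if ev.get("token_id") is not None and "actor_ip" in ev:
            seen[ev["token_id"]].add(ev["actor_ip"])
    return {tid: sorted(ips) for tid, ips in seen.items()}


# Constructed events: two inside the allow list, two token uses from outside it,
# and one interactive admin action from inside.
SAMPLE_AUDIT_LOG = """
{"@timestamp": 1706000000000, "action": "git.clone", "actor": "dev-alice", "actor_ip": "203.0.113.17", "programmatic_access_type": "Fine-grained personal access token", "token_id": 1111}
{"@timestamp": 1706000060000, "action": "git.push", "actor": "dev-alice", "actor_ip": "203.0.113.17", "programmatic_access_type": "Fine-grained personal access token", "token_id": 1111}
{"@timestamp": 1706003600000, "action": "git.clone", "actor": "dev-bob", "actor_ip": "192.0.2.44", "programmatic_access_type": "Personal access token (classic)", "token_id": 2222}
{"@timestamp": 1706003700000, "action": "repo.download_zip", "actor": "dev-bob", "actor_ip": "198.51.100.200", "programmatic_access_type": "Personal access token (classic)", "token_id": 2222}
{"@timestamp": 1706004000000, "action": "org.update_member", "actor": "admin-carol", "actor_ip": "198.51.100.9"}
"""


def main():
    nets = parse_allow_list(ALLOW_LIST)
    lines = SAMPLE_AUDIT_LOG.splitlines()
    for ev in events_outside_allow_list(lines, nets):
        print(f"OUTSIDE ALLOW LIST: {ev['actor']} {ev['action']} from {ev['actor_ip']} "
              f"via {ev.get('programmatic_access_type', 'interactive session')}")
    for tid, ips in token_source_ips(lines).items():
        print(f"token {tid} used from {len(ips)} address(es): {', '.join(ips)}")


if __name__ == "__main__":
    main()
```

Note that 198.51.100.200 is flagged even though it looks like an office address: the allow list covers only 198.51.100.0/25, and that is the point of keeping ranges narrow. Run the same check over your real audit log export before turning the allow list on, so you find legitimate automation that would be blocked, and afterwards as a detection for tokens being used from where they should not be.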

Separation of Duties and Reducing the Blast Radius

Unfortunately, if attackers have compromised one of your developers' machines, they may also have access to your network and to every system that developer can reach. Such was the case in the LastPass breach.

Consider not putting all your source code in a single repository, a single account, or on a single server. I use separate accounts for different purposes. I wrote about that here.

Apply separation of duties so that access to one individual's machine doesn't hand over the keys to your kingdom:

The unfortunate thing is that with GitHub, unlike AWS CodeCommit, you can't require MFA for specific actions such as reading from or writing to a repository. You can require every member of your organization to enable two-factor authentication, but that protects the interactive login, not a token that has already been issued. With CodeCommit, an IAM policy condition on aws:MultiFactorAuthPresent can deny pushes unless the caller authenticated with MFA. I wish they would add that. This post explains how you can add MFA for actions on AWS CodeCommit:
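To make the CodeCommit comparison concrete, here is an added example of mine, not code from the original post or from the post it links to. It places a weak IAM policy (one Allow over every CodeCommit action) beside a hardened one that denies write actions unless MFA is present, and includes a small checker that lists write actions an identity could still use without MFA. The repository ARN and account id are constructed, the set of write actions is an illustrative subset, and the checker models only Action lists and wildcards (not NotAction, Resource scoping, or policy variables). The BoolIfExists detail it checks for is real: AWS documents that the MFA key is absent for requests signed with long-term access keys, so a Deny written with plain Bool would not apply to them.

```python
"""Check whether an IAM policy requires MFA for CodeCommit write actions.

Added example with constructed ARN; illustrative checker only.
"""
import fnmatch

MFA_KEY = "aws:MultiFactorAuthPresent"

# CodeCommit actions that change repository contents (illustrative subset).
WRITE_ACTIONS = [
    "codecommit:GitPush",
    "codecommit:PutFile",
    "codecommit:CreateCommit",
    "codecommit:DeleteBranch",
    "codecommit:MergePullRequestByFastForward",
]

REPO_ARN = "arn:aws:codecommit:us-east-1:123456789012:example-repo"  # constructed

# Weak: one Allow covering every CodeCommit action, with no MFA condition.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "codecommit:*", "Resource": REPO_ARN},
    ],
}

# Hardened: reads stay allowed; writes are denied unless MFA is present.
# BoolIfExists matters: with long-term access keys the MFA key is absent from
# the request context, so a plain Bool condition never matches and the Deny
# would not apply to exactly the credentials most likely to be stolen.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "codecommit:*", "Resource": REPO_ARN},
        {"Effect": "Deny", "Action": WRITE_ACTIONS, "Resource": REPO_ARN,
         "Condition": {"BoolIfExists": {MFA_KEY: "false"}}},
    ],
}

# Looks hardened but is not: the Deny uses Bool instead of BoolIfExists.
MISCONFIGURED_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "codecommit:*", "Resource": REPO_ARN},
        {"Effect": "Deny", "Action": WRITE_ACTIONS, "Resource": REPO_ARN,
         "Condition": {"Bool": {MFA_KEY: "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _covers(stmt, action):
    # IAM action patterns are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(stmt.get("Action", [])))


def _mfa_condition(stmt):
    """(operator, value) of the statement's MFA condition, or None."""
    for op, keys in stmt.get("Condition", {}).items():
        if MFA_KEY in keys:
            return op, str(keys[MFA_KEY]).lower()
    return None


def mfa_gaps(policy):
    """Write actions that some Allow grants and nothing forces behind MFA."""
    stmts = _as_list(policy["Statement"])
    gaps = []
    for action in WRITE_ACTIONS:
        allows = [s for s in stmts if s["Effect"] == "Allow" and _covers(s, action)]
        if not allows:
            continue
        # Gated if every Allow itself demands MFA (Bool true; BoolIfExists true
        # would pass when the key is missing) or a Deny catches the no-MFA case.
        every_allow_requires_mfa = all(_mfa_condition(s) == ("Bool", "true") for s in allows)
        denied_without_mfa = any(
            s["Effect"] == "Deny" and _covers(s, action)
            and _mfa_condition(s) == ("BoolIfExists", "false")
            for s in stmts
        )
        if not (every_allow_requires_mfa or denied_without_mfa):
            gaps.append(action)
    return gaps


def weak_deny_statements(policy):
    """Indexes of Deny statements that test MFA with Bool instead of BoolIfExists."""
    stmts = _as_list(policy["Statement"])
    return [i for i, s in enumerate(stmts)
            if s["Effect"] == "Deny" and _mfa_condition(s) == ("Bool", "false")]


def main():
    for name, policy in [("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY),
                         ("misconfigured deny", MISCONFIGURED_DENY_POLICY)]:
        print(f"{name}: gaps={mfa_gaps(policy)} weak_denies={weak_deny_statements(policy)}")


if __name__ == "__main__":
    main()
```

The misconfigured variant is the one to watch for in review: it reads like the hardened policy, but an attacker who lifted a developer's access keys (the LastPass scenario above) could push without ever touching MFA, because the Deny condition never evaluates true for a request that carries no MFA key at all.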

GitHub Actions are risky for that and other reasons, as I explain in the following posts, but if you choose to use them I also provide some security guidance:

Hope that helps!

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab