
Rotate all secrets immediately after any employee departure from a privileged role

When a privileged employee — sysadmin, developer, DevOps engineer — leaves your organisation, all shared secrets and credentials they had access to must be rotated immediately. The Cisco insider who deleted 456 WebEx virtual machines did so five months after resignation using credentials that had never been revoked. Maintain an offboarding checklist that includes: deactivating SSO accounts, revoking SSH keys, rotating shared infrastructure passwords and API keys, and auditing any cloud IAM roles the employee had assumed. Automate this process where possible.
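The offboarding checklist above, worked through as an added example that is not part of the original guide: given the departed user's registered public keys and a shared-secret inventory (both constructed sample data), it lists the authorized_keys lines to revoke, matching by key fingerprint rather than by the comment field, plus the shared passwords and API keys to rotate and the IAM roles to audit.

```python
import base64
import hashlib
import struct

def ssh_fingerprint(b64_blob: str) -> str:
    """OpenSSH-style 'SHA256:...' fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (line, fingerprint) per key line; tolerates an options prefix, skips comments."""
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next(i for i, f in enumerate(fields)
                   if f.startswith(("ssh-", "ecdsa-", "sk-")))
        yield line, ssh_fingerprint(fields[idx + 1])

def offboarding_plan(user, user_pubkeys, authorized_keys, secrets):
    """Match SSH keys by fingerprint, not comment, so a key under a neutral comment is still caught."""
    fps = {ssh_fingerprint(k.split()[1]) for k in user_pubkeys}
    return {
        "revoke_ssh": [ln for ln, fp in parse_authorized_keys(authorized_keys) if fp in fps],
        "rotate": [s["name"] for s in secrets
                   if user in s["holders"] and s["kind"] in ("password", "api-key")],
        "audit_iam_roles": [s["name"] for s in secrets
                            if user in s["holders"] and s["kind"] == "iam-role"],
    }

def constructed_ed25519_line(seed: int, comment: str) -> str:
    """Syntactically valid ssh-ed25519 line built from constructed bytes (not a real key)."""
    key_type = b"ssh-ed25519"
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", 32) + bytes([seed]) * 32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"
# Constructed sample: departed user's registered keys, a bastion authorized_keys, a secret inventory.
DEPARTED = "jdoe"
JDOE_KEYS = [constructed_ed25519_line(1, "jdoe@laptop"), constructed_ed25519_line(2, "deploy")]
AUTHORIZED_KEYS = "\n".join([
    "# bastion authorized_keys",
    constructed_ed25519_line(1, "jdoe@laptop"),
    constructed_ed25519_line(3, "asmith@laptop"),
    'command="/usr/local/bin/backup" ' + constructed_ed25519_line(2, "backup-bot"),
])
SECRETS = [
    {"name": "prod-db-root", "kind": "password", "holders": ["jdoe", "asmith"]},
    {"name": "payments-api-key", "kind": "api-key", "holders": ["jdoe"]},
    {"name": "role/OpsAdmin", "kind": "iam-role", "holders": ["jdoe", "ops-team"]},
    {"name": "ci-token", "kind": "api-key", "holders": ["asmith"]},
]
```

Note that the key installed under the comment `backup-bot` is still flagged because its fingerprint matches one of the departed user's registered keys; a comment-based search would have missed it.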

Tags

offboarding, secret rotation, SSH keys, IAM, credential revocation

More in Authentication


Use hardware security keys for privileged and external-facing accounts

FIDO2/WebAuthn hardware security keys are phishing-proof — they cryptographically bind to the domain you registered them on, so a cloned login page cannot capture the credential. SMS-based two-factor codes can be intercepted via SIM-swapping or forwarded by a victim who receives a fraudulent phone call. The Twilio breach demonstrated exactly this: employees entered SMS codes into a phishing page. Hardware keys like YubiKey make that attack impossible. Deploy them first for all administrators, executives, and anyone with access to production systems or financial controls.

See: Twilio SMS Phishing

Migrate from SMS and TOTP to phishing-resistant MFA

SMS two-factor authentication is vulnerable to SIM-swapping, SS7 interception, and real-time phishing relay. TOTP (authenticator app) codes are better than SMS but can still be captured on a convincing phishing page. Phishing-resistant MFA — FIDO2 hardware keys or passkeys — cannot be forwarded to an attacker's server because the credential is cryptographically bound to the exact domain. When Cloudflare was targeted by the same 0ktapus campaign that successfully breached Twilio, Cloudflare survived because their employees used hardware keys. Prioritise migration for your highest-value accounts first.

See: Twilio SMS Phishing

Enforce a 90-day audit of all service accounts and shared credentials

Dormant accounts and over-privileged service credentials are a persistent attack surface. The Colonial Pipeline VPN credential that enabled the ransomware attack belonged to an account that was no longer actively used but had never been deactivated. Run a quarterly audit of all service accounts, API keys, and shared credentials. Deactivate anything unused for 30 days. Remove permissions that are broader than the account's stated purpose. Document every service account's owner, purpose, and expiry date.

See: Colonial Pipeline