The spate of ransomware attacks that have shaken the U.S. in recent weeks has generated a lot of media coverage, much of it focusing on the more sensationalistic aspects of the incidents and theirfall out.
- Criminal cyberhacker gangs based in Russia.
- Gasoline shortages and hoarding in southeastern states in the wake of the Colonial Pipeline shut down.
- The traceability of cryptocurrency, or the lack thereof.
- Interruptions to the food supply chain after the giant beef processor JBS had to shutter multiple facilities in early June.
All of this is newsworthy, of course.
The public now is having to focus its attention on how vulnerabilities in IT systems can have serious negative effects on day-to-day life. Still, despite the media heat, one comes away from all the coverage with the impression that nota lot of light has been shed on the underlying issues with IT security. Here’s a passage from a recent article in the Washington Post covering congressional testimony from the CEO of Colonial:
The Colonial Pipeline hackers entered through the company’s IT systems…using an old login credential that was not protected by some basic industry standard security protocols.
From other reporting by Bloomberg earlier in the week we’d learned that the login was password protected, but that Colonial was not using multifactor authentication as an added security step in its login processes. Presumably that’s what the reference to “basic industry-standard security” is pointing to. Which is informative enough, and all well and good. But look again at the bolded passage: an old login credential. That’s the vulnerability data point that we should all be focusing on.
THE ELEPHANT IN THE ROOM
The real story here is that large corporate entities controlling critically sensitive infrastructure—organizations that spend millions every year on cybersecurity—are still making fundamental missteps in their IT security strategies. As the Bloomberg story linked above points out, the Colonial ransomware hack did not involve phishing or other kinds of social engineering exploits, which is usually the first step in these kinds of crimes. In this case the hackers found a password for accessing Colonial’s VPN on the dark web, and then apparently surmised a username on their own, presumably an email address along the lines of email@example.com. Together, that username and password constituted “the old login credential.”
The key question here is: why did an old credential still have standing access rights to the company’s VPN? None of the reporting we’ve seen spells this out specifically, but we think it’s safe to assume “old” means the credential was associated with an employee who had left the organization. That this individual’s standing access rights were not revoked when he or she left the company was the central cybersecurity shortcoming at issue here. Yes, lack of multifactor authentication was part of the problem. Likewise, Colonial might have prevented the intrusion with better, more effective identity and access management practices. But at the end of the day, this was not a situation where the organization needed to throw more money into cybersecurity technology.
..it’s safe to assume “old” means the credential was associated with an employee who had left the organization. That this individual’s standing access rights were not revoked when he or she left the company was the central cybersecurity shortcoming
It needed to strengthen its security posture through subtraction: zero standing privileges — meaning, no one and nothing are trusted with standing access to accounts and data. By default, access rights expire automatically, and especially when an employee or contractor leaves the organization. This is a principal factor of least privilege enforcement.
THE TIME IS NOW FOR ZERO TRUST
The idea of basing cybersecurity on a zero trust model is not a new concept, but it’s an idea whose time has arrived in a big way. Conventional security technologies and techniques—firewalls, VPNs, etc.—are based on barrier-centered approaches that posit certain IT environments can be protected with access granted only to trusted users who can enter those environments with secret credentials. Zero trust proceeds from the foundational framework that no individual, no device, no application, no thing can be trusted as secure. The concept came into focus as an approach where security is organized around the user, endpoints, digital identities and access rights. But the “zero” part of it is where you’re removing default elements of configurations that can lead to compromise: the shares, the accesses, the privileges, so you can keep as close as possible to zero access, or zero standing privileges. After all, the most secure privilege is one that doesn’t exist. As cloud computing continues its rise, there’s growing consensus that zero trust will be the future state for security infrastructure.
ZERO TRUST PROCEEDS FROM THE FOUNDATIONAL FRAMEWORK THAT NO INDIVIDUAL, NO DEVICE, NO APPLICATION, NO THING CAN BE TRUSTED AS SECURE
Zero trust architecture has been defined in the NIST Special Publication 800-207, and the framework has already been widely adopted in the US by the Department of Defense, the banking sector, the healthcare sector and elsewhere. Global expansion is well underway and accelerating in EMEA, APAC, and beyond. We’re also likely to see zero trust grow to become the standard security model moving forward because it’s based on a strategy, not just more technology. In cloud environments, it’s not possible to ringfence every application, resource, device, or user. Digital identity defines the new perimeter. The problem is the new perimeterless environment has made managing access privileges magnitudes more critical than ever before. Here is why many in the cyber security community are looking to approaches based least privilege access, zero standing privilege, dynamic just in time permissions (JIT)and ephemeral access rights that expire automatically. Where a user previously had standing access privileges potentially extending around the clock for months at a time—or even years after that user had left the company—converting to JIT granting can compress that attack surface to several hours per month.
Rhino Security Labs has an excellent series of blogposts on the unique vulnerabilities inherent in cloud computing, specifically AWS’s S3 environment. They also outline the most important defense tactics that can be brought to bear against attackers in the cloud—specifically pointing to multi-factor authentication, automatic expiration of passwords, no standing privileges and close monitoring and auditing of access rights.
WE’RE LIKELY TO SEE THE RANSOMWARE CRIME WAVE GET WORSE BEFORE IT GETS BETTER
But the good news is that consensus is building on the strategies, tools and techniques to prevent ransomware attacks going forward. The work of implementing zero trust architecture has just begun, and there’s a long road ahead. It appears, though, that we’re headed in the right direction. If you liked this article on ransomware, why not read more our Cloud Secrets Governance whitepaper.