    The Ransomware Crime Wave Has Made Zero Trust Critical

    Zero trust proceeds from the foundational framework that no individual, no device, no application, no thing can be trusted as secure.

    By
    eWEEK EDITORS
    -
    July 12, 2021

      The spate of ransomware attacks that have shaken the U.S. in recent weeks has generated a lot of media coverage, much of it focusing on the more sensationalistic aspects of the incidents and their fallout.

      Criminal cyberhacker gangs based in Russia. Gasoline shortages and hoarding in southeastern states in the wake of the Colonial Pipeline shutdown. The traceability of cryptocurrency, or the lack thereof. Interruptions to the food supply chain after the giant beef processor JBS had to shutter multiple facilities in early June.

      All of this is newsworthy, of course. The public now is having to focus its attention on how vulnerabilities in IT systems can have serious negative effects on day-to-day life. Still, despite the media heat, one comes away from all the coverage with the impression that not a lot of light has been shed on the underlying issues with IT security. Here’s a passage from a recent article in the Washington Post covering congressional testimony from the CEO of Colonial (emphasis ours):

      The Colonial Pipeline hackers entered through the company’s IT systems… using an old login credential that was not protected by some basic industry-standard security protocols.

      From other reporting earlier in the week we’d learned that the login was password protected, but that Colonial was not using multifactor authentication as an added security step in its login processes. Presumably that’s what the reference to “basic industry-standard security” is pointing to. Which is informative enough, and all well and good. But look again at the bolded passage: an old login credential. That’s the vulnerability data point that we should all be focusing on.

      The Elephant in the Room

      The real story here is that large corporate entities controlling critically sensitive infrastructure—organizations that spend millions every year on cybersecurity—are still making fundamental missteps in their IT security strategies.

      As the Bloomberg story linked above points out, the Colonial hack did not involve phishing or other kinds of social engineering exploits, which are usually the first step in these kinds of crimes. In this case the hackers found a password for accessing Colonial’s VPN on the dark web, and then apparently surmised a username on their own, presumably an email address along the lines of jpinson@colpipe.com. Together, that username and password constituted “the old login credential.”

      The key question here is: why did an old credential still have standing access rights to the company’s VPN?

      None of the reporting we’ve seen spells this out specifically, but we think it’s safe to assume “old” means the credential was associated with an employee who had left the organization. That this individual’s standing access rights were not revoked when he or she left the company was the central cybersecurity shortcoming at issue here.

      Yes, lack of multifactor authentication was part of the problem. Likewise, Colonial might have prevented the intrusion with better, more effective identity and access management practices. But at the end of the day, this was not a situation where the organization needed to throw more money into cybersecurity technology.

      It needed to strengthen its security posture through subtraction: zero standing privileges—meaning, no one and nothing is trusted with standing access to accounts and data. By default, access rights expire automatically, and especially when an employee or contractor leaves the organization.
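
      An audit for the kind of standing access described above, as an added example that is not part of the original article: it cross-checks a VPN account export against an HR roster and flags enabled accounts whose owner has left or is unknown, that lack MFA, or that have gone idle. The account names, field names, sample records and the 90-day idle threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data; field names are hypothetical, not from any real product.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated"},
}
VPN_ACCOUNTS = [
    {"account": "alice", "owner": "alice", "enabled": True, "mfa": True,
     "last_login": date(2021, 6, 28)},
    {"account": "bob", "owner": "bob", "enabled": True, "mfa": False,
     "last_login": date(2020, 11, 20)},
    {"account": "svc-legacy", "owner": "carol", "enabled": True, "mfa": False,
     "last_login": None},
    {"account": "dave", "owner": "dave", "enabled": False, "mfa": False,
     "last_login": date(2019, 1, 5)},
]


def audit_vpn_accounts(accounts, roster, today, max_idle_days=90):
    """Return {account: [reason codes]} for enabled accounts that should not
    still hold standing VPN access."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already revoked, so no standing access remains
        reasons = []
        owner = roster.get(acct["owner"])
        if owner is None:
            reasons.append("owner_unknown")      # nobody accountable for it
        elif owner["status"] != "active":
            reasons.append("owner_departed")     # the "old credential" case
        if not acct["mfa"]:
            reasons.append("no_mfa")
        last = acct["last_login"]
        if last is None or (today - last).days > max_idle_days:
            reasons.append("idle")
        if reasons:
            findings[acct["account"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_vpn_accounts(
            VPN_ACCOUNTS, HR_ROSTER, date(2021, 7, 12)).items():
        print(name, ", ".join(reasons))
```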

      The Time is Now for Zero Trust

      The idea of basing cybersecurity on a zero trust model is not a new concept, but it’s an idea whose time has arrived in a big way. Conventional security technologies and techniques—firewalls, VPNs, etc.—are based on barrier-centered approaches that posit certain IT environments can be protected with access granted only to trusted users who can enter those environments with secret credentials.

      Zero trust proceeds from the foundational framework that no individual, no device, no application, no thing can be trusted as secure.

      The concept came into focus as an approach where security is organized around the user, endpoints, digital identities and access rights. But the “zero” part of it is where you’re removing default elements of configurations that can lead to compromise: the shares, the accesses, the privileges, so you can keep as close as possible to zero access, or zero standing privileges. After all, the most secure privilege is one that doesn’t exist.

      As cloud computing continues its rise, there’s growing consensus that zero trust will be the future state for security infrastructure. Zero trust architecture has been defined in the NIST Special Publication 800-207, and the framework has already been widely adopted in the US by the Department of Defense, the banking sector, the healthcare sector and elsewhere. Global expansion is well underway and accelerating in EMEA, APAC, and beyond. We’re also likely to see zero trust grow to become the standard security model moving forward because it’s based on a strategy, not just more technology.

      In cloud environments, it’s not possible to ringfence every application, resource, device, or user. Digital identity defines the new perimeter. The problem is that the new perimeter-less environment has made managing access privileges orders of magnitude more critical than ever before. This is why many in the cybersecurity community are looking to approaches based on least-privilege access, zero standing privileges, dynamic just-in-time (JIT) permissions and ephemeral access rights that expire automatically.

      Where a user previously had standing access privileges potentially extending around the clock for months at a time—or even years after that user had left the company—converting to JIT granting can compress that attack surface to several hours per month.
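
      A minimal model of JIT granting with automatic expiry, as an added example that is not part of the original article and not any vendor's implementation: access is denied by default, each grant has a capped lifetime, and offboarding removes every grant a user holds. The class name, the four-hour cap and the user and resource names are assumptions.

```python
from datetime import datetime, timedelta


class JitAccessBroker:
    """Deny-by-default access store: every grant carries an expiry."""

    def __init__(self, max_ttl=timedelta(hours=4)):
        self.max_ttl = max_ttl              # assumed policy cap per grant
        self._grants = {}                   # (user, resource) -> expiry time
        self._offboarded = set()

    def request(self, user, resource, ttl, now):
        if user in self._offboarded:
            raise PermissionError(f"{user} has been offboarded")
        expiry = now + min(ttl, self.max_ttl)   # cap over-long requests
        self._grants[(user, resource)] = expiry
        return expiry

    def is_allowed(self, user, resource, now):
        expiry = self._grants.get((user, resource))
        if expiry is None:
            return False                        # no standing privilege
        if now >= expiry:
            del self._grants[(user, resource)]  # expired grants are purged
            return False
        return True

    def offboard(self, user):
        self._offboarded.add(user)
        for key in [k for k in self._grants if k[0] == user]:
            del self._grants[key]


def demo():
    t0 = datetime(2021, 7, 12, 9, 0)            # constructed timeline
    broker = JitAccessBroker()
    out = {"before_grant": broker.is_allowed("alice", "vpn", t0)}
    expiry = broker.request("alice", "vpn", timedelta(days=30), t0)
    out["granted_hours"] = (expiry - t0) / timedelta(hours=1)
    out["during"] = broker.is_allowed("alice", "vpn", t0 + timedelta(hours=1))
    out["after_expiry"] = broker.is_allowed("alice", "vpn", t0 + timedelta(hours=5))
    broker.request("alice", "vpn", timedelta(hours=2), t0 + timedelta(hours=6))
    broker.offboard("alice")
    out["after_offboard"] = broker.is_allowed("alice", "vpn", t0 + timedelta(hours=6))
    return out
```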

      Rhino Security Labs has an excellent series of blog posts on the unique vulnerabilities inherent in cloud computing, specifically AWS’s S3 environment. They also outline the most important defense tactics that can be brought to bear against attackers in the cloud—specifically pointing to multi-factor authentication, automatic expiration of passwords, no standing privileges and close monitoring and auditing of access rights.

      We’re likely to see the ransomware crime wave get worse before it gets better. But the good news is that consensus is building on the strategies, tools and techniques to prevent these types of attacks going forward. The work of implementing zero trust architecture has just begun, and there’s a long road ahead. It appears, though, that we’re headed in the right direction.

      ABOUT THE AUTHOR: 

      Art Poghosyan is CEO of Britive
