As a follow-up to last week's article: the Russian President has ordered a 'Special Military Operation' in eastern Ukraine, warning that any attempt to interfere with the Russian action will 'lead to consequences you have never seen.' There is little doubt that nations who condemn the Russian action will present themselves as targets for Cyber-attacks.
New Zealand has called Russia's actions 'a flagrant breach of fundamental international rules.' We may, therefore, become subject to concentrated Cyber-attacks in the near future. I spoke of three concerns last week: DDoS, the lack of skilled Cyber-security staff, and security risk identification.
However, now that Cyber-threat levels have escalated, attacks may become more precisely targeted. Critical infrastructure, financial organisations, the military, and Government organisations present immediate, high-value objectives for a Cyber-attack. New Zealand's supply chain may also be at risk, with ports and air terminals presenting targets for disruptive Cyber-attacks. Double-extortion ransomware attacks, where data is exfiltrated off-site and encrypted on-site, have been favourite tools of Nation-State actors. A new wiper malware attack has been detected in Ukraine, corrupting files down to the boot-loader / MBR level.
So... what can we do?
This is the perfect segue into a discussion on defence tactics, specifically looking into Zero Trust Architecture.
The traditional defence strategy of Defence in Depth (DiD), with multiple layers of security mechanisms, works well, up to a point. New technologies are pushing the 'edge' further out, away from effective DiD control. Covid is challenging IT security implementation, with remote working being embraced by organisations and employees. The Internet of Things and global footprints have also changed the security landscape. DiD assumes a static network perimeter, with trust assumed within the network. On a modern distributed network structure, the DiD strategy has become difficult to administer and manage, and analysis is problematic.
This form of strategic security presents a juicy target to well-resourced Nation-State threat actors.
An APT set loose within the DiD network, most likely through a malicious email attachment, may remain undetected. If an employee who is taking part in the 'great resignation' should 'just' copy your IP, there may be no record. Teleworkers connecting through RDP or VPN may not have their data encrypted by default, and the transfer of information may be compromised.
Zero Trust adds to the DiD security layers by treating every device, resource and user as untrusted. The Zero Trust model assumes that every connection within your organisation's network infrastructure is hostile. Therefore, every device and user must be authenticated, preferably with Multi-Factor Authentication, before trust levels are assigned. End users are assigned trust levels that allow only the access needed to fulfil their role. This embraces the concept of micro-segmentation, which allows granular security control and event logging.
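The authenticate-then-assign-trust flow described above, as an added example (not code from the original article): a small Python policy decision point that judges each request on MFA-backed identity, device posture and the caller's least-privilege role within a micro-segment, and logs every decision as a structured event. The roles, segments and policy table are constructed sample values.

```python
"""Minimal Zero Trust policy decision point (added example, not the article's code).
Each request is judged on its own evidence: MFA-backed identity, device posture,
and whether the caller's role permits this action in this micro-segment.
Network location is recorded for the audit trail but never grants trust.
Roles, segments and the policy table below are constructed sample values."""
from dataclasses import dataclass
import json
import time

# Least-privilege policy: role -> set of (micro-segment, action) it may perform.
# Constructed sample; a real deployment loads this from a policy store.
POLICY = {
    "finance-analyst": {("finance-db", "read")},
    "dba": {("finance-db", "read"), ("finance-db", "write"), ("hr-db", "write")},
}

AUDIT_LOG: list = []   # structured decision events, one JSON line each


@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool        # strong authentication completed for this session
    device_managed: bool      # endpoint enrolled in device management
    device_patched: bool      # posture check: OS and AV up to date
    segment: str              # micro-segment that hosts the resource
    action: str
    source: str = "unknown"   # client address; logged, never trusted


def decide(req: Request) -> dict:
    """Return the decision with its reasons and append an audit event.
    Every failed check is collected rather than short-circuited, so the log
    shows the complete picture for each denied request."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_required")
    if not (req.device_managed and req.device_patched):
        reasons.append("device_posture_failed")
    if (req.segment, req.action) not in POLICY.get(req.role, set()):
        reasons.append("not_permitted_for_role")
    decision = {
        "allow": not reasons, "reasons": reasons, "user": req.user,
        "role": req.role, "segment": req.segment, "action": req.action,
        "source": req.source, "ts": round(time.time(), 3),
    }
    AUDIT_LOG.append(json.dumps(decision))  # log allow and deny alike
    return decision
```

Note that a request from an internal address with no MFA is denied exactly as an external one would be; the source field only feeds the audit trail.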
Zero Trust architecture implementations present several key benefits:
- Enhanced network traffic analysis
- Reduced time to breach detection, and faster breach response / mitigation
- No requirement for users to remember complex passwords, through the application of MFA and SSO
- Data cannot be exfiltrated outside the network
- Command and Control servers are automatically blocked
- The solution vendor is responsible for monitoring, analysing, managing, troubleshooting, upgrading and patching
Zero Trust architecture, when implemented well, presents a streamlined security posture. Bringing new resources and equipment online securely is simpler, and employee onboarding / offboarding processes become straightforward. Zero Trust embraces end-point security, where the traffic between the user and the resource being accessed is encrypted. This is great news for organisations looking to continue encouraging teleworking staff while maintaining security controls.
A memorandum from the Executive Office of the President of the USA was sent to the Heads of Executive Departments and (Federal) Agencies on 26 January 2022. The subject is 'Moving the US Government Toward Zero Trust Cybersecurity Principles.' Agencies were given 30 days to designate and identify a Zero Trust strategy implementation lead for their organisation. The memorandum requires agencies to achieve specific Zero Trust security goals by the end of fiscal year 2024. The goals are well set out in the memorandum document.
This represents a clear change in US Federal security posture towards the Zero Trust model of authenticate, verify, then trust. The memorandum is a direct response to President Biden's executive order giving top priority to the prevention, detection, assessment and remediation of Cyber-incidents.
I think we would do well in New Zealand to peruse these documents and the directives communicated.
The strategy provides a security roadmap to adapt to the continuously changing threat environment.
Key points to take away:
- Enable MFA whenever possible
- Perform a risk assessment
- Implement and test your backup and recovery plan
Take care, stay safe.
PhD, MISDF (1st Class), MBA
Senior Cyber Security Engineer