Zero Trust: Best Practices for Preventing Misunderstandings and Mistakes
Zero Trust can be perplexing when it devolves into just another marketing buzzword. Let’s clarify what it really means.
It can become tedious writing about the same thing over and over again. But reading about the same thing happening time and time again is really bad for our blood pressure. A good example of this is the double-digit number of articles that have appeared here on the importance of basic security measures. Reliable patching, increasing employee awareness of IT security, network segmentation, least privilege: it might not be all that exciting or driven by artificial intelligence, but it is still, unfortunately, very necessary. In this case, there isn’t an exception to the rule. Without these basic security measures, you can forget about all the cool stuff with flashing lights and 42-inch monitors on the wall. However, basic security measures are ignored just as often as they are written about.
Two recent cases readily demonstrate how bad things can get, if you are not convinced already. One of these incidents happened at a university hospital in Germany. It would hardly be worth mentioning, as the world seems to have gotten used to ransomware. In any case, there are few headline reports of a company being paralyzed again somewhere due to encrypting malware. People are just paying the ransom and getting on with business. This did not work this time, because the ransomware cost a patient their life. An ambulance transporting a patient in need of emergency care was diverted due to the technical situation, and this duly proved too costly. In the end, the attackers backed down and revealed the decryption string. That’s hardly a happy ending, though. Ransomware attackers often extract data from their victims’ networks and threaten to publish it. Online medical records are likely to be very tricky indeed in terms of GDPR requirements.
Meanwhile, the cause of the attack has been investigated. Hackers must have exploited a known vulnerability in Citrix months ago, infiltrated the network and installed backdoors there. Whether this happened before or after the vulnerability was disclosed doesn't really matter. Almost every article points out that attackers can execute ANY code and that the patch is critical. Now there are always reasons why one patch is installed and another is not. Without understanding the hospital’s IT environment, including its information security management (ISMS) policy, it is inappropriate to point fingers. But it can be safely assumed that a few of the basic precautions such as patching, network segmentation and least privilege have most likely not been optimally handled. Although this is, once again, really nothing new.
How can this keep on happening? In 2020, everyone, including every supervisory board, managing director and director, has heard about the threats posed by cybercriminals. Compliance is a huge issue, and everyone is complaining about the complications it causes. There are plenty of security frameworks and millions of consultants that companies can refer to for guidance. Everyone, every company manager, needs to take the issue seriously and provide their IT department with the expertise and resources so that something like this does not happen again. At least not for such trivial reasons. One possible reason why things continue to go wrong is linked to the second noteworthy incident we will discuss here. It happened quite some time ago, four years to be precise. In August 2016, Leoni was the victim of a whaling attack, also known as BEC (Business Email Compromise) or CEO fraud. More than 40 million euros was transferred to the attackers. It seems there was a lack of security awareness among employees, not just the unfortunate person who made the transfer. By this time, the attackers already knew everything about the internal processes for such transactions, so the fraudulent transfer could hardly have been intercepted. But long before that, the attackers had to have had access to the network in order to get this information. Probably months before the attack, an employee had clicked somewhere in an email and helped the attackers gain access and do their reconnaissance.
However, this is relevant to the university hospital incident for another reason. Ultimately, managers are responsible for compliance and business practices. However, large companies take out so-called Directors & Officers (D&O) insurance policies for their managers, which are intended to cover cases such as CEO fraud. In this sense, managers are liable for their actions, but not at an unreasonable personal cost. This could be one reason why, despite all the appeals, lectures and constant pleadings of the IT security industry, far too many companies are still exposed to the attackers. The insurance will cover it.