Zero Trust doesn’t have to be a heavy lift

Zero Trust is very effective. And it’s recommended by pretty much every agency in the world right now as the only way we can fight against organized cybercrime and nation-states.

Organizations should adopt zero-trust architectures that provide applications, users and services with the absolute minimum level of access needed to carry out job functions.

Applications and programs running on a device typically have access to every piece of data the user has access to even if the user isn’t a local administrator. Taking trust away from users, applications and networks is the only way businesses can prevent or minimize damage in the event of a cyberattack.

Our solution tested about 90 pieces of ransomware and found that none of them needed local admin privileges to run and all were able to see the data and network shares that users could view. The people trying to exploit these vulnerabilities aren’t schoolyard bullies anymore, They are big, organized organizations, and they don’t care if you’ve only got 10 employees … They will go after you for your money because as long as you have money in your bank account, or your customers have money, they will attack your systems, and they do that every day.

Zero trust needs to be applied comprehensively across an organization from entry-level employees to the CEO if it’s going to be effective. For instance, if an organization’s CEO never runs payroll, then he or she shouldn’t have access to payroll data. Implementing least privilege policies minimizes the amount of damage that can be inflicted during a cyberattack. At an application level, this means that organizations should block everything by default and only allow what the company needs to run.

Businesses can roll out an agent to block applications, learn what’s in their systems and put a set of policies in place that determines how specific applications are treated. Given that there are thousands of vulnerable applications out there, it’s best to block by default. If you block everything and allow only what you need, you’re in a far better position than those who are looking at everything to determine if it’s bad, Blocking everything doesn’t have to be difficult.

Organizations can reduce trust even further by embracing ringfencing, which limits the ability of applications to communicate with one another if there’s no legitimate business purpose for them to do so. For instance, a user might need to run both Microsoft Office and PowerShell on their computer, but there’s no legitimate reason Microsoft Office would ever need to talk with PowerShell.

Ringfencing is very effective in stopping Office vulnerabilities from calling PowerShell and also stopped SolarWinds Orion from reaching out to malicious sites after the Russian foreign intelligence service (SVR) exploited a flaw in the network monitoring tool. The SolarWinds vulnerability needed to get instructions from an Amazon Web Services server to execute, but ringfencing stopped Orion from contacting the AWS server.

If or when an application gets compromised, the amount of damage caused is massively limited and potentially completely foiled, taking away applications’ abilities to do things can stop cyber breaches even if you don’t think about how.  Organizations often allow every application to access a user’s files or network share even though only a very small number of applications actually need this level of access. For instance, PowerShell rarely needs to see network shares, and in the select cases it does, it’s usually a single share for a single purpose. It’s therefore best to take away the ability of applications to access data when it’s not needed. Zero Trust is not, Do I trust QuickBooks or not? Zero Trust asks does QuickBooks need to see anything but the QuickBooks database? Then when it utimately get compromised, your cyber damage is limited.

Even though malware and ransomware don’t need local admin rights to run, unnecessary admin permissions should still be taken away to minimize the damage users can cause. A user with admin privileges can break the operating system, mess around with the kernel and change things at the operating system level. A user might need admin permissions to update their QuickBooks once a month, but that can also be accomplished by implementing elevation that allows only QuickBooks to run as an admin while being ringfenced so that it can’t talk to other applications. This approach ensures a user has admin-level access only to QuickBooks and not other applications like Office and PowerShell where the stakes are higher. Taking away these privileges is going to harden your environment.

Interested in learning more about how Healthcare Practice IT can help you stay better protected against ransomware?

Why not schedule some time with Andy Roe, www.calendly.com/AndyRoe