As a major shift in the global geopolitical balance, Russia’s invasion of Ukraine has many dimensions, including militaristic, political, legal, cultural, and economic.
We should add the cybersecurity dimension to this list. Particularly as it pertains to Russian attempts to conduct cyberattacks against Ukrainian institutions, nations overtly supporting Ukraine, and major organizations based in those nations.
Consider, for instance, the recent alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerting the world that Russia has begun deploying destructive malware attacking Ukraine-based organizations. At least two forms of this malware, WhisperGate and HermeticWiper, were designed to render targeted devices inoperable and critical services nonfunctional, not just to collect information or orchestrate a ransomware campaign.
Another CISA alert warned that cybercriminals sponsored by Russia are leveraging default multi-factor authentication (MFA) protocols in combination with a Windows print spooler vulnerability to gain access to sensitive resources, networks, and cloud storage. This particular class of attack does not appear to be limited to targets in Ukraine.
On March 21, President Biden cautioned the American public and private sectors of escalating Russian cyberattacks against the U.S. “The more Putin’s back is against the wall, the greater the severity of the tactics he may employ,” he said. “One of the tools he’s most likely to use in our view is cyberattacks.” The president urged U.S.-based organizations to “harden [their] cyber defenses immediately.”
Toward that end, we suggest IT and business leaders begin considering how their security strategies and architectures are implemented at the most basic level. The goal should be to shift from a traditional perimeter-centric approach, in which the organization is essentially a castle (or hub) to be protected from external attacks, to a modern approach in which all network connections require rigorous authentication/validation, regardless of their logical or physical origin, nature or purpose, or the entities involved.
This setup, conventionally known as a zero trust architecture, always assumes a network connection is untrustworthy until identities and access rights are formally confirmed. It goes far beyond MFA; while MFA is certainly an improvement over past access methodologies like single passwords, MFA can be compromised as well (as the second CISA alert discussed above demonstrates).
Organizations interested in “hardening their cyber defenses,” in accordance with President Biden’s advocacy – not just against potential Russian attacks, but attacks of all types originating from all sources – may find that the most efficient and effective means available lies in implementing a zero trust architecture.
Beyond considering zero trust writ large, we suggest a number of specific key principles. In our experience, best results stem from developing the security architecture to include and support the following:
- Device/location agnosticism – Since users can and will access organizational data, applications, and services from multiple devices, in multiple locations, the security strategy must apply to them all in all cases. No longer can network connections be presumed safe simply because they are operating behind a firewall, or because they involve an IT-assigned asset.
- Universal end-to-end encryption – Transactions should always leverage rigorous encryption to safeguard not only credentials but also transmitted data, network resources, and other key information that might be valuable to attackers.
- Rigorous MFA – Security certificates on all devices represent a particularly effective form of MFA, superior to any implementation that requires a password plus a code texted to a mobile device.
- Microtunnels – These limit authenticated users’ access to only necessary applications, services, and databases instead of granting access to an entire network or subnetwork and all its resources.
- Application access policies – These determine which users get access to which applications and which access privileges apply.
- Risk assessment – It’s important to establish the estimated risk involved in a given network transaction based on key variables like the user’s risk score, the user’s logical and/or physical location, the device used for access, the amount and type of data involved, and other factors.
- Inline content inspection – Using this capability, which can apply even to encrypted content in certain cases, organizations can determine what kind of content is being transmitted in a network transaction, whether it’s unusually sensitive or valuable, and what policy-driven action to take, if necessary.
- Support for external cloud services – Today, third-party cloud services from players like Google, Salesforce, Microsoft, and Amazon play a large and swiftly growing role for many everyday users. The means by which these services are supported must also be secured so attacks originating from them cannot act as a foothold for hackers or malware to expand malicious operations.
- Reduced or eliminated attack surface – By using a trusted security partner as a buffer, organizations can shield organizational resources from the public Internet. This makes them invisible to external attacks while also empowering remote users to leverage the internet as a secure and convenient means of access.
It’s an industry truism that no security strategy is perfect. Weaknesses of one type or another will always exist.
However, by implementing and integrating zero trust techniques, organizations can dramatically fortify their operations against the complete array of possible threats — hackers, malware, criminal organizations, state-sponsored organizations, and even trusted insiders abusing network privileges.
The faster and more comprehensive their implementation, the better protected organizations will be, and the better the business outcomes they’re likely to experience.
What to read next
Zero trust as a framework for fighting back against cyberwarfare
Fed agencies must empower CISOs as clock ticks to designate zero trust leads