The corporate world’s approach to cyber security is undergoing a complete rethink, explains ethical hacker Rik Ferguson
The corporate world’s approach to cyber security is undergoing a complete rethink in the face of an increasingly complex and dangerous threat landscape. This is according to Rik Ferguson, ethical hacker and vice president of Security Research at IT security firm Trend Micro.
In a coffee chat with Swiss Re Corporate Solutions’ CEO Andreas Berger and EMEA CEO Fred Kleiterp during Corporate Resilience Days, Ferguson said the time for “zero trust” architecture was upon us. This is due to a perfect storm, including the intensification of the ransomware epidemic, vulnerabilities introduced by new working environments and the expansion of attack vectors via new technologies, including 5G.
Large analyst companies such as Gartner and Forrester are urging enterprises to adopt zero trust approaches, Ferguson explained. “They are saying our traditional approach to security is fundamentally no longer fit for purpose and we have to change the way we do things.”
Zero trust, Ferguson explained, is exactly as it sounds. “It is about eliminating all trust. What it means is you are continuously authenticating and checking someone’s rights of access and rights to carry out actions on data and systems on an ongoing basis.”
Organisations cannot simply go out and buy an off-the-shelf “zero trust” security product. Instead, they must develop their own architecture based on those principles.
AI is essential in order to dynamically authenticate each and every user in a world where employees may be working remotely, on a multitude of different devices whilst at the same time requiring access to company systems and data.
“You have to take all those data sources and correlate between them and make intelligent choices on access. It’s a huge area of research and development and nobody yet is implementing it 100%, or even 50%,” said Ferguson. But they need to be, he insisted.
“The amount of data is growing exponentially faster and the only thing that will solve that problem is AI. It is a fundamental part of forward-looking security infrastructure.”
At the same time, firms should get back to basics, he said. Principles of “least privilege” and “need to know” can go a long way to improving security. This is where staff are only granted access to the data they need and are not permitted to change that information unless it is part of their job description.
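An added illustration (not code from the interview, from Ferguson or from Trend Micro) of how the two ideas above fit together in practice: an authorizer that re-checks session age, device posture and MFA on every request rather than only at login, and a need-to-know policy that denies by default and separates the right to read data from the right to change it. The roles, datasets and the 15-minute re-authentication window are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed need-to-know policy (placeholder roles and datasets):
# each role is granted only the datasets it needs, and "write" is
# listed only where changing the data is part of the job.
POLICY = {
    "claims_handler": {"claims": {"read", "write"}},
    "finance":        {"payroll": {"read", "write"}, "claims": {"read"}},
}

MAX_SESSION_AGE = 15 * 60  # assumed: re-authenticate every 15 minutes


@dataclass
class Request:
    user: str
    role: str
    dataset: str
    action: str            # "read" or "write"
    last_auth: float       # epoch seconds of the last strong authentication
    device_managed: bool   # device posture reported by the endpoint agent
    mfa_verified: bool     # MFA state of the current session


def authorize(req: Request, now: float) -> tuple[bool, str]:
    """Evaluate every request from scratch; nothing is trusted from a previous call."""
    # 1. Continuous authentication: a stale session is treated as unauthenticated.
    if now - req.last_auth > MAX_SESSION_AGE:
        return False, "re-authentication required"
    # 2. Device posture and MFA are checked per request, not once at login.
    if not req.device_managed:
        return False, "unmanaged device"
    if not req.mfa_verified:
        return False, "mfa not verified"
    # 3. Need to know / least privilege: default deny, explicit grants only.
    allowed = POLICY.get(req.role, {}).get(req.dataset, set())
    if req.action not in allowed:
        return False, f"{req.role} may not {req.action} {req.dataset}"
    return True, "allowed"


if __name__ == "__main__":
    now = 1_700_000_000.0
    r = Request("alice", "finance", "claims", "write", now - 60, True, True)
    print(authorize(r, now))  # finance can read claims but not change them
```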
Not if, but when
Ferguson explained how the ransomware threat had evolved in such a short space of time, resulting in double, triple and sometimes even quadruple extortion from cybercriminals who are always one step ahead.
It is very difficult to use traditional security measures to maintain resilience against such audacious attacks. He used the example of meat giant JBS in which the firm paid out a massive $11m to a ransomware gang.
“By the time they paid the ransom they had access to most of their systems and most of their data had been restored,” he said. “The leverage that worked on them was the threat of exposure of the data that had been stolen, and that wasn’t going to go away [unless they paid the ransom].”
In addition to a rich and evolving threat landscape, 5G will dramatically increase the attack surface, given that everything will have its own connection. This compounds new and emerging cyber risks.
Ferguson used the example of a smart city where scenario analysis is likely to consider the potential for smart lampposts to be compromised and used in a distributed denial of service (DDoS) attack. “But other things are going to be happening outside of your threat model,” he said. “You probably never thought, ‘my lampposts might be used to dial premium rate numbers’.”
“As we adopt these new technologies our threat model has to change and we have to be cognisant of what we don’t know, or what we don’t expect, and incorporate that into our models.”
There used to be an assumption that only nation-state actors had the capability and resources to compromise your network if they chose. But this perception has changed. When cybercriminals are able to demand $11m in ransom from a single victim, it shows the level of sophistication and resources that companies are up against, Ferguson warned.
Faced with such a threat, corporates have to up their game
“It is absolutely critical that you have the capability to recognise when a breach has happened, extremely rapidly, to mitigate the threats of that breach and carry out a thorough and effective investigation to identify ‘patient zero’,” he explained.
“You need to know, how did it get into your environment in the first place and identify the vulnerability that was exposed. Because you must close down those routes into your network.”