“The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services…” – signed on 21st May 2021, Biden’s Executive Order sounds like one of our security blogs. Why has even the President of the United States started talking about multi-factor authentication (MFA) and Zero Trust?
The Colonial Pipeline Attack
The largest refined oil pipeline in the US was taken down by ransomware in May. Colonial Pipeline, which provides over 40% of the East Coast’s fuel, shut down its operations for the first time in its fifty-seven-year history as a result of the attack. Hackers obtained a password – yes, just a single password - to access a virtual private network account. Without multi-factor authentication, the hackers could breach the network using just a username and password. This is a pipeline transporting 450 million litres of fuel daily and they were forced to halt operations for 6 days because basic security hygiene had not been enforced.
Multi-factor authentication requires users to provide at least two pieces of evidence to verify their identity. For example, a password, face recognition, fingerprint, a mobile phone. Google have recently announced plans to make MFA the default for account holders to protect user accounts. Is your company prioritising its security yet? If so, are you applying a Zero Trust approach?
Where does MFA fit into Zero Trust?
Multi-factor authentication is a key step in your Zero Trust and defence-in-depth journey as it adds a layer of access security by requiring more than just a password (we are looking at you, Colonial Pipeline…). A Zero Trust journey consists of several building blocks with an aim to determine who a user is and the context in which they want access. MFA is one building block, providing proof of identity, and another is dynamic authorisation policies, which take context, such as location and time, into account. This has become essential with remote working and bring-your-own-device (BYOD).
Biden’s Executive Order describes Zero Trust Architecture (ZTA) as allowing users “full access but only to the bare minimum they need to perform their jobs” and that the ZTA security model “assumes that a breach is inevitable or has likely already occurred”. Big headlines like the Colonial Pipeline attack make it easy to forget that ransomware is prevalent for much smaller companies too. It is increasingly critical for organisations of all sizes and industries to take this approach rather than assume it will not be them.
True or False: Only large corporations with lots of money get hacked
DarkSide, the ransomware group linked to the Colonial Pipeline attack, are an organisation providing subscription-based ransomware-as-a-service software. They operate like a business, providing technical support for their clients. Affiliates at groups like DarkSide scan organisations for vulnerabilities and select the high-value ones to hack. However, not all affiliates of these groups are aiming big: there are those only looking to gain thousands rather than millions of dollars. Even small companies or “unlikely” industries, such as manufacturing, need to be aware of their status as a potential victim.
How to defend your company
Statistics from a CyberEdge Group report of 1,200 IT security professionals show that, in 2020, 62% of organisations were affected by ransomware. 67% of those who paid the ransom recovered their data, compared to 85% of those who did not pay. This means you are more likely to rescue stolen data if you do not pay ransom. Interesting statistics, but how about avoiding the ransom altogether?
The stakeholders in your organisation need to place high importance on security and a defence strategy. Your CISO, your CEO, your CFO – everyone should be talking about how to improve defences. When your organisation shifts to a prioritisation of security, you might need a trusted expert to advise you on your journey. Whatever step of the journey, organisations need to be viewing cyber security as seriously as President Biden. Get in touch today if you are concerned about your organisation and would like to start a conversation about your security journey with our expert team.