Zero Trust Architecture: No Firewalls or VPNs
Also: Ransomware Trends; Revisiting the Travelex Cyberattack
The latest edition of the ISMG Security Report describes why firewalls and VPNs don't belong in Zero Trust design. It also discusses cybercriminals' evolving ransomware tactics and the devastating price of responding to a ransomware attack, as experienced by Travelex in 2019.
In this report, you'll hear:
- Zscaler CEO Jay Chaudhry on what constitutes true Zero Trust architecture;
- Attorney Lisa Sotto of Hunton Andrews Kurth LLP describe the ransomware trends to beware of;
- ISMG's Jeremy Kirk share a taster of episode 8 of "The Ransomware Files," which focuses on the ransomware attack that struck global currency exchange and remittance company Travelex on New Year's Eve 2019.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the June 16 and June 23 editions, which respectively discuss highlights of RSA Conference 2022 and how the Conti ransomware gang retooled after backing Moscow in the Russia-Ukraine war.
Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.
Anna Delaney: How to distinguish true zero trust from imposters, and the ransomware trends worth paying attention to now: These stories and more on this week's ISMG Security Report.
Hello, I'm Anna Delaney. There's a lot of confusion in the market around what constitutes zero trust architecture. And with so many vendors pushing zero trust solutions, what questions should customers be asking them to evaluate the efficacy of their offerings? This is the last question Michael Novinson, managing editor for ISMG Business, asked Jay Chaudhry, founder, chairman and CEO of Zscaler, at RSA Conference last month. Here's Chaudhry:
Jay Chaudhry: It is unfortunate that when a new technology becomes popular, every legacy vendor, which is worried about getting disrupted, embraces it. Zero trust architecture was created to move away from legacy firewall and VPN-based architecture. Unfortunately, every firewall and VPN company is calling themselves zero trust and some of them call themselves zero trust 2.0 and zero trust 3.0, so here is the foundational stuff. In zero trust architecture, you don't connect users to the network but to the application. That's the number one question to ask. If you connect to an application, not the network, there's no lateral threat movement, which means bad guys can get on the network and find all kinds of stuff. Number two is: are your applications hidden behind the zero trust architecture, so they can't be seen from the intranet? If they can't be seen, they cannot be discovered and attacked. This is the opposite of firewall and VPN-centric architecture. It depends upon identity as the starting point. A policy engine, which is like a switchboard, connects the right user to the right applications. It's a straightforward architecture, but it has to be built from a clean slate. It's almost like there were traditional internal combustion engine cars. They got better, but more complex, then Tesla came with an electric engine that's very simple and powerful. It's a change of architecture. In the same way, security and network architecture is changing from roundtable network to zero trust, where you trust no one.
(Transition Ad: You are listening to the ISMG Security Report on ISMG Radio. ISMG - Your number one source for information security news.)
Delaney: Ransomware remains one of the biggest threats facing security leaders and organizations in 2022. And the criminals keep evolving their tactics. On a recent episode of ISMG's Proof of Concept, attorney Lisa Sotto of Hunton Andrews Kurth LLP shared the ransomware trends that businesses should be paying attention to now.
Lisa Sotto: It was a slow start to the year for the ransomware actors. So that was a surprise, but they are back in full force. There is no stopping that train. There are now reportedly more than 60 ransomware collectives and they are wreaking havoc as they have always done. We're seeing some bigger demands; the demands used to be one to five million, now we're seeing some that are 10 million and sometimes much higher than that. And they're not negotiating down as much as they used to. They used to be able to negotiate significant discounts, but now there seems to be less willingness to do that. I'll also note another disturbing trend, which is that the threat actors are now contacting third parties. So, they're not only contacting the company that has been hit, but they're also looking through the data and finding customers, or business or service providers whose data is in the mix, and they're contacting them. Of course, that increases the leverage that they have and forces the hand of the ransom party to go ahead and pay. Also note, on the other side of the scale, we now have an active federal government with respect to ransomware. So, we saw the passage of the strengthening of the American Cybersecurity Act, which will require critical infrastructure that is not in place yet. It will require a 72-hour notice obligation when an attack has occurred. Then when you pay ransom, you need to notify within 24 hours of doing so. We now have 24-hour reporting obligations for pipelines and for surface transportation, and we have a proposed SEC rule that would require a notice within four business days to the world as a disclosure obligation.
Delaney: And finally, managing editor of security and technology Jeremy Kirk has released another fantastic episode of The Ransomware Files, which centers around the 2019 ransomware attack that struck global currency exchange and remittance company Travelex. The story tells of how social media, a frantic incident response and stress contributed to a nearly tragic health outcome. Here's a taster of the podcast.
Jeremy Kirk: Ransomware struck global currency exchange company Travelex on New Year's Eve 2019. Security architect Don Gibson was DJing at a friend's place when the first alerts came in.
Don Gibson: We reached out to noticing it in the evening.
Kirk: Don's name became publicly linked with the Travelex ransomware incident and the attention was completely undesired.
Gibson: I, personally, went through so much because all of a sudden there's a name to this and it's my name. I'm getting doorstepped by the press and I don't need that on top of this. I'm already in a bad place because the company I'm working for is in trouble, and I'm trying to fix it.
Kirk: Travelex was infected with the REvil ransomware, which was created by one of the most prolific and profitable ransomware gangs. The attack had a vast effect on Travelex, which, combined with the COVID-19 pandemic's effects, went into administration later that year. At least 1,300 people in the U.K. ended up losing their jobs. The company, however, is still around today after having completed a restructuring. For Don, that night started a turbulent period that lasted throughout the rest of the year. His story is one of how social media, a frantic incident response and stress contributed to a nearly tragic health outcome. He went from IR, or incident response, to the ER, the hospital's emergency room.
Gibson: Basically, my heart started messing around.
Kirk: Travelex's experience has left a lasting impression on him. He speaks at conferences about the importance of taking mental and physical health into account not only for CISOs, but for anyone on a security team. Don himself is neurodiverse and everyone has different thresholds for stress.
Gibson: It's a tough place to be. When the brown stuff hits the revolving objects, it's a lonely place to be. You have people in ivory towers throwing up, trying to liaise between NCSC, the police, incident response teams, your boards, etc. There's a lot going on, and health quickly slips to the bottom of that list. You're running on adrenaline.
Kirk: There's more to this story in episode eight of The Ransomware Files podcast. You can check it out on Apple, Spotify and other podcasting platforms as well as on ISMG websites. For Information Security Media Group, I'm Jeremy Kirk.
Delaney: That's it from the ISMG Security Report. I am Anna Delaney. Until next time!