Imagine you are getting ready to commit a bank heist. You dress up in black and put on your Richard Nixon mask. You approach an area in the side alley, at night, where surveillance cameras don’t have a visual on a window. You grab your circle glass cutter and create an entrance. By stepping in, you have breached the bank. Glory and fortune are at your fingertips.
Reality is about to hit like a ton of bricks. Banks protect their assets by using a layered defense and the least privilege principle. Layers are often vaults within vaults. The area where tellers sit is more secure than the lobby, and the vault is somewhere behind the tellers. Under least privilege, employees only have access to the drawers, files and rooms necessary for their job. To prove identity, two keys from two different employees are needed to gain entry to the vault.
We have broken into a conference room and now it is time to steal. There are three leftover bottles of water, a can of coke and some note pads with logos on them. Not sure this is the big score, but let’s continue on. We leave this room and are in the lobby. There are tons of free pens, deposit slips and some office chairs. We take a pen and move on by jumping over the teller window wall. There are more chairs, notepads, pens and deposit slips.
Past the teller stations is the door of the vault – riches to be had once inside. It isn’t as easy to break open as in the movies because it has a complex lock. It is time to make a decision. First, you realize robbing a bank is super hard and that alarms are going off. So, you can keep trying and likely get caught, or run. By running you can find an easier target. Likely, we can steal something of more value than three bottles of water, a can of coke and some free pens.
What does this have to do with Ransomware?
Ransomware is a breach where hackers break into a network, find files critical to a business and encrypt them. The hacker finishes the breach by selling the victim a decryption key for a sum of money. This is a hot market and there are many tools to prevent these attacks. These tools are great and I’m an advocate for using them. They will not stop 100% of all attacks. You must start with a strong foundation of security.
Two fundamental security controls, least privilege access and multi-factor authentication, are the first step. These are well documented in the SANS CSC 20. They are referenced in regulations and standards such as PCI, SOX, NIST, NERC… Unfortunately, these controls are often an afterthought and a point of failure within security audits.
In the failed bank heist, a layered defense zone along with least privilege defends the bank. In a physical security scenario this makes perfect sense — we see this used every day. These concepts apply when building a secure network to protect from attacks like ransomware.
Hackers start with the easiest point of entry. Instead of a glass window, they target a username and password. Verizon’s 2016 Data Breach Investigations Report states that 63% of breaches involved weak, stolen or default passwords. Once inside, a hacker tries to gain access to the main vault, which is a business critical data store.
The bank instituted security zones limiting how much access a person has between areas. A hacker breaks in with a privileged user account to gain access to an entire server. These could be accounts like a network admin, a VP account or a local domain account. Much like the bank lobby is not open to the bank vault, a user should not have full access to a server. To solve this, enforce least privilege access. Give only the level of access necessary for a user’s job function. If a hacker breaks in, they only have a limited set of commands to execute. Like breaking into the lobby or a single safe deposit box, there is not a ton of value.
To secure who has access, multi-factor authentication is needed. This proves the identity of the person trying to gain entry. During the bank heist we mentioned using two keys to enter the vault. This gives the greatest possibility of proving the identity of who is trying to enter. In the digital world, multi-factor authentication accomplishes this. An example is sending a text or push notification to the account owner’s cell phone and requiring a response before granting access. This blocks the hacker from using a weak or stolen credential. Without physical possession of the cell phone, access is denied.
Least privilege access and multi-factor authentication make it difficult to breach a network, or to do much if entry is made. This will in no way stop hackers from trying, just like robbers will always try to break into banks. It will make entry hard through the use of basic and fundamental security controls. Giving up and moving on becomes a better and easier alternative. Advanced security tools are still needed, but sound fundamentals reduce risk and decrease the likelihood of future attacks. Least privilege access and multi-factor authentication should be the first steps to build or re-build a secure network.
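The two controls described above (the "two keys" second factor and the lobby-versus-vault access zones) can be shown in code. The following is an added example, not code from the original post or from any product it links to: a login that requires both a password and a time-based one-time code (TOTP, RFC 6238, the same mechanism behind most authenticator apps), followed by a deny-by-default permission check so that a logged-in account can only run the commands its role needs. The user store, role names, permission pairs and the password are constructed for the demo; the TOTP secret is the RFC 6238 test-vector key.

```python
"""
Added example: password + TOTP second factor, then a deny-by-default
permission check. Users, roles and permissions below are constructed.
"""
import hashlib
import hmac
import os
import struct
import time

# --- Multi-factor authentication: a TOTP (RFC 6238) second factor ---------

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HMAC-SHA1 over the current time step,
    dynamically truncated as in RFC 4226. Only the holder of `secret`
    (the enrolled phone) can produce the current code."""
    counter = int(now) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, now: float,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` neighbours to tolerate
    clock skew; compare in constant time so timing does not leak matches."""
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + delta * step, step), code):
            return True
    return False

# --- Password factor: salted PBKDF2, never the plaintext -------------------

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {  # constructed demo store; a real system uses a directory service
    "teller1": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector key
        "role": "teller",
    },
}

def login(username: str, password: str, code: str, now: float = None):
    """Return the account's role on success, None on any failure. Both
    factors are always evaluated so a bad password does not short-circuit."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return None
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], code, now)
    return user["role"] if (pw_ok and otp_ok) else None

# --- Least privilege: deny-by-default permission matrix --------------------
# Each role lists exactly the (action, resource) pairs its job requires;
# the teller can work the drawer but never open the vault or touch servers.
PERMISSIONS = {
    "teller": {("read", "customer_balance"), ("write", "cash_drawer")},
    "vault_officer": {("read", "vault_inventory"), ("open", "vault")},
    "admin": {("restart", "server")},
}

def authorize(role: str, action: str, resource: str) -> bool:
    """Anything not explicitly granted is denied, including unknown roles."""
    return (action, resource) in PERMISSIONS.get(role, set())

if __name__ == "__main__":
    secret = USERS["teller1"]["totp_secret"]
    # A stolen password alone fails without the code from the enrolled phone.
    print(login("teller1", "correct horse battery staple", "000000"))
    role = login("teller1", "correct horse battery staple", totp(secret, time.time()))
    print(role, authorize(role, "read", "customer_balance"), authorize(role, "open", "vault"))
```

The design point is that each control fails closed: a wrong or missing second factor rejects the login even with the correct password, and a compromised teller session still cannot reach the "vault" because the permission set, not the absence of a rule, decides what is allowed.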