
To Fend Off Ransomware Attacks, Stop Permissions Sprawl

Cybersecurity teams have been grappling with a whirlwind of shields-up alerts and high-profile breaches over the last several months. Between daily warnings from the White House, FBI and the Cybersecurity and Infrastructure Security Agency (CISA), the declaration from President Biden that the Russian government was exploring options for “potential cyber attacks,” plus breaches affecting Nvidia, Microsoft and Okta, cyber professionals today are on the highest alert against growing threats looming overhead. It’s led to Biden’s plans to increase cybersecurity funding for civilian government agencies by 11 percent from last year and has emphasized the current vulnerabilities still plaguing the nation today.

But as the U.S. addresses this and bolsters its defenses, it will be especially important that not just those at the federal level, but also the state and local levels, take these threats seriously and ensure proper precautions are in place that protect governments from growing attacks.

Over the years, cities like Atlanta, Baltimore, New Orleans and others have succumbed to ransomware attacks that resulted in stolen data, pushed essential services offline and cost millions of dollars paid in ransoms. Others have fallen victim to more sinister and life-threatening motives; case in point: a Florida incident where a group attempted to poison the water supply by remotely tampering with the treatment chemicals.

Whatever the reason — be it access to intelligence, strategic interruptions to critical functions and economic drivers, or straight financial gain — state and local governments are often viewed as “soft” targets for malicious actors to exploit and therefore are primed for cyber warfare including ransomware, malware and spear phishing. It’s also no secret why these attacks have occurred and continue to occur: Often reliant on legacy applications and systems dating back 40-plus years, state and local government technology is fraught with vulnerabilities that give cyber criminals plenty of access points to probe for entry. Not to mention that the majority are up against tight resources, a lack of technical knowledge and budget constraints that limit their ability to improve and innovate their IT security and fix these issues quickly and effectively.

According to SolarWinds, external threats now overshadow internal ones as the greatest concern for the public sector overall for the first time in five years, and this becomes even more plausible today as current events unfold across the world.

More and more government officials have started to drive real action against this. Colorado Gov. Jared Polis set a bill in motion last summer that would create a cyber-focused council and increase security measures overall. New York Gov. Kathy Hochul announced that the state would beef up its cyber defenses in anticipation of possible cyber attacks, especially to help protect the financial, health care, energy and transportation industries that make New York such an attractive target to foreign adversaries. This included a $62 million fund, nearly double the amount allocated last year. And other states have followed or will follow suit.

Although these moves are certainly solid steps in the right direction to fortify cyber protections, it will be especially critical for any state or local organization from here on out to ensure its funds and efforts prioritize prevention initiatives that significantly strengthen its security posture altogether.

As part of this, one of the biggest factors that leaders need to consider and address is that their unprotected attack surfaces are currently most vulnerable to breaches. The majority of attacks today leverage privileged (or admin) account sprawl to gain a toehold on a system. From there, it’s a cinch for hackers to elevate their privileges and move laterally to find the “crown jewels” or key information within the networks.

Lateral movement — or the movement from one system to another using compromised administrator credentials — is typically difficult to detect because it blends in with normal network traffic and because peer systems that share the same admin accounts implicitly trust one another. That is why it’s the culprit in more than 74 percent of breaches today and was the reason for the massive cyber attack that took down the Ukrainian government’s websites. But it is preventable, so long as organizations have the right frameworks in place to stop it.

To do so, government security leaders must assess their privilege sprawl, determining who has “standing privilege,” or 24/7/365 access to networks. While standing privilege might seem like a headache to eliminate, it gives attackers an easy way to compromise the credentials of not just one end user, but an entire IT staff within minutes, if not seconds.

Instead of standing privileged access, “just in time” access should be implemented. Bolstered by multifactor authentication (MFA), an organization can now selectively elevate privileges to the specific system that requires attention, only when the administration is needed, and for an allotted amount of time necessary to complete the task. This is a simple, elegant way of stopping lateral movement should a breach occur, all without causing friction for legitimate administrators.
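An added example, not part of the original article: a small Python model of the privilege-sprawl assessment and the just-in-time scheme described above, comparing how far one compromised host exposes the network under each. The host and account names, the inventory, the timestamp and the `blast_radius` and `JitGrants` names are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory: host -> accounts with standing (always-on) local admin.
STANDING_ADMINS = {
    "ws-clerk-01": {"helpdesk-adm", "alice-adm"},
    "ws-clerk-02": {"helpdesk-adm"},
    "db-records": {"helpdesk-adm", "dba-adm"},
    "scada-hmi": {"dba-adm"},
    "dc-01": {"domain-adm"},
}

def blast_radius(inventory, first_host):
    """Hosts exposed if first_host is compromised and every admin account
    valid on a compromised host is assumed reusable on its other hosts."""
    reached, creds, frontier = {first_host}, set(), [first_host]
    while frontier:
        new_creds = inventory[frontier.pop()] - creds
        creds |= new_creds
        for host, admins in inventory.items():
            if host not in reached and admins & new_creds:
                reached.add(host)
                frontier.append(host)
    return reached

class JitGrants:
    """Just-in-time model: no standing admin; each grant is MFA-gated,
    scoped to one host, and expires on its own."""
    def __init__(self, hosts):
        self.hosts = list(hosts)
        self._grants = {}  # (account, host) -> expiry time

    def elevate(self, account, host, mfa_ok, minutes, now):
        if not mfa_ok or host not in self.hosts:
            return False  # no MFA (or unknown host), no elevation
        self._grants[(account, host)] = now + timedelta(minutes=minutes)
        return True

    def inventory(self, now):
        """Same shape as STANDING_ADMINS, but only unexpired grants count."""
        inv = {h: set() for h in self.hosts}
        for (account, host), expiry in self._grants.items():
            if now < expiry:
                inv[host].add(account)
        return inv

T0 = datetime(2022, 4, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
jit = JitGrants(STANDING_ADMINS)
jit.elevate("helpdesk-adm", "ws-clerk-02", mfa_ok=True, minutes=30, now=T0)
```

With the standing inventory, a compromise of `ws-clerk-02` exposes four of the five hosts through the shared `helpdesk-adm` and `dba-adm` accounts; with the single 30-minute grant, the same compromise stays on that one workstation.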

While defensive cybersecurity tactics are undoubtedly key to mitigating the impact of an attack, any organization that has yet to address their large attack surface due to standing privileges is at serious risk and it will only be a matter of time before their systems are compromised, whether due to the geopolitical tensions of today or from another event in the future. By addressing privilege sprawl head on, state, local and even federal agencies across the board can be better positioned to avoid disaster if and when the attacker strikes.

Tim Keeler is co-founder and CEO of Remediant and a trusted security adviser who helps defend public and private organizations from corporate espionage attacks via state-sponsored agencies and organized cyber crime groups. Prior to Remediant, Tim led the security incident response team at Genentech and Roche, and was a security consultant for organizations like UCSF and Gilead Sciences. Tim holds U.S. Department of Defense Level 3 8750 IAT and 8750 IAM Management certifications; Computer Hacking Forensic Investigator (CHFI) from EC Council and a certification as a Certified Computer Forensics Examiner (CCFE) from IACRB.
