
CYBER SECURITY CONSULTING SERVICE AWARDS AND RECOGNITIONS

CyberSecOp's comprehensive managed security services, cyber security consulting, professional services, and data protection technology are recognized as industry-leading threat detection and response solutions by major analyst firms, key media outlets, and others.

CyberSecOp Cybersecurity & Breach News

Ransomware Protection with Zero Trust Security

Zero Trust Security Architecture: Why is the Zero Trust Security Model important?

Endpoints represent the most significant attack surface, according to IDC, with over 70% of breaches originating on the endpoint. Organizations have a diverse mix of endpoints connected to their network, whether laptops, mobile devices, servers, firewalls, wireless hotspots, or IoT devices. Zero-trust architecture works to ensure that users, devices and network traffic are all verified and subjected to least-privilege rules when accessing trusted resources. This way, compromised assets are limited in their scope and an attacker is prevented from moving laterally across the network.

With the rise of remote endpoints and high-profile ransomware attacks, businesses face more cybersecurity threats than ever before. Traditional network security models, which assume that users and computing devices inside the “trusted” network are free from compromise, can no longer secure organizations. Businesses are also now recognizing that attacks are more sophisticated and that internal networks are no longer more trustworthy than what lies outside the firewall. CyberSecOp and the security community recognize that Zero Trust security is the ultimate protection against ransomware.

Zero Trust Security Optimization

The Zero Trust Network (ZTN) concept follows the mantra of never trust, always verify. Through this approach, organizations can reduce their open attack surface and adopt enhanced security capabilities beyond traditional defenses. Zero Trust enables organizations to reduce the risk of their cloud and container deployments while also improving governance and compliance. Organizations can gain insight into users and devices while identifying threats and maintaining control across a network.

Traditional – manual configurations and attribute assignment, static security policies, least-function established at provisioning, proprietary and inflexible policy enforcement, manual incident response, and mitigation capability.

Advanced – some cross-solution coordination, centralized visibility, centralized identity control, policy enforcement based on cross-solution inputs and outputs, some incident response to pre-defined mitigations, some least-privilege changes based on posture assessments.

Optimal – fully automated assigning of attributes to assets and resources, dynamic policies based on automated/observed triggers, assets have dynamic least-privilege access (within thresholds), alignment with open standards for cross-pillar interoperability, centralized visibility with retention for historical review.
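The "never trust, always verify" decision described above can be made concrete in a few lines. The following is an added example (not CyberSecOp code or any product's policy engine): every request is checked on identity, MFA, device posture and a least-privilege entitlement table, and the network the request arrives from is deliberately not a factor. The resources, groups, and the 15-minute posture-freshness threshold are hypothetical values chosen for the illustration.

```python
from dataclasses import dataclass

# Added example (not CyberSecOp code): a minimal zero-trust access decision.
# Every request is checked on identity, MFA, device posture and least-privilege
# entitlement; the network the request comes from is deliberately ignored.

@dataclass
class AccessRequest:
    user: str
    groups: frozenset        # group memberships from the identity provider
    mfa_verified: bool       # strong authentication completed this session
    device_managed: bool     # device enrolled in endpoint management
    device_patched: bool     # posture check: no critical patches missing
    posture_age_min: int     # minutes since the last posture check
    source_network: str      # "corp" or "internet"; never used for trust
    resource: str
    action: str

# Hypothetical least-privilege entitlements: resource -> the one group that
# may use it and the actions that group may perform.
ENTITLEMENTS = {
    "hr-db": {"group": "hr", "actions": {"read"}},
    "build-server": {"group": "engineering", "actions": {"read", "write"}},
}
MAX_POSTURE_AGE_MIN = 15   # continuous verification: posture must be fresh

def decide(req: AccessRequest):
    """Return (allowed, reasons). Any failed check denies; reasons lists every failure."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_required")
    if not req.device_managed:
        reasons.append("unmanaged_device")
    if not req.device_patched:
        reasons.append("device_missing_patches")
    if req.posture_age_min > MAX_POSTURE_AGE_MIN:
        reasons.append("posture_check_stale")
    rule = ENTITLEMENTS.get(req.resource)
    if rule is None:
        reasons.append("unknown_resource")
    elif rule["group"] not in req.groups:
        reasons.append("not_entitled")        # this is what limits lateral movement
    elif req.action not in rule["actions"]:
        reasons.append("action_not_permitted")
    return (not reasons, reasons)

if __name__ == "__main__":
    # A verified engineer on a healthy device, coming from the public internet, is allowed...
    ok = AccessRequest("alice", frozenset({"engineering"}), True, True, True, 5,
                       "internet", "build-server", "write")
    # ...while an unpatched, stale device inside the "trusted" LAN asking for HR data is not.
    bad = AccessRequest("bob", frozenset({"engineering"}), True, True, False, 120,
                        "corp", "hr-db", "read")
    print(decide(ok))
    print(decide(bad))
```

Note that the second request is denied for three independent reasons; returning all of them rather than the first one found is what lets an administrator see posture problems and entitlement problems side by side.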

10 Ransomware Prevention Best Practices

CyberSecOp Managed Zero Trust security services were built with a new approach that creates zero-trust connections between users and applications directly to solve this unique challenge. As a scalable, cloud-native platform, it enables digital transformation by securely connecting users, devices, and applications anywhere, without relying on network-wide access. This platform is delivered by five key architecture attributes, unique to the CyberSecOp Managed Zero Trust Security services, that together enable organizations to provide strong security and a great user experience to their employees and customers.

Below are 10 best practices to help security professionals improve endpoint management:

  1. Multi-Factor Authentication (MFA) is an electronic authentication method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism.

  2. Email security is critical because 74% of organizations in the United States experienced a successful phishing attack. Implementing an email security gateway, DMARC, SPF, DKIM, stronger encryption, and MFA can reduce email compromise by over 98%.

  3. CyberSecOp endpoint management solution that supports application isolation and containment technology is a form of zero-trust endpoint security. Instead of detecting or reacting to threats, it enforces controls that block and restrain harmful actions to prevent compromise. Application containment is used to block harmful file and memory actions on other apps on the endpoint. Application isolation is used to prevent other endpoint processes from altering or stealing from an isolated app or resources. This can prevent ransomware from being deployed on devices.

  4. The CyberSecOp endpoint management solution supports Protective DNS Service (PDNS), a service that provides Domain Name Service (DNS) protection (also known as DNS filtering) by blacklisting dangerous sites and filtering out unwanted content. It can also help to detect and prevent malware that uses DNS, such as URLs in phishing emails and hidden tunnels used to communicate with attackers' command and control servers.

  5. CyberSecOp endpoint management solution supports bandwidth throttling so that remote endpoints can be continuously patched and secured rather than having to periodically send IT resources to remote locations. Our solution delivers patch management over the internet without requiring corporate network access. This ensures that internet-facing systems are patched in a proactive, timely manner rather than IT having to wait for these devices to visit the corporate network before they can be scanned and remediated.

  6. CyberSecOp endpoint management reduces administrative overhead of endpoint management solutions to accommodate tight budgets and future growth. Our solutions support many endpoints using a single management system.

  7. Consolidate endpoint management tools. Use a single tool to patch systems across Windows, Mac and variations of Unix operating systems to simplify administration, minimize the number of open network ports, and reduce the number of active agents on endpoints.

  8. Validate that the endpoint management solution provides accurate, real-time endpoint data and reports. End users make changes to endpoints all the time and information that is hours or days old may not reflect a current attack surface.

  9. CyberSecOp endpoint management allows administrators to apply patches that address the highest levels of risk first based on current endpoint status. This gives the biggest impact from remediation efforts.

  10. Make sure the endpoint management solution enforces regulatory and corporate compliance policies on all endpoints constantly to avoid unintended drift and introduction of new vulnerabilities.
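Item 2 above names SPF, DKIM and DMARC as email controls; what matters in practice is not just that the records exist but how strong they are. The following is an added example, not CyberSecOp code: it takes TXT records (constructed inline here in place of real DNS lookups, for two hypothetical domains) and reports the weaknesses a reviewer would look for: a missing or permissive `all` mechanism in SPF, too many DNS lookups, a DMARC policy of `p=none` or with no reporting address, and a DKIM selector whose public key has been emptied. DKIM can only be checked if you know the selector name, which is why `assess` takes one.

```python
import re

# Constructed TXT records standing in for DNS lookups (hypothetical domains,
# placeholder key material). Added example, not CyberSecOp code.
TXT = {
    "example.test": ["v=spf1 include:_spf.mail.test ip4:203.0.113.0/24 -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"],
    "sel1._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDERKEY"],
    "weak.test": ["v=spf1 a mx include:a.test include:b.test ~all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none"],
    "sel1._domainkey.weak.test": ["v=DKIM1; k=rsa; p="],   # empty p = revoked key
}

def lookup_txt(name, records=TXT):
    return records.get(name, [])

def parse_tags(record):
    """Split 'k=v; k=v' DMARC/DKIM records into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

# Mechanisms that cost a DNS lookup; RFC 7208 permits at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(:|/|$)|mx(:|/|$)|ptr|exists:|redirect=)")

def check_spf(domain, records=TXT):
    findings = []
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["spf: no record"]
    if len(spf) > 1:
        findings.append("spf: multiple records (invalid per RFC 7208)")
    terms = spf[0].split()
    qualifier = next((t for t in terms if t.endswith("all")), None)
    if qualifier in (None, "all", "+all", "?all"):
        findings.append("spf: 'all' mechanism missing or permissive")
    elif qualifier == "~all":
        findings.append("spf: softfail (~all); move to -all once DMARC is enforcing")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append("spf: more than 10 DNS lookups (permerror)")
    return findings

def check_dmarc(domain, records=TXT):
    recs = [r for r in lookup_txt("_dmarc." + domain, records)
            if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["dmarc: no record"]
    tags = parse_tags(recs[0])
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("dmarc: p=none (monitor only; spoofed mail is still delivered)")
    elif policy == "quarantine":
        findings.append("dmarc: p=quarantine; move to p=reject when reports are clean")
    if "rua" not in tags:
        findings.append("dmarc: no rua address, so no aggregate reports")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"dmarc: pct={pct}, policy applied to only part of the mail")
    return findings

def check_dkim(domain, selector, records=TXT):
    recs = lookup_txt(f"{selector}._domainkey.{domain}", records)
    if not recs:
        return [f"dkim: no record for selector {selector}"]
    if not parse_tags(recs[0]).get("p"):
        return ["dkim: empty public key (selector revoked)"]
    return []

def assess(domain, selector, records=TXT):
    """All findings for a domain; an empty list means the three records look sound."""
    return (check_spf(domain, records) + check_dmarc(domain, records)
            + check_dkim(domain, selector, records))

if __name__ == "__main__":
    for d in ("example.test", "weak.test"):
        print(d, assess(d, "sel1") or ["ok"])
```

To run it against real domains, replace `lookup_txt` with an actual TXT query (for example via `dnspython`); the checks themselves do not change.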

To conclude

Ransomware protection needs to go beyond detecting and blocking an initial malware infection at the email perimeter. Malware can enter your organization by other means, and cyber attacks often use the web channel to contact command and control servers and download the encryption keys necessary to complete the cyber attack.
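Item 4 of the list above (Protective DNS) and the conclusion both point at the same control: watching the DNS channel that malware uses to reach command and control servers. The following is an added example, not CyberSecOp code or a PDNS product: it runs two checks over a constructed DNS query log, a blocklist match on the registered domain (so subdomains of a listed domain are caught too) and a simple DNS-tunnel heuristic that counts queries carrying long, high-entropy labels under one domain. The blocklist, the `.test` domains and the thresholds are all hypothetical.

```python
import hashlib
import math
from collections import defaultdict

# Constructed blocklist (stand-in for a PDNS threat feed); not real domains.
BLOCKLIST = {"badsite.test", "malware-drop.test"}

# Constructed DNS query log, one line per query: "<timestamp> <client> <qtype> <qname>".
# Two ordinary lookups, one hit on a blocked domain, then a burst of TXT queries whose
# leftmost label is a long hex blob, the shape a DNS tunnel produces.
LINES = [
    "2024-01-01T10:00:01 10.0.0.5 A www.example.test",
    "2024-01-01T10:00:02 10.0.0.5 A cdn.example.test",
    "2024-01-01T10:00:03 10.0.0.7 A login-verify.badsite.test",
] + [
    f"2024-01-01T10:01:{i:02d} 10.0.0.9 TXT "
    f"{hashlib.sha256(f'chunk{i}'.encode()).hexdigest()}.tunnel.test"
    for i in range(8)
]

LONG_LABEL = 30          # hypothetical thresholds; tune them on your own traffic
MIN_ENTROPY = 3.0        # bits per character
MIN_TUNNEL_QUERIES = 5

def parse(line):
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.rstrip(".").lower()}

def registered_domain(qname):
    # Naive: last two labels. A real resolver would consult the public suffix list.
    return ".".join(qname.split(".")[-2:])

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    freqs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in freqs)

def analyze(lines, blocklist=BLOCKLIST):
    alerts = []
    stats = defaultdict(lambda: {"subdomains": set(), "clients": set(), "odd_labels": 0})
    for line in lines:
        q = parse(line)
        base = registered_domain(q["qname"])
        # Rule 1: a listed domain, or any subdomain of one
        if base in blocklist:
            alerts.append(("blocked_domain", q["client"], q["qname"]))
        # Rule 2: collect tunneling indicators per registered domain
        labels = q["qname"].split(".")[:-2]
        if labels:
            s = stats[base]
            s["subdomains"].add(".".join(labels))
            s["clients"].add(q["client"])
            longest = max(labels, key=len)
            if len(longest) >= LONG_LABEL and entropy(longest) >= MIN_ENTROPY:
                s["odd_labels"] += 1
    for base, s in stats.items():
        if s["odd_labels"] >= MIN_TUNNEL_QUERIES and len(s["subdomains"]) >= MIN_TUNNEL_QUERIES:
            alerts.append(("possible_dns_tunnel", ",".join(sorted(s["clients"])), base))
    return alerts

if __name__ == "__main__":
    for alert in analyze(LINES):
        print(alert)
```

The tunnel heuristic is deliberately crude: CDNs and some anti-spam services also generate long, hash-like labels, so in production the domain allowlist and the thresholds matter as much as the rule itself.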


Cybercrime: TOR, Dark Web, Ransomware, and Cryptocurrency

Why cybercriminals love these tools: TOR, Dark Web, Ransomware, and Cryptocurrency

How are TOR, the Dark Web, ransomware, and cryptocurrency connected when it comes to cybercrime? Cyber criminals use The Onion Router (TOR) in combination with a Virtual Private Network (VPN) to hide their geolocation.

This provides the threat actor with anonymity and privacy, making their connection and identity in some cases untraceable. Cyber criminals use TOR to connect to the dark web, where they exchange or purchase illegal goods. These could be hacking tools, drugs, ransomware tools, or even information about your organization. Armed with TOR, a VPN, hacking tools, ransomware tools, and organization information, they attack organizations to infect their systems with ransomware. Threat actors can also extort a business if they are able to obtain its PII or other confidential data on the Dark Web.

At a very high level, once the hacker infects an organization's systems, they encrypt the organization's data with ransomware. The encryption renders all data useless. They will also look for other vectors of attack, such as deleting shadow copies and any other backups they can compromise. The hacker then leaves a ransom note, usually demanding payment in a cryptocurrency like bitcoin.

I know you are now curious, as I was, to know more about TOR, the Dark Web, ransomware, and cryptocurrency. I have taken the liberty to do just that for you below.

What is TOR?

TOR is short for The Onion Router (thus the logo) and was initially a worldwide network of servers developed with the U.S. Navy that enabled people to browse the internet anonymously. Now, it’s a non-profit organization whose main purpose is the research and development of online privacy tools.

TOR is a free software program that you load onto your computer (like a browser) and that hides your IP address every time you send or request data on the Internet. The process is layered with heavy-duty encryption, which means your data is wrapped in layers of privacy protection. Then there is the route your data takes as it travels to its destination: TOR bounces your Internet requests and data through a vast and extensive network of relays (servers) around the world. That data path is never the same, because TOR uses up to 5,000 TOR relays to send your data request. Think of it as a huge network of “hidden” servers that keeps your online identity (meaning your IP address) and your location invisible. When you use TOR, websites can no longer track the physical location of your IP address or what you have been looking at online, and neither can any interested organizations that may want to monitor someone’s Internet activity, meaning law enforcement or government security agencies. TOR is like a proxy on steroids.

TOR has extreme value because it can work with your web browser, remote log-in applications and even instant-messaging software. TOR is registered as a nonprofit company, so it runs mainly on donations and on the hope that people will volunteer to run a relay on its network.

What is the Deep and Dark Web and why do you need TOR?

TOR is essential to accessing the dark web. The dark web refers to sites that are not indexed and only accessible via specialized web browsers. Significantly smaller than the tiny surface web, the dark web is considered a part of the deep web. Using our ocean and iceberg visuals, the dark web would be the bottom tip of the submerged iceberg. The dark web, however, is a very concealed portion of the deep web that few will ever interact with or even see. In other words, the deep web covers everything under the surface that's still accessible with the right software, including the dark web.

Breaking down the construction of the dark web reveals a few key layers that make it an anonymous haven:

  • No webpage indexing by surface web search engines. Google and other popular search tools cannot discover or display results for pages within the dark web.

  • “Virtual traffic tunnels” via a randomized network infrastructure.

  • Inaccessible by traditional browsers due to its unique registry operator. Also, it's further hidden by various network security measures like firewalls and encryption.

  • The reputation of the dark web has often been linked to criminal intent or illegal content.

How does ransomware work?

Hackers use TOR to access organization systems to deploy ransomware, so what is ransomware you ask?

Ransomware uses asymmetric encryption. This is cryptography that uses a pair of keys to encrypt and decrypt a file. The public-private pair of keys is uniquely generated by the attacker for the victim, with the private key to decrypt the files stored on the attacker’s server.

The attacker makes the private key available to the victim only after the ransom is paid, though as seen in recent ransomware campaigns, that is not always the case. Without access to the private key, it is nearly impossible to decrypt the files that are being held for ransom. Many variations of ransomware exist. Often ransomware (and other malware) is distributed using email spam campaigns or through targeted attacks. Malware needs an attack vector to establish its presence on an endpoint. After presence is established, malware stays on the system until its task is accomplished.

After a successful exploit, ransomware drops and executes a malicious binary on the infected system. This binary then searches and encrypts valuable files, such as Microsoft Word documents, images, databases, and so on. The ransomware may also exploit system and network vulnerabilities to spread to other systems and possibly across entire organizations. Once files are encrypted, ransomware prompts the user for a ransom to be paid within 24 to 48 hours to decrypt the files, or they will be lost forever. If a data backup is unavailable or those backups were themselves encrypted, the victim is faced with paying the ransom to recover personal files. 
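The two paragraphs above describe the observable side of an infection: a dropped binary that encrypts valuable files and then prompts the user with a ransom demand. Because the encryption itself cannot be undone without the attacker's private key, defenders focus on catching that behaviour while it is happening. The following is an added example, not CyberSecOp code or any EDR product's logic: it runs two detections over a constructed file-activity log, a burst of document renames to an unfamiliar extension by one process inside a 60-second window, and the creation of a file whose name looks like a ransom note. The process names, paths, window and threshold are hypothetical.

```python
import os
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical tuning values; real deployments calibrate these on their own baseline.
WINDOW_SECONDS = 60
MASS_RENAME_THRESHOLD = 20
DOC_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".sqlite", ".txt"}
NOTE_KEYWORDS = ("decrypt", "recover", "restore", "how_to", "readme")

# Constructed file-activity log: "<timestamp> <process> <op> <path>", where a RENAME
# carries "old -> new". A normal editor session, then a burst of 25 renames by one
# unknown process, then a note being dropped. Added example, not CyberSecOp code.
EVENTS = [
    "2024-01-01T10:00:00 word WRITE /home/u/docs/report.docx",
    "2024-01-01T10:00:05 word RENAME /home/u/docs/report.docx -> /home/u/docs/report-final.docx",
] + [
    f"2024-01-01T10:05:{i:02d} evil.bin RENAME /home/u/docs/file{i}.pdf -> /home/u/docs/file{i}.pdf.locked"
    for i in range(25)
] + ["2024-01-01T10:05:30 evil.bin CREATE /home/u/docs/HOW_TO_RECOVER_FILES.txt"]

def parse_event(line):
    ts, process, op, path = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "process": process, "op": op, "path": path}

def is_suspicious_rename(old, new):
    """A known document type renamed to an extension we do not recognise."""
    old_ext = os.path.splitext(old)[1].lower()
    new_ext = os.path.splitext(new)[1].lower()
    return old_ext in DOC_EXTENSIONS and new_ext != "" and new_ext not in DOC_EXTENSIONS

def looks_like_ransom_note(path):
    """Note-like name: text/HTML file whose name mentions decrypting or recovering files.
    Expect false positives from README.txt in source trees; pair with the rename rule."""
    name = os.path.basename(path).lower()
    return name.endswith((".txt", ".html", ".hta")) and any(k in name for k in NOTE_KEYWORDS)

def detect(lines):
    alerts = []
    recent = defaultdict(deque)   # process -> timestamps of suspicious renames in window
    flagged = set()               # alert once per process, not once per file
    for line in lines:
        ev = parse_event(line)
        proc = ev["process"]
        if ev["op"] == "RENAME":
            old, new = ev["path"].split(" -> ")
            if is_suspicious_rename(old, new):
                window = recent[proc]
                window.append(ev["ts"])
                while window and (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
                    window.popleft()
                if len(window) >= MASS_RENAME_THRESHOLD and proc not in flagged:
                    flagged.add(proc)
                    alerts.append(("mass_rename_to_unknown_extension", proc, len(window)))
        elif ev["op"] == "CREATE" and looks_like_ransom_note(ev["path"]):
            alerts.append(("ransom_note_dropped", proc, ev["path"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The rename rule fires on the 20th suspicious rename, well before the note is written, which is the point: the earlier the process is stopped, the fewer files are lost, and the backups mentioned in the next section remain the only real recovery path for files already encrypted.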

What can you do about this? 

There are many steps you can take as an individual or an organization to reduce the threat of ransomware exploiting your assets.  

  • Exercise extreme awareness to spot phishing and other social engineering attempts

  • Harden your devices with anti-malware, intrusion prevention, firewalls and regular patching

  • Back up all important data to an external source, protected with MFA

  • Utilize MFA on all critical applications

  • Perform vulnerability and penetration testing to identify weaknesses in your assets

Need help with implementing the above recommendations? Want more information? Reach out to the experts at CyberSecOp and take a proactive step toward preventing ransomware and other types of malware from infecting you.
