Topics: Cybersecurity, Risk Management

June 29, 2021

Navigating the New Cyber-Threat Landscape: Zero Trust Risk Measurement and Mitigation Best Practices

Cyberattacks on enterprise targets are increasing in frequency, breadth, sophistication, and severity. The real and potential costs to enterprises (in monetary, operational, brand, intellectual property, and even human terms) are significant. Yet many organizations have responded with ineffective security bandages, fatalism, or worse, complacency.

To avoid these missteps, boards of directors can continue to focus on their organizations’ threat exposure, risk measurement, risk mitigation, and attack prevention with zero trust best practices in mind. Zero trust is a framework for protecting enterprise data, applying least-privilege access controls, and effectively dissociating security from the corporate network.

The Threat Landscape

Malware comes in many forms—spyware, adware, cryptojackers, data exfiltration malware, worms—but ransomware receives the most attention. Whatever the variant, malware’s unwelcome presence arrives when an enterprise perimeter is breached and unauthorized code is planted and then activated on a compromised device. With ransomware, a hacker, presumably through some form of deceit, deposits executable code on a victim’s machine. When executed, the program “locks” data on that machine, encrypts it, and then infects connected systems.

Attacks have become more consequential, and threat actors have become more professional. The notion of the lone hacker working in a basement is no longer accurate. The cybercriminals attacking enterprises across the globe are organized and often state-sponsored. Advanced persistent threat (APT) groups have popped up in China, Russia, elsewhere in Eastern Europe, South America, North Korea, Vietnam, and other locations.

What’s driving the ransomware surge? For one thing, it’s profitable. Ransomware has become so lucrative that it’s generating new business models. Ransomware groups are even double- or triple-dipping, extorting one ransom for unlocking encrypted data, another for “not” selling that seized data on the dark web, and then profiting again… by selling that seized data on the dark web.

Ransomware is troublingly easy to deploy. It’s often said that an enterprise is only as secure as its weakest point. Hackers constantly seek out vulnerabilities in corporate networks, typically with automated programs that crawl the Internet looking for an enterprise opening. That vulnerability might be an individual employee responding to a phishing email. It could be a weak password, an exposed IP address, or an overtaxed information technology (IT) department one week behind on hardware security patches.

Cyberattacks won’t go away until business leaders act to counter threats and remove incentives.

The Inherent Risks of Legacy Architecture

Despite efforts to thwart them, threat actors continue to launch successful cyberattacks on enterprise targets. The problem isn’t one of defensive intent: IT security leaders buttress legacy security architecture, yet cannot stop the breaches. The problem is the architecture itself.

By its very design, legacy “castle-and-moat” security architecture is vulnerable to attack. In a legacy environment, every machine, mobile device, Internet-of-Things endpoint, network node, and network path represents a potentially exploitable target for hackers. Add enterprise support for remote work via virtual private networks (VPNs), and every employee becomes an individual “attackable” extension of the corporate network.

In addition, authentication can be easily compromised. Traditional systems rely on machine identification for trust-based access to an entire corporate network. Hackers can easily duplicate or spoof that ID to gain access.

Legacy networks must connect to the open Internet, and that leaves systems, IP addresses, nodes, and more corporate resources exposed to external viewing. Recent Zscaler research found that the average corporate legacy-infrastructure environment exposes more than 250 devices, machines, and endpoints to the open Internet. This invites threat actors to attack.

Once those threat actors cross the metaphorical moat, they have the run of the castle. Corporate networks are designed for open access within a secured perimeter. If the perimeter is breached, an attacker can move laterally from one connected system to another, infecting everything along the way.

It’s been said that a hacker need only get lucky once, while vigilant IT security must always be lucky. That illustrates legacy infrastructure’s most absurd expectation: that manual cybersecurity efforts must be perfect. Always. Otherwise, adversaries will pounce. IT leaders can never make a mistake. Nor, for that matter, can employees, who must become experts in recognizing sophisticated social-engineering campaigns such as phishing or spear-phishing lures.

Zero Trust’s Impact on Enterprises and Adversaries

Colonial Pipeline Co., Equifax, Arizona Beverages—all had perimeter-based security. In response to attacks, many legacy-environment organizations shore up existing barricades. Adding locks to the front door may feel like a constructive act of defense, but it won’t slow down thieves if the windows are left open.

Instead, organizations must apply zero trust principles to remove incentives for threat adversaries. A cloud-based zero trust architecture (ZTA) connects user to resource, with no broader access granted. Connections are direct and ephemeral. In that way, a ZTA helps to eliminate the potential for unauthorized lateral movement via a corporate network, meaning that any compromise would be limited to a single endpoint.

Hackers attack what they can see: a ZTA obscures corporate systems, devices, nodes, applications, and even users, meaning nothing proprietary is ever exposed to prying eyes on the Internet. With a ZTA, a threat actor’s incentive to attack—easy-to-exploit vulnerabilities in legacy systems—is gone, and the criminal’s rationalized ransomware business model no longer makes financial sense.
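The contrast drawn in the two paragraphs above (network-wide trust in a machine ID versus a per-request, per-resource decision), written out as a small Python model. This is an added example, not code from the article or from Zscaler; the resource inventory, roles and policy table are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# Constructed sample inventory and policy (hypothetical, not a real environment).
RESOURCES: Set[str] = {"hr-app", "finance-db", "file-share", "erp"}
ZTA_POLICY: Dict[str, FrozenSet[str]] = {
    "hr-app": frozenset({"hr"}),
    "finance-db": frozenset({"finance"}),
    "file-share": frozenset({"hr", "finance", "eng"}),
    "erp": frozenset({"finance", "ops"}),
}


@dataclass(frozen=True)
class Principal:
    user: str                 # verified identity (empty string if none presented)
    device_id: str            # machine identifier the legacy model trusts
    device_compliant: bool    # device posture check (managed, patched, etc.)
    roles: FrozenSet[str]


def legacy_reachable(p: Principal, network_members: Set[str]) -> Set[str]:
    """Castle-and-moat: a recognised machine ID on the network can reach everything."""
    return set(RESOURCES) if p.device_id in network_members else set()


def zta_decide(p: Principal, resource: str, ttl_seconds: int = 300) -> Optional[dict]:
    """Per-request decision: verified identity, device posture and a resource-specific
    role are all required; a grant covers exactly one resource and expires quickly."""
    allowed = ZTA_POLICY.get(resource)
    if allowed is None or not p.user or not p.device_compliant:
        return None
    if not (p.roles & allowed):
        return None
    return {"user": p.user, "resource": resource, "expires_in": ttl_seconds}


def zta_reachable(p: Principal) -> Set[str]:
    """Resources a principal could be connected to, one ephemeral grant at a time."""
    return {r for r in ZTA_POLICY if zta_decide(p, r) is not None}


def blast_radius(p: Principal, network_members: Set[str]) -> Dict[str, int]:
    """Resources a compromised endpoint or identity reaches under each model."""
    return {"legacy": len(legacy_reachable(p, network_members)),
            "zero_trust": len(zta_reachable(p))}
```

A spoofed machine ID with no verified identity scores 4 of 4 resources in the legacy model and 0 under the per-resource policy; a legitimate HR user on a compliant device still sees only the two resources her role permits.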

How the Board Can Drive Risk Measurement and Mitigation

Boards have a mandate to review and assess enterprise risks. Cyber-risk mitigation can take the form of an audit or a security and risk assessment. Board members can engage executive leadership to evaluate the following key metrics:

  • Attack volume (including frequency and source): Can the organization measure the extent to which it is being attacked? (“We’re not aware of a breach” is not a measurement.)
  • Data traffic: What data (by volume, content, and encryption) travels out to and in from the open Internet?
  • Attack surface exposure: What systems, nodes, devices, and endpoints are visible to the open Internet?
  • Applications: What apps are used within the organization? Are all of them authorized?
  • Cloud presence: What cloud services are employees using? How is proprietary data stored in the cloud? How is it secured?

Enterprises cannot passively accept insurgent cyber terrorism as an inevitability. A breach (and the subsequent operational disruption, ransom payments, or data loss) should never be viewed as an unavoidable cost of doing business. Instead, board members can and should take action to advocate for cyber-risk reduction—and zero trust can help.

Kavitha Mariappan is executive vice president for customer experience and transformation at Zscaler, a cloud-based cybersecurity firm.
