Security specialists have long known that a single weak link in a chain is all that is needed to bring down a cyberdefense. Sometimes this comes down to an errant line of code in a hastily developed API, inadequate penetration testing, or old, unpatched, exploitable code hidden deep within a legacy system. But more often than not, it is because of the actions of one individual – a single person who clicks on a malware payload within a phishing email, or who allows an individual to physically access a workplace unchallenged, or whose work-from-home office features a Wi-Fi router that was never properly secured.
Awareness of malicious threat actors has encouraged most organizations to rank cybersecurity ever higher in priority, but in many cases, there remains the belief that data and activities occurring inside the fortress walls are safe by virtue of their being on the inside. This, of course, is erroneous, and has given rise to the Zero Trust model, in which all activities, including those occurring within the security perimeter, are to be held to the same standard of trust, which is zero.
This is a welcome leap forward in cybersecurity and helps dispense with the notion that threat actors only attack their targets directly, when in truth, they are more likely to find a weak entry point and then move laterally across a network. But a Zero Trust protocol is still just a set of rules and procedures, and it too falls prey to human weakness in the form of errors, incompetence and – most ironically of all – trust, any of which can allow the system to fail once again.
As such, any security strategy must ensure security specialists follow a pattern of cross training and reverse role playing so all sides of the threat landscape are intimately experienced. Ben Walther is principal security engineer at Atlassian. He recommends a practice where a threat modeling exercise is hosted by one security specialist while another person shadows, and then these roles are reversed the next time the exercise is performed. Reversals can be applied not only to security people, but to developers and engineers, and even end users so that the skill set is thoroughly developed and embraced across the organization.
“Because this is a dynamic, human-focused practice, we find that it helps to observe someone and then be observed, and then get feedback,” Walther says. “That’s how you can scale up a very human-oriented, practice-based skill.” He goes on to advocate a reverse-pyramid approach, in which one person teaches a group, whose members teach a larger group, and so on.
The increased use of connected technologies, including Internet of Things and work-from-home scenarios, vastly increases an organization’s attack surface and vulnerability. Dr. Lyron Andrews, CISSP, CCSP, SSCP, agrees. As founder of Profabula, a cybersecurity professional, and a trainer and consultant with a concentration on cloud computing, he stresses the need to “think about how to protect that ubiquity – systemically, not one-on-one – through least privilege, Zero Trust access methodology. The specificity of it should be micro segmentation, Zero Trust development and Zero Trust architecture.”
Andrews highlights the relatively new phenomenon of “zoombombing,” named after the most popular of the online videoconference technologies, in which bad actors easily join meetings thanks to unprotected login data. Once there, they are able to post offensive images, disrupt the meetings and exploit the potential for even worse activity.
Although Zoom and other providers of meeting technologies were quick to fix this security hole, two key factors remain:
- The average end user trusts the technology to work in the way it is supposed to and is ignorant of every possibility of exploitation; and
- Bad actors will always go where the ubiquity is. Email and Windows have been the ubiquitous technologies for 20 years. Once new platforms become popular, they too get attacked.
Scott Gordon, CISSP-ISSMP, chief marketing officer for Pulse Secure, states: “A mobile workforce, virtualization dynamics, the adoption of cloud, and multicloud applications with IoT and everything else being introduced to what is now a perimeterless environment means organizations must be much more vigilant on verification and authorization, whether someone’s connecting within the network or outside the network. That’s really what Zero Trust is all about.”
Gordon highlights recent developments in access security threats in which malicious actors are pursuing new attack vectors such as imitating known popular applications and even corporate suppliers to obtain credentials. This can be something as simple as a forged invoice for services rendered or products delivered. The difference is that the threat actor has taken the time to learn specifics, such as account numbers, people’s names and even habits, to make the falsified correspondence effectively indistinguishable from the real one.
These activities, he says, are not casual. They are based on careful farming of data that comes from successful infiltration of a network. As opposed to simply stealing a “number” like a credit card number, they steal the relationship, and re-build it into documentation and communication that does not elicit suspicion.
He emphasizes that for Zero Trust to be an effective ally alongside trusting, human end users, “the core principle of verifying everything before granting trust will become even more vital in the months to come.” This will demand greater adoption of techniques such as multifactor authentication and blockchain-based certification.
Trust No One
Zero Trust is exceedingly difficult to establish, in applications as well as in humans. Both are prone to oversights and in the case of humans, emotional overrides. Imagine, for example, how difficult it must be for a junior employee to challenge a stranger who is standing outside the glass doors, pretending to look for their pass card. Common decency, or fear of reprisal, will spur that employee to let the stranger in, on the assumption that they work there.
These are the challenges security specialists including CISSPs must be prepared to face. Zero Trust is not just about technology and code. It is a cultural constant being made even more difficult by the chaos of the COVID-19 pandemic, and it will be up to security specialists to communicate and reinforce awareness and vigilance among humans and machines equally.
For more information, read the Proactive Cybersecurity Beyond COVID-19 white paper.
By Steve Prentice