Category: Security

Understandably, companies and organizations are embracing zero trust with the daily business pressures that have evolved over the last few years. The pandemic presented small businesses and organizations with new security considerations: remote workers with access to a much wider range of apps, new ways of working onsite, bring your own devices, cloud-based assets, and new supply chain and vendor processes. Furthermore, you may have added these changes to your network ad hoc. Now, you have an unwieldy patchwork of devices and computers at your business.

But the tweaks you put in place have also extended your network boundaries (or “perimeter”). In adding devices and computers as needed, you (and your administrators!) have added security vulnerabilities. You’ve lost track, and your problems are becoming more apparent every day. This new reality demands a new security paradigm.

What is Zero Trust?

Traditionally, your local area network requires permissions for users and computers to be verified once, who are then trusted by default, i.e., no more verification is needed. There is the old Russian proverb: “Trust, but verify.”

But if you use a zero trust security model or zero trust architecture (or “perimeterless security”), the proverb is intensified: your network must “never trust, always verify.” Zero trust requires continuous verification of user and system identities for each computer resource requested. The emphasis here is on resources rather than how your network is segmented (NIST).

While you previously may have trusted users and devices within your “corporate perimeter” or connected via a VPN, today’s complex corporate networks running under zero trust work without respect to your systems, user accounts, or the location of any of these. (Zero trust can also be applied to the CIA—confidentiality, integrity, and availability—of your data while it is accessed or managed. This access should be authenticated dynamically, and permissions should be based on the principle of least privilege.)

Wait a minute… I have to repeatedly log in now?

Despite the new authentication requirements, under zero trust security, the user is not significantly inconvenienced or aware of the security measures taking place in the background:

– If you use single sign-on (SSO), “an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems” (Wikipedia), this convenience is unaffected under zero trust.

– Multi-factor authentication (MFA) is also transparent under zero trust; users can only be required to reauthenticate from an unfamiliar device or location.

– Continuous authentication techniques, such as behavioral analysis or device health checks, may infrequently be performed in the background without disturbing the user.

– Zero trust access control policies can grant access based on user identity, roles, and permissions, but it is also usually transparent to the user.

– Trust decisions can be made in the background; if necessary, access can be restricted, generally without user involvement.

– The user’s session can also be continuously monitored without their input. Suspicious activity can result in blocked access or further user reauthentication.

For your organization, zero trust protects your data and systems by admitting only the right users and giving them access to the right data for the right reason and purpose. Zero trust can assign a risk score for every user or process recognized by their time of day, device, use of sensitive data, or level of authentication (including MFA). Risk-based vulnerability management can monitor for cybersecurity attacks, like transactional fraud.

Who’s Implementing Zero Trust?

Eighty-three percent of security and risk professionals say zero trust is an essential strategy for their organizations (Venture Beat), and as projected in 2022, eighty percent of enterprises planned to implement zero trust that year. Cloud-first zero-trust platforms have won most implementations because of the cost savings, speed, and scale they deliver over legacy systems (Venture Beat). Demand for endpoint security visibility and control grew faster than the market, leading all zero-trust priorities in 2022 (Venture Beat, https://venturebeat.com/security/zero-trust-trends-for-2022/). Now that the Biden administration has issued an executive order mandating zero trust for all governmental entities, many organizations follow suit. According to Gartner, zero-trust solutions will grow from $820 million in 2022 to $1.674 billion in 2025 (Instasafe).

How Does Zero Trust Work?

Implementing zero trust for your small to medium-sized business may require a pragmatic and scaled-down approach; you may need more money or time. Here are some suggested steps:

– First, perform an asset inventory of your network’s devices, servers, applications, and data.

– Implement the principle of least privilege to restrict user and system access.

– Implement multi-factor authentication (MFA) wherever possible.

– Use micro-segmentation to segment the network into smaller zones to limit lateral movement and contain potential threats.

– Enforce access controls for applications and data. Use access control lists (ACLs) or role-based access control (RBAC) to restrict access to specific resources.

– Use secure VPNs or Cloud Access Security Brokers (CASBs) for cloud applications to ensure all users and devices are authenticated before granting access to resources.

– Implement endpoint security measures, such as installing updates and patches, deploying anti-malware solutions, and configuring host-based firewalls.

– Set up basic logging and monitoring. Use cost-effective SIEM (Security Information and Event Management) solutions or open-source options.

– Train employees on best practices to reduce the risk of security incidents.

– Develop an incident response plan.

– Ensure that third-party vendors and contractors adhere to security best practices and align with your Zero Trust approach.

– Regularly review and update security policies and controls to keep up with security threats and adjust your security strategy.

These steps are cost and time-efficient.

Types of Zero Trust Solutions

Three ways of achieving the complicated tracking of resources and users are:
Endpoint agents.
Combined behavioral detection and machine learning.
Cloud-delivered, clientless, zero-trust platforms.

Endpoint Agents

Ivanti Neurons for Unified Endpoint Management (UEM) is an example of a self-healing endpoint solution. UEM uses AI-based undeletable agents installed on the endpoint with a firmware-embedded connection and cannot be deleted from a PC. If the self-aware agent detects a suspected or actual attack, it takes steps to thwart the intrusion. The endpoint shuts itself off, re-checks all OS and application versioning, then rebuilds itself with new software patches and firmware updates. Self-healing endpoints perform all these functions without human intervention.

Behavioral Scans and Threat Data

Microsoft Defender 365 is an example of the second type of zero-trust solution. It detects anomalies through behavioral-based scans and then uses machine learning to correlate threat data from emails, endpoints, users, and applications.

Cloud-based Zero Trust Solutions

Zscaler Zero Trust Exchange is an example of a cloud-based zero-trust solution. It provides secure access to applications, whether they are hosted in the cloud, data centers, or on-premises, by routing traffic through the Zscaler cloud platform. With the cloud option, trust is removed from the tech stack because of its liability.

You Need to Educate Your Users

While zero trust aims to be transparent, your user education should still cover the importance of MFA or how to recognize phishing attempts.

Zero Trust and Cyber Insurance

Today, it’s unreasonable not to have cyber insurance. Zero trust can aid your organization by enforcing regulations and auditing compliance. Zero trust can help give you more affordable rates for cyber insurance by providing the insurer with more information about your cyber readiness and lowering your risk by getting ahead of where the vulnerabilities and potential attackers are.

Conclusion: You Need Help Configuring Zero Trust

To configure zero trust, your administrators need the proper tools for provisioning and de-provisioning user accounts, MFA, SSO, and authentication hardware like smart cards and dongles. Your admins must be alerted to account expiration, unused VPN accounts, the reuse of passwords, the location of remote workers, patch requirements, and which apps are installed on your remote and in-house systems. Integrating your legacy systems is part of this preparation.

Zero trust is designed to provide robust security without being intrusive or an inconvenience to the user, but your small-to-medium business (SMBs) is cost-driven. You should look for a cybersecurity vendor who can assist with these measures. They should offer well-documented and secure APIs and consumption-based or subscription pricing.

While you don’t have to spend much money or encounter too much difficulty to implement zero trust, you should spend your valuable time with an expert security provider who can help you implement zero trust comprehensively and cost-effectively.

Utilities and infrastructure, government agencies, hospitals and healthcare institutions, schools, food production and distribution industries–even ferry service to Martha’s Vineyard, all have been attacked by cybercriminals using ransomware, probably now the most used kind of exploit of network systems.

“Even as we speak there are thousands of attacks on all aspects of the energy sector and the private sector generally…it’s happening all the time,” said Energy Secretary Jennifer Granholm to CNN. Continue reading “Ransomware Timeline”

A penetration test is an agreed-upon simulated, offensive cybersecurity engagement that tests for vulnerabilities in the target’s systems. The red team is the offensive team and the defenders are the blue team. The organization being tested is looking for weaknesses in their systems.  (Optionally, an organization may set up a purple team to support the engagement.)

In order to do a penetration test you need written permission with specific rules of engagement. You cannot deviate from the plan that is agreed upon. Even scanning the ports of the target system can throw up red flags for the responsible organization and can lead to legal trouble for you if not documented.

Though many red-team/blue-team exercises use in-house teams for both, an outside hacker can actually make some good money doing this. Some hackers make a career out of it. I’ve heard of a contract tester making $50,000 for one engagement; though in-house team members can make $140,000.  There’s even two certifications specifically for penetration testing, the Certified Ethical Hacker and PenTest+ certs.

Halo’s red team/blue team borrows from this concept: Spartan Showdown: Blue Team vs Red Team – YouTube

Layering security measures is called Defense in Depth. Though zero trust is the phrase of the day, defense-in-depth can be a complementary approach to security.

Preventive measures can prevent breaches of confidentiality, for example, measures such as file encryption, TLS encryption for websites, or protecting a certificate key.

Detective measures include intrusion detection/prevention systems (IDS/IPS) or other measures that alert you when there is an unauthorized intrusion on the network.

Recovery measures include backups and other measures to maintain resource availability. Whether daily, incremental, or full, you need a backup plan.

Continue reading “Defense in Depth”

No, not the Yankee security agency; the CIA Security Triad is a model organizations can use to guide policies for their cyber and information security. CIA stands for Confidentiality, Integrity, and Availability. It’s also useful during the acquisition of new technology assets and data to guide policymaking.

Confidentiality – Keeping sensitive, confidential, or private information safe from unauthorized access. It’s common to categorize sensitive data by the potential for damage if the data is released or stolen in case of a security breach. The question of who needs what kind of access to the information should be a consideration. Organizations can set access control lists (ACLs), encryption, and permissions for systems, files, and folders.

Integrity – Preventing data from deletion, tampering, or modification by an authorized or unauthorized party. This includes mistaken but authorized changes. Data at rest (stored), in transit, or in use should be protected for consistency, accuracy, and trustworthiness.

Availability – Accessing or refusing access to files, folders, and systems. The information the security measures protect and ensure should be available despite hardware failures, system upgrades, or power outages. The security measures should be consistent and provide ready accessibility by authorized parties.

The difference between tech support and cybersecurity experts lies with CIA. Tech support can help with your availability (connection), but integrity and confidentiality are usually the domains of cyber.

Note: This tutorial is for Chromium browsers, but the developer tools on other browsers are similar. Leave a question if you need help.

Just a brief introduction to this tutorial is needed. Web pages are text files that contain text and HTML. When you go to a website your browser downloads the HTML text file and you now have a copy of the page on your computer. The file also downloads copies of images, videos, and programming that are referenced inside the HTML. Each item on the page is in a box, which may be contained in other boxes and which may have boxes inside it as well. These items are called elements. With the developer tools in each browser you can edit your copy of the page to remove or change elements. If you refresh the page, it will return to the version you downloaded. Continue reading “Hacking Paywalls: You Only Thought You Needed To Subscribe”

Even a novice can research a target using publicly-available information. This is also called passive footprinting and there are numerous tools and commands to find this information: Continue reading “Using Publicly-available Information To Learn More About A Target (Passive Footprinting)”