In a remote world, a zero-trust revolution is needed

Last summer, law enforcement officials contacted both Apple and Meta, demanding customer data in “emergency data requests”. The companies complied. Unfortunately, the “officers” turned out to be hackers affiliated with a cyber-gang called “Recursion Team.”
About three years ago, the CEO of a UK-based energy company received a call from the CEO of its German parent company instructing him to wire a quarter of a million dollars to a Hungarian “supplier”. He complied. Unfortunately, the German “CEO” was a cybercriminal using deepfake audio technology to imitate the other man’s voice.
One set of criminals was able to steal data, the other, money. And in both cases trust was the cause. The callers themselves were the victims’ only source of information about who they were talking to.
What is zero trust, exactly?
Zero trust is a security framework that does not rely on perimeter security. Perimeter security is the old and ubiquitous model that assumes that everyone and everything inside the company building and behind the firewall is trustworthy. Security is achieved by keeping people outside the perimeter from getting in.
The phrase “zero trust” was coined in 1994 by Stephen Paul Marsh, a doctoral student at the University of Stirling. (Also known as “de-perimeterization,” the concept has been thoroughly expanded in frameworks such as Forrester’s Zero Trust eXtended, Gartner’s CARTA and NIST 800-207.)
Perimeter security is obsolete for a number of reasons, but mainly because of the prevalence of remote work. Other reasons include mobile computing, cloud computing and the increasing sophistication of cyberattacks in general. And, of course, threats can come from within as well.
In other words, there is no longer any network edge – not really – and even to the extent that a perimeter exists, it can be breached. Once hackers get inside the perimeter, they can move around with ease.
Zero trust addresses this by requiring each user, device and application to individually pass an authentication or authorization check every time it accesses any component of the network or any company resource.
There are technologies associated with zero trust. But zero trust itself is not a technology. It is a framework and, to some extent, a mindset. We usually think of it as a mindset for network architects and security specialists. That’s a mistake; it must be the attitude of every employee.
The reason is simple: social engineering is a non-technical hack of human nature.
Why social engineering can only be defeated with zero trust
One fundamental approach is to apply zero trust to the challenge of old and familiar social engineering attacks. Let’s say you get an email claiming to be from your bank and saying there is a problem with your account. All you have to do is click here, enter your username and password, and the problem will be fixed, it says. The right way to handle this situation (if you are not sure) is to call the bank and verify.
In a social engineering attack of any kind, the best practice is to never use the method of access given to you, but to get your own. Do not use the person contacting you as a source of information about who you are contacting. Always verify independently.
In the past, it was easy to spoof an email. We are facing an immediate future in which it will be just as easy to spoof live voice and video.
Apart from email spoofing, organizations can also be attacked by phishing, vishing, pretexting, spear phishing, snowshoeing, hailstorm spam, clone phishing, whaling, tabnabbing, reverse tabnabbing, in-session phishing, website forgery, link manipulation, link hiding, typosquatting, homograph attacks, scareware, tailgating, baiting, DNS spoofing, and many more. Your zero-trust training for employees should give them a working knowledge of all these types of attack. Simply knowing the myriad of dastardly methods used to lure people into allowing unauthorized access helps them understand why the answer is to trust no one.
In his wonderful 2011 book, “Ghost in the Wires,” former hacker Kevin Mitnick describes one of his most effective social engineering techniques: you spot employees outside the building about to enter, and you simply follow them through the door with the confidence of someone who belongs there. Employees universally read that confidence as all the verification they need to hold the door open for a stranger.
When fake law enforcement officers contacted Apple and Meta, the companies should have taken down the details of the alleged officers, hung up the phone, and called the agency to verify.
When someone claiming to be the CEO of the parent company contacted that UK CEO, the policy should have been to call back, not to transfer funds on the strength of the initial call.
How to apply zero trust to social engineering
The good news is that while many companies have not implemented zero trust, or even developed a zero-trust roadmap, its use against social engineering can be adopted immediately.
Find a way to authenticate each participant in audio or video meetings.
In other words, through changes in training, policy and practice, any inbound communication that requests something – transferring funds, providing a password, changing a password, opening an attachment, clicking a link, letting someone into the building – must be verified and authenticated, both the person and the channel of the request.
Almost every social engineering attack involves the malicious actor gaining the trust of someone who has access, and then abusing that access.
The challenge of using a culture of training and security to instil a spirit of zero trust in all employees is that people like to be trusted. Bad actors succeed when nobody tells them: “Let me verify you first.”
That should be the bulk of the training: asking employees and business leaders to accept that they are not trusted by default. You can’t simply rely on people you don’t trust – you have to verify them.
If a senior leader sends an attachment to a subordinate, and the subordinate simply downloads it and opens it without an additional verification step (say, calling and asking), the leader should regard this as a serious violation of security practice.
Culturally, most companies are miles away from adopting this practice. And that’s what needs to be repeated a thousand times: zero-trust verification of everything applies to both the trusted and the untrusted.
With so many workers now scattered between the office, home, other states and even other nations, it’s time for a radical reset – a zero-trust revolution, if you will – of how we interact with each other in normal business communication.
Copyright © 2022 IDG Communications, Inc.