September 28, 2020

The Human Element of Zero Trust

By Steve Prentice

The Awareness of Malicious and Threat Actors

Security specialists have long known that a single weak link in a chain is all that is needed to bring down a cyberdefense. Sometimes this comes down to an errant line of code in a hastily developed API, inadequate penetration testing, or old, unpatched, exploitable code hidden deep within a legacy system. But more often than not, it is because of the actions of one individual – a single person who clicks on a malware payload within a phishing email, or who allows an individual to physically access a workplace unchallenged, or whose work-from-home office features a Wi-Fi router that was never properly secured.

Awareness of malicious and threat actors has encouraged most organizations to rank cybersecurity ever higher in priority, but in many cases, there remains the belief that data and activities occurring inside the fortress walls are safe by virtue of their being on the inside. This, of course, is erroneous, and has given rise to the Zero Trust model, in which all activities, including those occurring within the security perimeter, are to be held to the same standard of trust, which is zero.

Threat Security

This is a welcome leap forward in cybersecurity and helps dispense with the notion that threat actors only attack their targets directly, when in truth, they are more likely to find a weak entry point and then move laterally across a network. But a Zero Trust protocol is still just a set of rules and procedures, and it too falls prey to human weakness: errors, incompetence and – most ironically of all – trust can allow the system to fail once again.

As such, any security strategy must ensure security specialists follow a pattern of cross training and reverse role playing so all sides of the threat landscape are intimately experienced. Ben Walther is principal security engineer at Atlassian. He recommends a practice where a threat modeling exercise is hosted by one security specialist while another person shadows, and then these roles are reversed the next time the exercise is performed. Reversals can be applied not only to security people, but to developers and engineers, and even end users so that the skill set is thoroughly developed and embraced across the organization.

“Because this is a dynamic, human-focused practice, we find that it helps to observe someone and then be observed, and then get feedback,” Walther says. “That’s how you can scale up a very human-oriented, practice-based skill.” He goes on to advocate a reverse-pyramid approach, in which one person teaches a group, whose members teach a larger group, and so on.

The increased use of connected technologies, including Internet of Things and work-from-home scenarios, vastly increases an organization’s attack surface and vulnerability. Dr. Lyron Andrews, CISSP, CCSP, SSCP, agrees. As founder of Profabula, a cybersecurity professional, and a trainer and consultant with a concentration on cloud computing, he stresses the need to “think about how to protect that ubiquity – systemically, not one-on-one – through least privilege, Zero Trust access methodology. The specificity of it should be micro segmentation, Zero Trust development and Zero Trust architecture.”

Andrews highlights the relatively new phenomenon of “zoombombing,” named after the most popular of the online videoconference technologies, in which bad actors easily join meetings thanks to unprotected login data. Once there, they are able to post offensive images, disrupt the meetings and exploit the potential for even worse activity.

Although Zoom and other providers of meeting technologies were quick to fix this security hole, two key factors remain:

  • The average end user trusts the technology to work in the way it is supposed to and is ignorant of every possibility of exploitation; and
  • Bad actors will always go where the ubiquity is. Email and Windows have been the ubiquitous technologies for 20 years. Once new platforms become popular, they too get attacked.

Scott Gordon, CISSP-ISSMP, chief marketing officer for Pulse Secure, states: “A mobile workforce, virtualization dynamics, the adoption of cloud, and multicloud applications with IoT and everything else being introduced to what is now a perimeterless environment means organizations must be much more vigilant on verification and authorization, whether someone’s connecting within the network or outside the network. That’s really what Zero Trust is all about.”

Gordon highlights recent developments in access security threats in which malicious actors are pursuing new attack vectors such as imitating known popular applications and even corporate suppliers to obtain credentials. This can be something as simple as a forged invoice for services rendered or products delivered. The difference is that the threat actor has taken the time to learn specifics, such as account numbers, people’s names and even habits, to make the falsified correspondence effectively indistinguishable from the real one.

These activities, he says, are not casual. They are based on careful farming of data that comes from successful infiltration of a network. As opposed to simply stealing a “number” like a credit card number, they steal the relationship, and re-build it into documentation and communication that does not elicit suspicion.

He emphasizes that for Zero Trust to be an effective ally alongside trusting, human end users, “the core principle of verifying everything before granting trust will become even more vital in the months to come.” This will demand greater adoption of techniques such as multifactor authentication and blockchain-based certification.

Trust No One

Zero Trust is exceedingly difficult to establish, in applications as well as in humans. Both are prone to oversights and, in the case of humans, emotional overrides. Imagine, for example, how difficult it must be for a junior employee to challenge a stranger who is standing outside the glass doors, pretending to look for their pass card. Common decency, or fear of reprisal, will spur that employee to let the stranger in, on the assumption that they work there.

These are the challenges security specialists including CISSPs must be prepared to face. Zero Trust is not just about technology and code. It is a cultural constant being made even more difficult by the chaos of the COVID-19 pandemic, and it will be up to security specialists to communicate and reinforce awareness and vigilance among humans and machines equally.

For more information, read the Proactive Cybersecurity Beyond COVID-19 white paper.

Steve Prentice

Steve Prentice is a project manager, writer, speaker and expert on productivity in the workplace, specifically the juncture where people and technology intersect. He is a senior writer for CloudTweaks.
