If you’re not across Zero Trust, first read our introduction here. It’s actually a relatively old concept that is only now, in 2020, gaining mainstream traction.
Here are our 7 steps to move your business towards adopting Zero Trust.
1 – Rethink the way you provide user-level access
Highlight: provide users with application-only access, not network access. Move away from traditional access models and grant users access only to those applications they need. Base the access on entitlement, user identity, device posture, authentication, and authorisation.
Virtual Private Networks (VPNs) are a thing of the past! They’re no longer capable of meeting the demands of today’s digital businesses, which operate without a defined perimeter. The threat posed by VPNs lies in their design: they punch a hole through the firewall and grant network-level access. If VPN credentials are compromised, an attacker gains access to the network and can move laterally across it, working out a way to exploit it. Think this isn’t possible? Check out Day 12 in our 2019 “12 Days of Hackmas” series.
Network segmentation has been used in the past as a countermeasure against this type of access; however, if it’s not implemented properly (for example, by granting “permit any” access between segments) you still run the risk of attackers moving around your network freely, all while you believe the security hole has been closed.
To protect your business and enable Zero Trust, grant users access to only those applications they need for their role.
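The decision described above, application-level access granted per request from entitlement, identity, device posture and authentication, can be written as a small policy function. The following is an added example, not code from the original post; the role table, the device posture fields and the "payroll is sensitive" rule are constructed assumptions standing in for whatever your identity provider and device management actually report.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Device:
    managed: bool          # enrolled in device management (assumed posture signal)
    disk_encrypted: bool   # assumed posture signal
    patched: bool          # OS patch level within policy (assumed posture signal)


@dataclass
class AccessRequest:
    user: str
    app: str
    device: Device
    mfa_verified: bool     # set by the identity provider after a successful MFA challenge


# Constructed entitlement data: which role may reach which application.
USER_ROLES = {"alice": "finance", "bob": "engineer"}
ROLE_APPS = {
    "finance": {"payroll", "expenses"},
    "engineer": {"git", "ci", "wiki"},
}
# Applications that additionally demand a fully compliant device (constructed rule).
SENSITIVE_APPS = {"payroll"}


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Decide one application-level access request.

    Every check must pass; the first failing check is returned as the reason
    so the decision can be logged and audited. There is no notion of "on the
    network" here: the user only ever gets a yes or no for one application.
    """
    role = USER_ROLES.get(req.user)
    if role is None:
        return False, "unknown identity"
    if not req.mfa_verified:
        return False, "MFA not satisfied"
    if req.app not in ROLE_APPS.get(role, set()):
        return False, f"{req.user} ({role}) is not entitled to {req.app}"
    if not req.device.managed:
        return False, "unmanaged device"
    if req.app in SENSITIVE_APPS and not (req.device.disk_encrypted and req.device.patched):
        return False, "device posture below requirement for a sensitive application"
    return True, "allow"


def reachable_apps(user: str) -> set:
    """Applications this identity could ever be granted: nothing outside the role's entitlement."""
    return set(ROLE_APPS.get(USER_ROLES.get(user, ""), set()))


if __name__ == "__main__":
    good = Device(managed=True, disk_encrypted=True, patched=True)
    print(evaluate(AccessRequest("alice", "payroll", good, mfa_verified=True)))
    print(evaluate(AccessRequest("bob", "payroll", good, mfa_verified=True)))
```

Note that the checks are ordered so that the cheapest and most decisive signals (identity, MFA) run first, and that a denial always names the failing check; that reason string is what you want in the access log when investigating why a request was refused.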
2 – Isolate Your Network Infrastructure From the Public Internet
Highlight: isolate your internal infrastructure and applications from the public internet. If it doesn’t need to see the internet then close it off! Think it doesn’t happen? Accenture did it.
Scanning IP addresses for open ports is as old as… the internet. The basic idea is that you pick a set of IP addresses (either targeted or random) and ask each of them for a list of open ports. If the attacker finds an open port (say, 3389, the default Remote Desktop Protocol port), the attacker knows it can use RDP to start an attack. It’s quite simple from there: query the server behind port 3389 for the version of Windows it’s running (the server will tell you which patch level it’s on), look up known vulnerabilities for Windows Server version XYZ at patch level ABC… and the attacker walks in the door.
If you hide your internal network from the internet then an attacker can’t see you to perform this simple and routine hack.
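A defender's counterpart to the scan described above is to audit your own hosts for management and database services bound where the internet could reach them. The following is an added example, not code from the original post: it parses lines in the shape of `ss -tlnH` output (constructed sample included) and flags internal-only ports bound to a wildcard or globally routable address. The port list is an assumption to adapt to your environment, and a bind audit is only a first check: a host firewall or the perimeter may still block a wildcard bind, and a NAT port-forward can expose a private one.

```python
import ipaddress
from typing import List, Optional, Tuple

# Services that should never face the public internet (constructed list; adjust to your estate).
INTERNAL_ONLY_PORTS = {22: "ssh", 445: "smb", 3306: "mysql", 3389: "rdp", 5432: "postgres", 6379: "redis"}

# Bound on every interface, including any internet-facing one.
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_listener(line: str) -> Optional[Tuple[str, int]]:
    """Parse one line shaped like `ss -tlnH` output: State Recv-Q Send-Q Local Peer."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")   # rpartition keeps IPv6 colons intact
    return addr.strip("[]"), int(port)


def is_exposed(addr: str) -> bool:
    """A wildcard bind or a bind on a globally routable address is reachable from outside."""
    if addr in WILDCARD_BINDS:
        return True
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def audit(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (port, service, bind address) for every internal-only service that is exposed."""
    findings = []
    for line in lines:
        parsed = parse_listener(line)
        if parsed is None:
            continue
        addr, port = parsed
        if port in INTERNAL_ONLY_PORTS and is_exposed(addr):
            findings.append((port, INTERNAL_ONLY_PORTS[port], addr))
    return findings


# Constructed sample: one host with a mix of loopback, private and wildcard binds.
SAMPLE_LISTENERS = """\
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3389 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 10.0.0.5:5432 0.0.0.0:*
""".splitlines()

if __name__ == "__main__":
    for port, name, addr in audit(SAMPLE_LISTENERS):
        print(f"{name} (tcp/{port}) listens on {addr}: bind it to an internal address or firewall it")
```

Run it against the real `ss -tlnH` output of each server and feed the findings into your change process; the web front end on 443 is deliberately not flagged because it is meant to be public, which is the distinction the section is making.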
3 – Enable Web Application Firewalls (WAF) to protect internal applications
Highlight: Firewalls at the perimeter are not enough. Use WAFs to protect internal applications and the data behind them from zombie machine attacks.
A cyber attack doesn’t always have to be a one-target event. Cyber criminals now seek out specific users with desirable seniority, skill sets and access levels, then launch attacks via email, social media, SMS and more to capture their target’s credentials. Once those credentials are stolen, the attacker can launch an attack on an internal application thought to be safe merely because it’s not publicly accessible.
The victim is often unaware that their computer has been launching attacks as a “zombie device” and the attacks can go unnoticed if security teams focus their attention on external threats only.
Cybercriminals will target a device, turn it into a zombie machine, and use it to attack applications that are thought to be safe behind a firewall.
4 – Implement Identity, Authentication and Authorisation before providing access
Highlight: Single-factor authentication (username and password) is no longer reliable, because too many people reuse their username/password combination. Multi-Factor Authentication (MFA) and Single Sign-On (SSO) are key technologies for countering credential theft.
Usernames and passwords really don’t work well in isolation. It’s entirely possible to guess someone’s password, and the system has no way of verifying that the user is who they claim to be. Password reuse is crippling businesses at the moment, and users are confused: how are they meant to remember so many passwords?!
Multi-factor authentication stops many attackers in their tracks, because even with stolen credentials it’s highly unlikely that they have also compromised the victim’s mobile phone. Mobile phones are the most common device used for MFA, with the Google and Microsoft authenticator apps supported by many applications.
Single Sign-On bonds systems together: once a user has authenticated and been authorised through MFA, SSO lets them log into all of their applications with one set of credentials. This makes life a lot easier for users and for system administrators. When a user leaves, only one set of credentials needs to be deactivated, rather than logging into multiple systems to turn off access and potentially forgetting one.
Multi-factor authentication is a must. Weak credentials, along with the reuse of usernames and passwords across applications, significantly increase an enterprise’s attack surface.
5 – Use easy-to-deploy technology as a bare minimum
Highlight: there’s more than antivirus at your disposal to tighten your security. Anti-malware is often overlooked, as is DNS-based protection.
Cybersecurity is a puzzle that’s similar to overlapping cross stitching. Whilst organisations might have firewalls, secure web gateways, sandboxes, intrusion prevention systems, and endpoint anti-virus deployed, businesses are still falling victim to phishing and malware attacks.
DNS is often overlooked as a system to secure, yet many systems and tools exist to help protect against DNS-based data exfiltration.
Enterprises should leverage the DNS protocol as a security control point to help detect and stop cyberattacks early in the kill chain.
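To make the DNS control point concrete, here is an added example (not code from the original post) of the kind of detection a resolver log feed enables: data tunnelled out over DNS shows up as many distinct, long, high-entropy subdomains under one base domain from one client. The log line format, the thresholds and the sample data are constructed assumptions; the base-domain split takes the last two labels, which a real deployment would replace with a Public Suffix List lookup.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple


def shannon_entropy(s: str) -> float:
    """Bits per character: encoded or random data scores high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (base domain, subdomain part). Simplification: base = last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyse(lines: List[str], min_unique: int = 5, min_len: int = 20,
            min_entropy: float = 3.0) -> List[Dict]:
    """Flag (client, base domain) pairs whose subdomains look like encoded data chunks."""
    subdomains = defaultdict(set)
    for line in lines:
        parts = line.split()            # constructed format: timestamp client QUERY qname qtype
        if len(parts) < 5 or parts[2] != "QUERY":
            continue
        client, qname = parts[1], parts[3]
        base, sub = split_name(qname)
        if sub:
            subdomains[(client, base)].add(sub)
    alerts = []
    for (client, base), subs in subdomains.items():
        if len(subs) < min_unique:      # a handful of hostnames is normal browsing
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_len and avg_ent >= min_entropy:
            alerts.append({"client": client, "domain": base, "unique_subdomains": len(subs),
                           "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                           "approx_bytes_out": sum(len(s) for s in subs)})
    return alerts


def constructed_log() -> List[str]:
    """Constructed resolver log: ordinary lookups plus six queries carrying 32-character chunks."""
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"                    # base32 alphabet
    chunks = [alphabet[i:] + alphabet[:i] for i in range(0, 30, 5)]  # six distinct chunks
    lines = [
        "2020-03-01T10:00:00Z 10.0.0.13 QUERY www.example.com A",
        "2020-03-01T10:00:01Z 10.0.0.13 QUERY mail.example.com A",
        "2020-03-01T10:00:02Z 10.0.0.12 QUERY cdn.example.com A",
        "2020-03-01T10:00:03Z 10.0.0.12 QUERY www.example.com A",
    ]
    lines += [f"2020-03-01T10:01:{i:02d}Z 10.0.0.12 QUERY {c}.tunnel.example TXT"
              for i, c in enumerate(chunks)]
    return lines


if __name__ == "__main__":
    for alert in analyse(constructed_log()):
        print(alert)
```

Thresholds are the tuning knob: content delivery and anti-spam services legitimately use long, random-looking labels, so in production you would whitelist known base domains and alert on the volume trend per client rather than on a single batch.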
6 – Monitor incoming and outgoing internet traffic
Highlight: what’s the point of having all the latest technologies if nobody’s watching? Auditing and confirming all activity is something companies need to commit to rather than just allowing traffic to move around.
The core tenet of Zero Trust is that the external and internal environments must be considered hostile at all times. All activity must be monitored, not blindly allowed, which requires visibility into what’s happening on the network at any one time. This also requires intelligence to make comparisons between different traffic types.
All internal and external traffic must be assessed to ensure that the source and destination are known and trusted rather than malicious or unacceptable. Suspicious behaviour on the network, such as communication with a command and control server or bulk data export, must also be monitored, with alerts sent immediately. What’s the point of a 2am alert if nobody is watching? A 24×7 service is required to listen and react.
7 – Integrate Security Information and Event Management (SIEM)
Highlight: threat and event data requires human intervention to investigate suspicious activity.
A SIEM monitors for threats and provides real-time security alerts. It combines two functions, the collection and storage of logs and their interpretation and reporting, to provide fast analysis and identification of security events in real time.
Quickly detecting and identifying security events is just one of the many features that makes SIEM an excellent tool for businesses and IT departments. Some of the potential benefits of SIEM as a service include:
- Increased efficiency
- Preventing potential security breaches
- Reducing the impact of security events
- Saving money
- Better reporting, log collection, analysis and retention
- IT compliance
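Steps 6 and 7 come together in the correlation rules a SIEM runs over normalised events. The following is an added example, not code from the original post or from any particular SIEM product: two rules over a constructed event stream, one for repeated authentication failures followed by a success from the same source, and one for the near-constant connection interval of a host talking to a command and control server. The event schema, thresholds and sample data are assumptions; the addresses are from documentation ranges.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List


def rule_bruteforce_then_success(events: List[Dict], max_failures: int = 5,
                                 window: int = 300) -> List[Dict]:
    """At least `max_failures` failed logins from one source in the `window`
    seconds before a successful login from that same source."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "auth":
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            failures = [f for f in evs[:i]
                        if f["outcome"] == "failure" and e["ts"] - f["ts"] <= window]
            if len(failures) >= max_failures:
                alerts.append({"rule": "bruteforce-then-success", "src": src,
                               "user": e["user"], "failures": len(failures), "ts": e["ts"]})
    return alerts


def rule_periodic_outbound(events: List[Dict], min_connections: int = 6,
                           max_jitter: float = 0.1) -> List[Dict]:
    """Connections from one host to one destination whose inter-arrival gaps have a
    coefficient of variation <= max_jitter: the regular heartbeat of a beaconing implant.
    A production rule would also restrict this to external destinations."""
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == "conn":
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    alerts = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts.append({"rule": "periodic-outbound", "src": src, "dst": dst,
                           "interval_s": round(avg, 1), "connections": len(times)})
    return alerts


def run_rules(events: List[Dict]) -> List[Dict]:
    return rule_bruteforce_then_success(events) + rule_periodic_outbound(events)


def constructed_events() -> List[Dict]:
    """Constructed, already-normalised events (ts = seconds). Built inline so the example runs offline."""
    events = []
    # six failed logins for alice from one external address, then a success 10 s later
    for k in range(6):
        events.append({"ts": 1000 + 10 * k, "type": "auth", "src": "198.51.100.7",
                       "user": "alice", "outcome": "failure"})
    events.append({"ts": 1060, "type": "auth", "src": "198.51.100.7", "user": "alice", "outcome": "success"})
    # a legitimate user who mistypes twice and then logs in: should not alert
    events += [{"ts": 1100, "type": "auth", "src": "10.0.0.20", "user": "bob", "outcome": "failure"},
               {"ts": 1105, "type": "auth", "src": "10.0.0.20", "user": "bob", "outcome": "failure"},
               {"ts": 1110, "type": "auth", "src": "10.0.0.20", "user": "bob", "outcome": "success"}]
    # a workstation contacting one external host roughly every 60 s
    for ts in (0, 60, 121, 180, 241, 300, 360):
        events.append({"ts": ts, "type": "conn", "src": "10.0.0.12", "dst": "198.51.100.9"})
    # bursty, irregular traffic to an internal file server: should not alert
    for ts in (0, 5, 200, 210, 900):
        events.append({"ts": ts, "type": "conn", "src": "10.0.0.13", "dst": "10.0.0.50"})
    return events


if __name__ == "__main__":
    for alert in run_rules(constructed_events()):
        print(alert)
```

The alerts these rules emit are where the "human intervention" in the Highlight above begins: each one carries the source, the user or destination and the evidence count, which is what an analyst on a 24×7 service needs to decide whether to investigate.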