20-Minute Tech Talk:

Zero Trust Starts Now!

IT Radix discusses the Zero Trust strategy for network and endpoint security. In simple terms, this strategy assumes that a network’s security is at risk 100% of the time. Affordable Zero Trust security software applications are now available for the small-to-medium business market.

This is for owners and managers looking for a higher level of security against attacks and breaches that may occur at any of their users’ endpoints regardless of their physical location. It controls access to critical systems and data while automating detection and response activities.

Watch our recorded webinar below to learn why it’s important to take a Zero Trust security strategy for your business.

Complete transcript below:

Hello, it is 12:10. So, I’m going to go ahead and get started. Thank you for joining us today for The Future is Zero Trust: Zero Trust Starts Now, and particularly in this, you know, remote and hybrid work environment, it is an important topic that we thought deserved a little bit of an encore performance. We’ve done this before, but we are going to try to cover some new ground today. If you have any questions, you can ask them via the chat or you can raise your hand through Zoom, and if you want to ask it interactively, just let us know. We have a couple folks and a few folks from IT Radix, but in particular I have Dan who is our Wizard of Oz today and he’ll unmute you and give you a chance to ask your questions if you’d rather just say it than type it. At the very end of this, because I often forget, we’re going to be asking you for some feedback. So, I would love to get your feedback on what you thought of today or topics that you’d like to hear in the future. So, with that, I’m going to go ahead and get started.

Disney Analogy: Your Network is No Longer a Castle Surrounded by a Moat

I was in Florida not too long ago and many of you might recognize this picture. It is the Cinderella castle at Disney, and I thought it was a good representation or analogy for, you know, what computer networks were like many years ago. It was your castle, it was self-contained, and it had a moat around it. You know, pretty much you knew who was coming in and out because it had selected entry points, gates and so forth for you to get in and out. But as time went by, like Disney, you know, your network is like Disney and it has probably expanded to something like this where the perimeter has pushed out. It may not even be anywhere geographically within reach; it might be another location, it might be a person working from home, it might be a cloud application that you’re using, and so that perimeter that you need to worry about has exponentially grown and evolved. Back in the early days, if you go back to the single Cinderella Castle, the wall and the moat were sort of the early firewalls of the castles. In the technology world, we used firewalls, and the way the firewalls would work is in your network, it’s your office. We would deny everything and then only allow what you selectively wanted to go through. It was an early implementation of zero trust architecture.

Why You Need a Zero-Trust Approach to Security

Nowadays though, with people working from home with you touching multiple systems and multiple applications, security breaches have kind of become not a question of if, but when something’s going to happen to you. You know, even Microsoft has started to move away from a perimeter-based type of an approach and they’re embracing a zero-trust model and they’re building some of that stuff into the Microsoft 365 platform. But that is not the only thing that most of our clients are using.

So, what I thought I would do is run through a couple of examples of what’s going on these days out there and sort of talk through why you need to improve and up your zero-trust game.

Attacks Via Email, Text Messages, and Web Pages

Okay, so the first thing, many of you may have experienced this: we’ve seen them come through as text messages, we’ve seen them come through as emails, sometimes it’s maybe you hit a web page and then it prompts you for your Microsoft credentials, or it might pop up on your machine. Now, these are two examples; if you look super closely, one is legitimate and one is not. You know, they both obviously have the Microsoft branding, and the real question is, you know, if somebody’s moving quickly, or they’re not paying attention, are they going to notice the difference between the one that’s legit and the one that’s not? So, the one that’s legit happens to be the one on the left and the one that is not is the one on the right.

Well, I have a peer group that I belong to, and they shared a story where one of their folks couldn’t tell the difference between those two, and they used that login screen to steal their MFA token, and then they were into pretty much their entire business network. They got into the email, they got into OneDrive, SharePoint, and then their business application itself. It happened to be a group of therapists. Of course, their patients had shared lots of private confidential information with their therapists, and once one of the therapists in the organization had been breached, the hackers had their way in. And then the hackers leaked it all, and now this is a headline, a real headline, that we got from Wired Magazine, which is a tech magazine that’s out there, and this was a real situation that happened.

Living-Off-the-Land Attacks

The next one that I wanted to talk a little bit more about is something called “Living-Off-the-Land Attacks.” This is an image of a security bulletin that we received. We follow a variety of sources regarding cyber news and cyber updates, and you can see this is from September 14th. Living Off the Land attacks are basically where they take advantage of something that’s built into the computer or commonly used, and they’re leveraging those tools to steal credentials and get access. You know, they can stay persistent on your machine and run things in the background, potentially exfiltrate your data, upload it to the Internet, things like that. So, they’re Living Off the Land; they leverage things like Dropbox, Google, Chrome, OneDrive. And the reason why they work is antivirus can’t tell the difference between Dropbox copying a file or a bad guy using Dropbox to copy a file to the Internet. So, the same thing if you’re using some kind of application: they can’t tell the difference between what’s good and what’s bad in terms of these programs, and so your traditional antivirus or your endpoint detection and response isn’t necessarily going to detect this because it is something that’s built into the computer and is in a sense trusted.

So, when these things happen, the average time to actually detect and contain a breach like this can be 287 days. That’s a long time, and who knows what they’ve done in that long period of time in terms of potentially taking your data, or we’ve seen invoice manipulation, wire transfer information changed, things of that nature. So, we are encouraging everyone to take a much stronger approach.

Zero Trust is Nothing New

And really, Zero Trust has been around for a long time. You know, it is nothing new, but basically you want to deny everything by default, trust nothing, and then only allow what’s necessary to run. Bear with me for one second, I’m going to hide that. So, the other thing you want to do is, when you’re looking at all of this, you want to treat every user, every device, every application, even a data flow as untrusted. So, to help sort of organize your thought process and to get started around this, we like to use things called frameworks. NIST is a cybersecurity framework that’s sort of generic, that cuts across many industries. Some industries have specific frameworks that they must follow, whether it’s health care, accounting, financial services have them, manufacturers have them. But NIST is a generic one that cuts across multiple industries, and typically the specific industries will leverage and lay on top of the NIST framework. But, basically, as you see here, it’s sort of a circular process that’s always going. You start out with identifying what’s important, who it is, what it is, what they’re trying to do; then you want to protect what’s going on and prevent.

If they do happen to get in, where I mentioned that antivirus can’t detect or see it, there are now tools out there that can do ongoing monitoring that can detect, and then of course you want to respond and recover from a particular incident.

Make MFA Mandatory

So, the first thing I’m going to touch on is identifying. The first thing, MFA, in our opinion, is mandatory on everything. You want to identify in multiple ways who is getting access to what. So, you want to ask the question “who are you?” You want to evaluate where your data lives, and that could be ordering office supplies, it could be accounting data, it could be client data. You want to look at where your data lives. Sometimes, it’s going to be on a PC in your office. Sometimes, it might be on a server in your office. Sometimes, it might be in the cloud, whether it’s Dropbox, Google Drive, Microsoft 365. Sometimes it’s in your email. Sometimes that email is on somebody’s phone. So, wherever your information lives, you want to make sure you have multiple layers of authentication to get to that. So, typically, MFA is something where it uses your user ID, your password, and some sort of secondary level of checking. Text messaging is okay, but we really prefer the ones where they do things like number matching, using biometrics or temporary one-time passwords to get in.

Implement Conditional Access Policies

The other thing that you can do around this area is implement things called Conditional Access Policies, and they can be applied to the person in addition to a device or a system. So, I’m going to mention Privileged Access Management; this also ties into who is getting into what. So what you want is to decide. Let’s say it’s Cathy. I’m trying to get into a particular program, and you want to limit me so that I’m not what’s called a “local admin” on my machine or in a system. If I’m logging in to do something that requires elevated privileges, I should either use a separate ID that gives me those elevated privileges or use something called Privileged Access Management, which allows me to request access which has been given to me for a period and then taken away. So, you want to make sure that you’re restricting what people can get to, that you don’t have everybody logging in as an admin, and that you’re thinking through the process of who has access to what. So, the next thing you want to do is protect the thing.

So now you’ve validated that “Hey, yes, Cathy has the access to get into it.”

Apply Least Privileges to Your Applications

So, now what you want to do is look at WHAT am I doing. Is it an application, is it a device? Have I plugged a USB key into a machine? Am I running an application that I should be using? So, the first thing you want to do is look at your devices and, in this area, there is software out there now that can set what is allowed and what is not allowed to run on a particular device or machine. Again, you just want to allow only what’s needed. The concept here is to apply the least privileges to your applications. Let’s say we put the software on your machine, we develop a list of the software that’s on there, we run through it with you and say “yes,” this, this, and this are allowed. We’ll just say Chrome, Outlook, Word, Excel are all allowed. Typical things like Microsoft Edge, Teams, things of that nature, you would typically allow them. But maybe you’ve decided you don’t want to allow audio book clubs. So, we would put that on the “not allowed” list and the software that’s installed on the machine would not allow a person to execute that. But in addition to just building that “allow” list, when you build that “allow” list, it validates the list of software against the software manufacturer’s signature, so that if somebody has tried to weaponize a version of Chrome, for example, it will compare the Chrome that you have on your machine against what Google says is the valid version of Chrome. If it is a valid version, it will allow it to execute. If it’s invalid, it will block it.

Use Ring Fencing to Set Application Boundaries

And then the other thing that it can do is something called Ring Fencing, which is Chrome behind the scenes. When you launch Chrome, what you don’t realize is that Chrome has the ability to do a whole bunch of things on your computer that you, the end user, never even see. So, what you want to do is, you’ve allowed Chrome, but you want to put some boundaries around what Chrome can do, and that’s called Ring Fencing. So you want to Ring Fence Chrome. The only thing Chrome is allowed to do while you’re running Chrome is to allow you to browse, allow you to see a video, maybe download something, but it can’t execute some of these tools that are baked into the Windows operating system or the Mac operating system. There are things called PowerShell where it can run in the background and the user is completely unaware that this is happening. You want to put in the identity, MFA everywhere you can, you want to put in the limited privileges, you want to be able to grant temporary elevated privileges on an as-needed basis, you want to identify and allow only specific sets of software, and then put boundaries around what that software can do. Then, in the event there’s still something that goes through, you want to always be continuously monitoring, checking, and looking to make sure that all those things and all those parameters, nothing’s gotten bypassed.

Continuous Monitoring

So, you’re detecting and you’re hunting all the time for things called Persistent Footholds, and you’re looking at the behavior of what’s going on. Anything that looks suspicious, you want to be able to alert on, and ideally it’s a combination of human and artificial intelligence tools. If you see something that looks suspicious, contain it. You want to contain the blast zone. You want to limit how far something can get into your environment, and you want to do that on a continuous basis. So, you want to be able to isolate or pull that device, if it’s a device, off the network, or perhaps it’s somebody logging into your Microsoft 365 environment, you want to block their login so it can go no further. These are all the types of things you want to do as part of this Zero Trust environment that you’re building.

Let’s Sum it Up

To sum up Zero Trust: you want to identify, you want to validate and limit what the users can do, you want to allow specific applications and devices, you want to contain what those applications can do, and you want to continuously monitor and evaluate what’s going on. There are technology solutions that can do much of this, but we always encourage you to train your users around cybersecurity best practices.

When in doubt, “trust but verify” is one of my favorite things these days to say. If something seems a little hinky, it probably is a little hinky. Trust but verify, double check it, and make sure that it is what you think it is. You want to get all your folks thinking Zero Trust in terms of how they work and what they do in their day-to-day business operations.

If you’re ready to upgrade your cybersecurity posture, feel free to give us a call. We’d be happy to do a full cybersecurity review and talk to you about some of the things that are going on out there that maybe you don’t already have in your environment. If you’re one of our clients, you may already have some of these, but maybe not all of these, in your environment. And the other thing that’s going on is, in October, it’s Cybersecurity Awareness Month. Many of the manufacturers of these technical solutions are offering some specials that we can then take advantage of and pass down to you.

With that, I’m going to wrap up. I’m not sure if there are any questions because I’ve been talking fast. But if there are any questions, now’s a good time to ask them. I do see some chats, so let me see what it says here.

Question: Could the Allowed List be set up for an application if and when it’s needed?

There are lots of ways you can set those allowed lists; you can set it so that it’s time-of-day specific, for example. You could also… one of the common ones that we see is that some applications will try to automatically update themselves. We can control that as well, to ensure that you don’t end up with a weaponized version of something, that you don’t accidentally download something that leverages these tools. But the answer is, yes.

What we do when we sit down with the client is we talk through what it is they’re using, how they’re using it, when they’re using it, where they’re using it from geographically, as well as the device that they’re using it from, and we set up all those rules around that. And then the other thing, of course, is we can have MFA certainly set up on things like Microsoft 365, or some cloud application. Some of that is a matter of what’s built into the system that you’re using. But what I encourage all our clients to do is make a list of all the stuff you use. We did it here at IT Radix. I was shocked! The list was like 120 things, and we sat there, and we went through one by one by one by one and said: “Does the vendor offer the ability to do MFA?” If they do, great, we’re going to turn it on. If they don’t, what is some kind of mitigating measure we can put in place to help protect ourselves? So, any other questions?

Signing Off

All right, with that, I’m going to sign off. Thank you for joining us and again, I would appreciate some feedback. If you’re interested in some of these tools and putting some more security measures in place, we’d love to talk with you. We got Ken, Doug, and myself on the line, and we are more than happy to speak with you about what other solutions you might want to put in place to tighten up and keep your perimeter nice and secure. Have a good day. Thanks!
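The application allow list and the Ring Fencing boundary described in the talk (the “Apply Least Privileges to Your Applications” and “Use Ring Fencing to Set Application Boundaries” sections) can be shown together as one deny-by-default policy check over process launches. The block below is an added illustration written for this page; it is not IT Radix’s tooling, nor the product the speaker refers to. It assumes a few things: the vendor-signature check the speaker describes is stood in for by comparing a SHA-256 fingerprint of the file on disk against the fingerprint of the approved build (real products use the vendor’s code-signing certificate), the executable bytes and the launch events are constructed byte strings, and the allow list and ring-fence rules are hypothetical policy chosen to show the two distinct decisions: a tampered copy of an allowed program is blocked, and a program that is allowed in general (PowerShell for administrators) is still blocked when a ring-fenced parent such as Chrome tries to launch it.

```python
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Fingerprint of a binary's bytes; stands in for the vendor-signature check (assumption)."""
    return hashlib.sha256(data).hexdigest()


# Constructed byte strings standing in for the approved builds on disk.
GOOD_CHROME = b"constructed stand-in for the vendor-signed chrome.exe"
GOOD_OUTLOOK = b"constructed stand-in for the vendor-signed outlook.exe"
GOOD_POWERSHELL = b"constructed stand-in for the OS-supplied powershell.exe"

# Hypothetical allow list: image name -> fingerprint of the approved build.
# Anything absent is blocked by default. powershell.exe is allowed so that
# administrators can use it, which is exactly what makes the ring fence matter.
ALLOW_LIST = {
    "chrome.exe": sha256_hex(GOOD_CHROME),
    "outlook.exe": sha256_hex(GOOD_OUTLOOK),
    "powershell.exe": sha256_hex(GOOD_POWERSHELL),
}

# Hypothetical ring fence: for a fenced parent, the only child images it may launch.
# Any other child is blocked, even one that is itself on the allow list.
RING_FENCE = {
    "chrome.exe": {"chrome.exe"},  # the browser may spawn its own helper processes only
    "outlook.exe": {"winword.exe", "excel.exe"},
}


@dataclass
class LaunchEvent:
    parent: str     # image that requested the launch (the user's shell, or Chrome)
    image: str      # image being launched
    content: bytes  # bytes of the file on disk (constructed for this example)


def evaluate(event: LaunchEvent) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one process launch, deny-by-default.

    The parent's own launch was evaluated when it started, so only the child is checked here.
    """
    expected = ALLOW_LIST.get(event.image)
    if expected is None:
        return "block", f"{event.image} is not on the allow list"
    if sha256_hex(event.content) != expected:
        return "block", f"{event.image} does not match the approved build (possible tampered copy)"
    fence = RING_FENCE.get(event.parent)
    if fence is not None and event.image not in fence:
        return "block", f"{event.parent} is ring-fenced and may not launch {event.image}"
    return "allow", "on the allow list, matches the approved build, and within the parent's ring fence"


# Constructed launch events: a normal Chrome start, a tampered Chrome, Chrome trying to
# start PowerShell, an administrator starting PowerShell, and an unapproved application.
SAMPLE_EVENTS = [
    LaunchEvent("explorer.exe", "chrome.exe", GOOD_CHROME),
    LaunchEvent("explorer.exe", "chrome.exe", b"constructed stand-in for a weaponized chrome.exe"),
    LaunchEvent("chrome.exe", "powershell.exe", GOOD_POWERSHELL),
    LaunchEvent("explorer.exe", "powershell.exe", GOOD_POWERSHELL),
    LaunchEvent("explorer.exe", "audiobooks.exe", b"constructed stand-in for an unapproved app"),
]


def run_demo(events=SAMPLE_EVENTS) -> list[str]:
    """Evaluate each event, print the verdict, and return the decisions in order."""
    decisions = []
    for ev in events:
        decision, reason = evaluate(ev)
        decisions.append(decision)
        print(f"{decision:5}  {ev.parent} -> {ev.image}: {reason}")
    return decisions


if __name__ == "__main__":
    run_demo()
```

The order of the checks is the point: the allow list answers “is this program approved at all,” the fingerprint answers “is this the approved build or a swapped-in copy,” and the ring fence answers “may this particular parent launch it.” Keeping the third check separate is what lets a living-off-the-land tool stay available to the people who need it while still being denied to a browser or mail client that has no business spawning it.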