Zero Trust Starts Now!
IT Radix discusses the Zero Trust strategy for network and endpoint security. In simple terms, this strategy assumes that a network's security is at risk 100% of the time, so every user, device and application must be verified before it is allowed to do anything. Affordable Zero Trust security software applications are now available for the small-to-medium business market.
This is for owners and managers looking for a higher level of security against attacks and breaches that may occur at any of their users' endpoints, regardless of physical location. It controls access to critical systems and data while automating detection and response activities.
Watch our recorded webinar below to learn why it’s important to take a Zero Trust security strategy for your business.
Complete transcript below:
Disney Analogy: Your Network is No Longer a Castle Surrounded by a Moat
Why You Need a Zero-Trust Approach to Security
Nowadays though, with people working from home and touching multiple systems and multiple applications, security breaches have kind of become not a question of if, but when something's going to happen to you. You know, even Microsoft has started to move away from a perimeter-based type of an approach; they're embracing a zero-trust model, and they're building some of that stuff into the Microsoft 365 platform. But that is not the only thing that most of our clients are using.
So, what I thought I would do is run through a couple of examples of what’s going on these days out there and sort of talk through why you need to improve and up your zero-trust game.
Attacks Via Email, Text Messages, and Web Pages
Okay, so the first thing, many of you may have experienced this: we've seen them come through as text messages, we've seen them come through as emails, sometimes maybe you hit a web page and then it prompts you for your Microsoft credentials, or it might pop up on your machine. Now, these are two examples; if you look super closely, one is legitimate and one is not. You know, they both obviously have the Microsoft branding, and the real question is, you know, if somebody's moving quickly, or they're not paying attention, are they going to notice the difference between the one that's legit and the one that's not? So, the one that's legit happens to be the one on the left, and the one that is not is the one on the right.
Well, I have a peer group that I belong to, and they shared a story where one of their folks couldn't tell the difference between those two, and the attackers used that login screen to steal their MFA token, and then they were into pretty much their entire business network. They got into the email, they got into OneDrive, SharePoint, and then their business application itself. It happened to be a group of therapists. Of course, their patients had shared lots of private, confidential information with their therapists, and once one of the therapists in the organization had been breached, the hackers had their way in. And then the hackers leaked it all, and now this is a headline, a real headline, that we got from Wired Magazine, which is a tech magazine that's out there, and this was a real situation that happened.
Living-Off-the-Land Attacks
The next one that I wanted to talk a little bit more about is something called "Living-Off-the-Land Attacks." This is an image of a security bulletin that we received. We follow a variety of sources regarding cyber news and cyber updates, and you can see this is from September 14th. Living Off the Land attacks are basically where they take advantage of something that's built into the computer or commonly used, and they're leveraging those tools to steal credentials and get access. You know, they can stay persistent on your machine and run things in the background, potentially exfiltrate your data, upload it to the Internet, things like that. So, they're Living Off the Land; they leverage things like Dropbox, Google, Chrome, OneDrive. And the reason why they work is that antivirus can't tell the difference between Dropbox copying a file and a bad guy using Dropbox to copy a file to the Internet. So, the same thing if you're using some kind of application: they can't tell the difference between what's good and what's bad in terms of these programs, and so your traditional antivirus or your endpoint detection and response isn't necessarily going to detect this, because it is something that's built into the computer and is in a sense trusted.
So, when these things happen, the average time to actually detect and contain a breach like this can be 287 days. That's a long time, and who knows what they've done in that long period of time in terms of potentially taking your data, or, as we've seen, invoice manipulation, wire transfer information changes, things of that nature. So, we are encouraging everyone to take a much stronger approach.
Zero Trust is Nothing New
And really, Zero Trust has been around for a long time. You know, it is nothing new, but basically you want to deny everything by default, trust nothing, and then only allow what's necessary to run. Bear with me for one second, I'm going to hide that. So, the other thing you want to do, when you're looking at all of this, is treat every user, every device, every application, even a data flow, as untrusted. So, to help sort of organize your thought process and to get started around this, we like to use things called frameworks. NIST is a cybersecurity framework that's sort of generic, that cuts across many industries. Some industries have specific frameworks that they must follow, whether it's health care, accounting, financial services have them, manufacturers have them. But NIST is a generic one that cuts across multiple industries, and typically the specific industries will leverage and lay on top of the NIST framework. But, basically, as you see here, it's sort of a circular process that's always going. You start out with identifying what's important, who it is, what it is, what they're trying to do; then you want to protect what's going on and prevent.
If they do happen to get in where I mentioned that antivirus can’t detect/see it, there are now tools out there that can do ongoing monitoring that can detect, and then of course you want to respond and recover from a particular incident.
Make MFA Mandatory
Implement Conditional Access Policies
The other thing that you can do around this area is implement things called Conditional Access Policies, and they can be applied to the person in addition to a device or a system. So, I'm going to remind you of Privileged Access Management; this also ties into who is getting into what. So what you want is to decide. Let's say it's Cathy. I'm trying to get into a particular program, and you want to limit me so that I'm not what's called a "local admin" on my machine or in a system. If I'm logging in to do something that requires elevated privileges, I should either use a separate ID that gives me those elevated privileges, or use something called Privileged Access Management, which allows me to request access which is given to me for a period and then taken away. So, you want to make sure that you're restricting what people can get to, that you don't have everybody logging in as an admin, and that you're thinking through the process of who has access to what. So, the next thing you want to do is protect the thing.
So now you’ve validated that “Hey, yes, Cathy has the access to get into it.”
Apply Least Privileges to Your Applications
Use Ring Fencing to Set Application Boundaries
Continuous Monitoring
Let’s Sum it Up
To sum up—Zero Trust—you want to identify, you want to validate and limit what the users can do, you want to allow specific applications and devices, you want to contain what those applications can do, and you want to continuously monitor and evaluate what's going on. There are technology solutions that can do much of this, but we always encourage you to train your users around cybersecurity best practices.
When in doubt, “trust but verify” is one of my favorite things these days to say. If something seems a little hinky, it probably is a little hinky. Trust but verify, double check it, and make sure that it is what you think it is. You want to get all your folks thinking Zero Trust in terms of how they work and what they do in their day-to-day business operations.
If you're ready to upgrade your cybersecurity posture, feel free to give us a call. We'd be happy to do a full cybersecurity review and talk to you about some of the things that are going on out there that maybe you don't already have in your environment. If you're one of our clients, you may already have some of these, but maybe not all of these, in your environment. And the other thing that's going on is that October is Cybersecurity Awareness Month. Many of the manufacturers of these technical solutions are offering some specials that we can then take advantage of and pass down to you.
With that, I'm going to wrap up. I'm not sure if there are any questions, because I've been talking fast. But if there are any questions, now's a good time to ask them. I do see some chats, so let me see what it says here.
Question: Could the Allowed List be set up for an application if and when it’s needed?
There are lots of ways you can set those allowed lists; you can set it so that it's time-of-day specific, for example. You could also… one of the common ones that we see is that some applications will try to automatically update themselves. We can control that as well, to ensure that you don't end up with a weaponized version of something, or accidentally download something that leverages these tools. But the answer is, yes.
What we do when we sit down with the client is we talk through what it is they're using, how they're using it, when they're using it, where they're using it from geographically, as well as the device that they're using it from, and we set up all those rules around that. And then the other thing, of course, is we can have MFA set up on things like Microsoft 365 or some cloud application. Some of that is a matter of what's built into the system that you're using. But what I encourage all our clients to do is make a list of all the stuff you use. We did it here at IT Radix. I was shocked! The list was like 120 things, and we sat there, and we went through one by one by one by one and said: "Does the vendor offer the ability to do MFA?" If they do, great, we're going to turn it on. If they don't, what is some kind of mitigating measure we can put in place to help protect ourselves? So, any other questions?
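The deny-by-default allowed list described in the answer above (and the per-user, per-device conditional access from the earlier section) can be modelled as a small policy evaluator. This is an added example, not code from IT Radix or from any product mentioned in the webinar; the users, devices, applications and rules in it are constructed.

```python
# Added example: a default-deny application allow list with conditional rules
# on user, device, geography, time of day and MFA. Every name below is made up.
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class AccessRequest:
    user: str
    application: str   # program or SaaS app being launched
    device: str        # managed device the request comes from
    country: str       # where the request originates
    at: time           # local time of day of the request
    mfa_passed: bool   # did the user complete MFA for this session?


@dataclass(frozen=True)
class AllowRule:
    application: str
    users: frozenset
    devices: frozenset
    countries: frozenset
    start: time        # rule is valid only between start and end (inclusive)
    end: time
    require_mfa: bool = True

    def reject_reason(self, r: AccessRequest):
        """Return None if this rule permits r, else the first failed condition."""
        if r.user not in self.users:
            return "user"
        if r.device not in self.devices:
            return "device"
        if r.country not in self.countries:
            return "country"
        if not (self.start <= r.at <= self.end):
            return "time-of-day"
        if self.require_mfa and not r.mfa_passed:
            return "mfa"
        return None


def evaluate(r: AccessRequest, rules) -> tuple:
    """Zero-trust decision: deny unless some rule explicitly allows every aspect."""
    candidates = [rule for rule in rules if rule.application == r.application]
    if not candidates:
        return False, "denied: application not on the allowed list"
    reasons = []
    for rule in candidates:
        why = rule.reject_reason(r)
        if why is None:
            return True, "allowed"
        reasons.append(why)
    return False, "denied: " + ", ".join(sorted(set(reasons)))


# Constructed policy: the bookkeeper may run the accounting app from her own
# managed laptop, from the US, during business hours, with MFA.
RULES = [
    AllowRule("quickbooks.exe", frozenset({"cathy"}), frozenset({"LAPTOP-C01"}),
              frozenset({"US"}), time(7, 0), time(19, 0)),
    AllowRule("outlook.exe", frozenset({"cathy", "bob"}),
              frozenset({"LAPTOP-C01", "LAPTOP-B02"}), frozenset({"US"}),
              time(0, 0), time(23, 59)),
]
```

Anything not covered by a rule, including a cloud-sync client an attacker might want to use for exfiltration, is denied without needing a signature for it.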