Zero Trust: The New Cybersecurity Paradigm
Chief Information Security Officer, PenChecks Trust®
Cybersecurity technologies and methods used to protect a company’s data have significantly evolved over the last two decades. Unfortunately, so have the cyber criminals (hackers) who relentlessly pursue the riches to be made from stealing personal information and other sensitive data. As a result, gone are the days when a standard “Castle and Moat” cybersecurity approach could provide a reliable security tool.
Companies using this strategy would typically throw up a series of firewalls and switches to keep anyone outside of a network out and enable everyone inside to access everything, considering them safe and verified. With the proliferation of the cloud and the blurred lines formed by this newest technology focus, today’s cybersecurity requires a hybrid approach based on “never trust, always verify.” Continual authentication and authorization of any device or user in your organization must become an integral part of a never trust, always verify cybersecurity strategy.
Companies can no longer afford to have the mindset that everything inside their networks is trusted and verified. Instead, they must shift the old-school paradigm from trying to shield the “attack surface” to safeguarding their “protect surfaces.” The attack surface consists of the points where an attacker can try to enter a system to extract data or compromise the environment. Protect surfaces include the data, applications, assets, and other surfaces that can actually be stolen or compromised in a cyber-attack. Protect surfaces are typically smaller than the attack surface, and therefore easier to protect.
This “Zero Trust” approach does not involve throwing out all the firewalls and standard technologies you currently have in place around your network security infrastructure. Instead, those in charge of cybersecurity need to implement a hybrid approach of old and new. Continue to layer your security approach, but understand that “Zero Trust” mechanisms like Multi-Factor Authentication (MFA) need to be a focus in your evolving asset protection strategies.
Zero Trust: The New Cybersecurity Moat
The old cybersecurity paradigm made stopping or preventing attacks the primary goal. Now the focus needs to be on protecting your protect surfaces – any specific data, application or asset hackers will attack. Instead of focusing on stopping attacks, Zero Trust focuses on identifying your protect surfaces, which are typically defined by at least one of four criteria:
- What are your most sensitive assets?
- Which data do you need to protect?
- Which applications use sensitive information?
- Which services, such as DNS – the system that automatically translates internet addresses to the numeric machine addresses computers use – can hackers exploit to disrupt normal IT operations?
When organizations fail to define their attack surface (as many do), hackers can get inside. Zero Trust allows you to identify and define your company’s protect surfaces so you can establish micro-perimeters to keep the bad guys out.
Three Cybersecurity Mistakes Hackers Love
Approximately 90 percent of all cyber breaches fall into three categories:
- Lack of security awareness by the user
- Poor or nonexistent system security patching processes
- System misconfigurations
Cybercriminals always choose the path of least resistance when infiltrating a company to steal data. Allowing these three mistakes to occur in your company is like leaving the door wide open and inviting hackers into your environment. No company can guarantee 100 percent protection from a breach, but plugging these three holes can go a long way toward protecting your company and its physical and electronic assets.
Here’s how to eliminate these invitations to outside intruders:
- Patching. Start by maintaining a complete, up-to-date list of all your physical assets, including laptops, workstations, servers (virtual and physical), firewalls, switches, wireless access points, etc. If you don’t have a complete list of all your assets, you will miss something. Also, create a checklist to guide monthly reviews of updated firmware, etc., and develop processes for implementing all new devices. For example, if you install a new switch into an environment, a smart move would be to reset the default admin password and make sure you have installed the latest firmware. At the very least, you should conduct monthly patch updates to all operating systems.
- Misconfigurations. Breaches often occur due to system misconfigurations. For example, the Capital One breach via Amazon Web Services in 2019 resulted from a misconfigured open-source Web Application Firewall. A former Amazon employee used an “insider” attack to steal more than 100 million consumer credit applications from Capital One when her access was not deleted after ending her employment with Amazon. Fortunately, misconfigurations can be prevented with a regular process that scans or tests for them.
- Security Awareness Training. The unaware user is a company’s weakest cybersecurity link. Many companies have an audit checklist and conduct annual security awareness training, but it often falls short for most multitasking users. Security awareness needs to be ingrained in every user’s psyche to prevent random and distracting link clicking that can lead to a devastating data breach. To ingrain a sense of security awareness akin to muscle memory, make weekly, monthly and random reminders a part of your awareness training.
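The patching item above asks for a complete asset list, a monthly patch review, and a reset of default admin passwords on every new device. The following script is an added example (not from the original article or PenChecks Trust) that turns those three checks into a repeatable monthly audit: it reconciles a maintained inventory against devices actually seen on the network and flags anything unknown, anything unpatched for more than 30 days, and anything still on default credentials. The inventory and discovery data are constructed sample values.

```python
from datetime import date, timedelta

# Constructed sample inventory: what the asset list says we own.
# "patched_on" is the date firmware/OS patches were last applied.
INVENTORY = {
    "fw-edge-01": {"type": "firewall", "patched_on": "2023-01-10", "default_creds_reset": True},
    "sw-core-01": {"type": "switch",   "patched_on": "2023-03-02", "default_creds_reset": False},
    "srv-db-01":  {"type": "server",   "patched_on": "2023-02-28", "default_creds_reset": True},
}

# Constructed sample discovery result: hostnames seen on the network this month
# (in practice this would come from a network scan or asset-discovery tool).
DISCOVERED = ["fw-edge-01", "sw-core-01", "srv-db-01", "ap-lobby-02"]

# The article recommends patch updates at least monthly.
MAX_PATCH_AGE = timedelta(days=30)


def audit_assets(inventory, discovered, today):
    """Return a sorted list of (hostname, finding) pairs for the monthly review."""
    findings = []
    seen = set(discovered)

    # 1. Devices on the network that the asset list does not know about:
    #    the "you will miss something" case from the article.
    for host in seen - set(inventory):
        findings.append((host, "seen on network but not in inventory"))

    for host, rec in inventory.items():
        # 2. Inventory entries no longer observed (decommissioned or offline).
        if host not in seen:
            findings.append((host, "in inventory but not seen on network"))
        # 3. Patch age beyond the monthly cadence.
        age = today - date.fromisoformat(rec["patched_on"])
        if age > MAX_PATCH_AGE:
            findings.append((host, f"last patched {age.days} days ago (limit 30)"))
        # 4. New-device onboarding step not completed.
        if not rec["default_creds_reset"]:
            findings.append((host, "default admin password not reset"))

    return sorted(findings)


if __name__ == "__main__":
    for host, finding in audit_assets(INVENTORY, DISCOVERED, date(2023, 3, 15)):
        print(f"{host}: {finding}")
```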
Data backups and redundancy also play a crucial role in your company’s longevity and survival in an ever-changing, globally accessible environment. In addition to backing up daily, weekly, and monthly, make sure your backups work by restoring and testing them at least monthly. Back up to multiple locations in different geographic locations, and “air gap” backup copies of your sensitive data offline so they will be disconnected and inaccessible from the internet.
Do Your Part. #BeCyberSmart!
Cybersecurity Awareness Month is a collaborative effort between government and industry that offers a treasure trove of ideas and techniques for improving cybersecurity in your business. Led by the National Cyber Security Alliance (NCSA) and Cybersecurity and Infrastructure Security Agency (CISA), the goal is to raise awareness about the importance of cybersecurity and ensure everyone has the information and tools they need to be safer online.
Throughout the month of October, NCSA and CISA will conduct outreach on a variety of cybersecurity topics. Keep in mind that cybersecurity is an individual as well as a shared responsibility. If everyone does their part – implementing stronger security practices, raising community awareness, educating vulnerable audiences, and training employees – we will be able to leverage the wonders of interconnected technology and cloud resources in a world that will be safer and more secure for everyone.
Kevin Smallen MS, CISSP, ITIL-F is PenChecks Trust’s Chief Information Security Officer (CISO) and has more than three decades of experience in the field of information technology, as a consultant and in-house manager for many companies. A well-rounded security specialist, his background includes hands-on experience in technical management, systems architecture, program and project management, network design and deployment, and ITIL (Information Technology Infrastructure Library) and SDLC (Software Development Life Cycle) methodologies. Kevin holds an MS in Cybersecurity from Liberty University.