Article by Karl Middlebrooks
One of the challenging issues of security today is understanding all the terminology and jargon that comes and goes. If you’re trying to keep up on cybersecurity, it can be tough to know what terms mean – and what they mean for you.
These days, you may be seeing a lot about Zero Trust which sounds reminiscent of the X-Files “Trust No One.” The phrase was coined years ago and it’s recently become a go-to phrase among companies in the security industry. In August 2020, the fine folks at the National Institute for Standards and Technology (NIST) put out a publication called “Zero Trust Architecture” that outlines the principles of Zero Trust. It’s a fantastic paper to read for a very technical audience, but if you’re already overwhelmed by security jargon and acronyms, it might not be the paper for you.
Despite the complexity, as an approach to security, Zero Trust has two very important concepts:
- Change areas of implicit trust to explicit trust. For example, instead of trusting everything that’s inside your firewall to access any portion of your network, you change to performing explicit checks to make sure devices and sign-ins are authorized to access something before granting access.
- Reduce the risk of exposure of your data due to lateral movement. For example, you have an employee with local admin privileges on their PC fall victim to a phishing attack and their PC is compromised. The attacker can run some tools to extract other passwords that may exist on that PC and see if they work to get into other systems or other administrator level accounts on the network. They may start with a single account on a PC but wind up with administrative access to your CRM or payroll system in a few hops across the network. That’s lateral movement.
- An example of how devastating lateral movement can be is the Electronic Arts (EA) breach that occurred last year which reportedly started with the compromise of an employee account on the messaging app Slack, and after some social engineering, resulted in the attackers being able to steal source code to several EA games.
For businesses of every size, there are some straightforward things you can do to move toward a Zero Trust model that works for you and improves your security. Let’s look first at a few commonplace practices that you need to move away from.
Don’t trust sign-ins or devices based on their location alone.
This is a big change in thinking about security because since the advent of the internet, we’ve come to believe that anything inside our firewall is safe. It’s always been the internet-based logins and devices – things outside our firewall – that shouldn’t be trusted. But the belief that everything inside the firewall can be trusted – all those PCs, servers, printers, and other devices – just doesn’t work today. Devices inside the firewall should be treated as if they are on the internet – their sign-ins and access validated first.
Don’t trust devices just because they’re company owned.
Most companies have drawn a distinction between company-owned devices and personal devices. We put a lot of trust in those company devices, right? We make sure they’re patched and updated, have current antivirus software on them. With personal devices, you don’t know what’s on them, how secure they are, and who has access to them, so you don’t trust them. But modern attacks have demonstrated time and time again that just because a device is owned and managed by a company doesn’t mean that it’s immune to compromise. Moving from implicit trust to explicit trust means treating company-owned devices as if they’re a personal device when it comes to accessing your network and data.
Don’t give out more access than is needed.
Things move fast, troubleshooting is difficult, and often permissions are assigned around the idea of making it easy or quick to get back to work. How often do you hear something like, “They’re the CEO. make sure they have admin access to everything,” or “We were having trouble with an application working over the VPN, so we opened all the ports. It works now, and we’ll tighten access back down when we can spend more time on troubleshooting,”? Those types of practices are very common, and it’s time to rethink them to minimize risk to the business – moving toward only granting access to what’s really needed when it’s needed and continually evaluating access that’s been granted.
Starting points to Zero Trust
We can’t cover all the aspects and approaches to Zero Trust here, though there are a couple of things businesses of every size can do to start adopting a Zero Trust approach to security.
Implement multifactor authentication.
Multifactor authentication (MFA) is one of the top topics in security today and with good reason. No matter which security vendor you go to for reference, they all say something similar: MFA stops nearly all cyberattacks, whether they’re automated attacks (like brute-force password guessing) or targeted attacks where someone is specifically targeting you or your business. Google found that even the weakest of MFA methods, the SMS text code, stopped 100% of automated attacks and 76% of targeted attacks. And Microsoft’s research found that accounts that used MFA were 99.9% less likely to be compromised.
By asking users to provide that second step of confirmation to demonstrate that they are who their sign-in says they are, you move from implicit trust to explicit trust — whether the users are at your office, at home, or at their favorite vacation spot – and start building a foundation of Zero Trust.
Revisit existing access to give people what they need, but not more.
Another area to get started with Zero Trust is looking at something you already know well – the information, applications, and devices you already have. When you limit excessive permissions or put in controls to restrict how users, devices, and information can move across your network to ways that are appropriate to employee roles, you help lower the risk that a compromise can easily get an attacker everything in your organization. And while access controls can get complicated, here are a few examples that you can start with:
- Limit local admin access to company-owned PCs and/or use separate admin accounts for software installation on PCs. Most people just don’t need full administrative rights over their PCs for day-to-day work. Limiting that access can prevent a compromised account on a device from compromising the entire device and using admin access to move laterally to another system.
- Take inventory of your critical systems and make sure employee offboarding includes disabling accounts immediately upon separation. Part of role-based access is ensuring that people who no longer play a role in your organization don’t have active accounts that an attacker can use.
- Limit application access and access levels. For example, does your CEO really need admin access to your HR and payroll systems? Or do they need reports and information that can be obtained with lower-level access? Thinking through those types of things – application access, security groups, email groups and so on — and making some changes that get people what they need without giving them more than what they need can make a big difference in limiting lateral movement.
- Fine tune your VPN and personal PC (BYOD – Bring Your Own Device) policies. You don’t necessarily have to trust company owned devices to understand that you probably have more insight into them – operating system version, antivirus status, policy restrictions and so on – than you have into personal systems. You might want to restrict what can be accessed over VPN and assume that everything connecting over VPN is a personal device, or you might want to put in technical controls that prevent personal devices from signing into your VPN at all, even though you’ll want those users to sign into VPN using MFA.
While there’s a lot we can’t cover here, many of the important concepts of Zero Trust are not complicated to understand – they’re things you’ve probably heard or read about already. And getting started with Zero Trust doesn’t have to be complex either. The right MSP partner can help you work through where you are today and what next steps might look like for you to improve security and help protect your company without getting in the way of your business. If you are ready to implement Zero Trust policies, contact us and we can work together to build a strategic plan to protect your business for the future.