There’s an old IT joke that blames many common computer glitches on PEBKAC:
Problem Exists Between Keyboard And Chair
In other words, users are often the source of major technology issues, not the systems themselves.
This old saw is doubly true in the world of IT security.
User error, mishandling of data, and failure to follow security policies often end up creating the gaps that attackers use to breach a company’s or a government’s systems.
Despite a perpetual focus by the security industry to improve user awareness and security training, recent studies and reports show that humans remain the weakest link in IT security.
Phishing Season Never Ends
By far the most common attack vector leading to major data breaches is the theft of user credentials via phishing.
Fully 91% of attacks begin with a phishing email, according to a recent report by vendor PhishMe cited in Dark Reading.
An employee is duped into clicking a link in an email that looks like a legitimate offer from a business he or she frequents, or that appears to come from a bank or other credible institution. Clicking the link either infects the user’s device with malware or prompts the user to enter access credentials, and the breach begins.
Once in possession of the employee’s log-in credentials for the enterprise systems, the attacker masquerades as the user and passes right through typical security controls into the “trusted” interior networks and systems.
Phishing on Steroids
In years past, it was not difficult for the typical user to see through a phishing attack after getting a little training.
Poorly written phishing emails, unprofessional formatting, and odd-looking links or attachments were the fingerprints of attackers in those early phishing emails.
But the phishing vector has reached a new level of dangerous sophistication and effectiveness with the latest incarnations.
One recently documented attack mimics a Google Gmail log-in page to near perfection.
And of course spearphishing is proving able to fool many victims. By engaging in some intel gathering and reconnaissance, the attacker carefully crafts an attack email that looks like it comes from your boss or your bank.
The breach of the US Democratic National Committee was perpetrated by attackers with spearphishing campaigns. The US Department of Homeland Security and the Federal Bureau of Investigation detailed these campaigns in a report outlining the attack vectors believed to be used by Russia-backed attackers targeting the DNC.
Zero Choice but to use Zero Trust
The security industry has long advocated improving user training to help mitigate the human attack vector.
But if even a single user absentmindedly clicks on a single phishing email, all bets are off. In even a small organization, what are the odds that this will never happen?
There is no other choice but to embrace the notion that any user might already be compromised. In fact, a “trusted” user accessing your systems right now may be an attacker in disguise.
That is the basis of the “Zero Trust” model of security. Old security models assume your LAN or internal networks are “trusted” because they are protected by a firewalled perimeter.
But Zero Trust does away with the notion of implicit trust. Instead, it is assumed that any user or device on the network could be compromised. Given that, how do you protect your valuable digital assets?
Deploying Zero Trust means recognizing that traditional perimeter and infrastructure-based security cannot stop an attacker that has compromised a user and is disguised as that user.
Tools in the Zero Trust arsenal therefore include enforcing role-based access control across all users, which limits an attacker’s ability to move laterally through enterprise systems once access has been gained via a compromised user. Another technique is end-to-end encryption of data communication flows, even on internal networks and in environments that would traditionally be considered trusted.
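To make the contrast concrete, here is an added illustration (not code from the article or from any product it mentions) of a per-request policy check: a legacy perimeter rule that trusts anything inside the LAN, beside a Zero Trust rule that evaluates identity, role and device posture on every request. The IP range, roles, resources and request records are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed "trusted LAN" range used by the legacy perimeter rule.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed role-based access policy: which roles may reach which resource.
ROLE_PERMISSIONS = {
    "hr": {"payroll-db"},
    "engineer": {"source-repo", "build-server"},
}


@dataclass
class Request:
    user: str
    role: str
    src_ip: str
    resource: str
    mfa_verified: bool      # identity re-verified for this session, not just a password
    device_compliant: bool  # request comes from a managed, policy-compliant device


def perimeter_policy(req: Request) -> bool:
    """Legacy model: a request already inside the LAN is implicitly trusted."""
    return ip_address(req.src_ip) in INTERNAL


def zero_trust_policy(req: Request) -> bool:
    """Zero Trust: network location is ignored; identity, device and role decide."""
    if not (req.mfa_verified and req.device_compliant):
        return False
    return req.resource in ROLE_PERMISSIONS.get(req.role, set())


def evaluate(requests):
    """Return {user: (perimeter_decision, zero_trust_decision)} for each request."""
    return {r.user: (perimeter_policy(r), zero_trust_policy(r)) for r in requests}


# Constructed samples. "alice" models a phished credential reused from an internal
# address to reach a resource outside her role; "bob" is a legitimate in-role request.
PHISHED = Request("alice", "engineer", "10.1.2.3", "payroll-db",
                  mfa_verified=False, device_compliant=False)
LEGIT = Request("bob", "hr", "10.1.2.4", "payroll-db",
                mfa_verified=True, device_compliant=True)

if __name__ == "__main__":
    for user, (legacy, zt) in evaluate([PHISHED, LEGIT]).items():
        print(f"{user}: perimeter={legacy} zero_trust={zt}")
```

The perimeter rule lets both requests through because both come from the LAN; the Zero Trust rule admits only the in-role, verified request, which is the lateral-movement limit the paragraph describes.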
Coming Soon to an Enterprise Near You
But now enterprises and government entities large and small are embracing the concept. Google urges enterprises to adopt Zero Trust security. In the wake of devastating federal department breaches, the US Federal Government is also going Zero Trust.
Increased risk, financial impact, penalties and awareness will lead enterprise security architects to abandon the obsolete notion that any network or system can be implicitly trusted.
Analysis of the mega-breaches of recent years indicates that Zero Trust could have mitigated and in some cases completely prevented what turned into cybersecurity catastrophes.
And the stakes have never been higher, as Europe’s new General Data Protection Regulation (GDPR) privacy rules show: the GDPR will result in fines of many millions of Euros for companies that fail to protect consumer data.
As more companies embrace Zero Trust, they will become hardened targets, no longer easy pickings for attackers going phishing.
It’s certain that attackers will then work to uncover new exploits. But no matter what attack emerges next, Zero Trust should keep enterprises and governments safer than the old-fashioned, implicit-trust alternatives did.