Looking back at the most headline-worthy breaches of the not-so-distant past will unveil a surprising truth: it’s the little things that get us. One slip, one duped employee, one chink in the armor and the castle can fall. All too often, these mistakes are the result of trust being issued where it hasn’t been earned, and too many companies fall into a false sense of security when a Zero-Trust strategy is the only way to operate responsibly in today’s cyber environment.
This is a classic case of a simple social engineering ploy at work. The person claiming responsibility for the “total compromise” of the $55 billion dollar company simply sent a text to an Uber employee, pretended to be corporate IT, and compromised the entire system. “They pretty much have full access to Uber,” noted Sam Curry, a security engineer at Yuga Labs. What good is it if your doors are locked when a simple question could persuade a tenant to give up the key? For that reason, Zero-Trust means so much more than credentials. To a multi-billion dollar organization, it should (at the very least) entail multi-factor authentication, security awareness training, and role-based permissions and access controls.
The massive ransomware attack that brought the oil titan to its knees (and was deemed a national security threat) was another “lucky strike” in the world of cybercrime. To their credit, the utility was utilizing a VPN. However, basic password hygiene was lacking and the credential was exposed – more than likely, reused. While complex and difficult to guess, the password was likely put into use in more than one place (the fatal VPN account being one of them) and one of the largest and most vital oil supplies in the US was reduced to a halt. Considered critical national infrastructure, the pipeline represents part of the supply chain “considered so vital to the United States that [its] incapacitation or destruction would have a debilitating effect on security, national economic security, [or] national public health or safety.” Again, it only takes a stone to take down a Goliath.
The social media platform that holds the records of nearly 400 million users worldwide was hacked in July due to a simple vulnerability similar to the one previously used to exploit Facebook. In essence, it allowed you to create a Twitter ID with minimal information, despite the action being prohibited in the user’s privacy settings. The data exfiltration occurred in December of 2021 – on January 1st, the vulnerability was revealed and by the 13th it was patched, but by then it was too late. The records from the over 5 million accounts (offered later on the Dark Web for $30,000) were not stolen due to a sophisticated exploit, a social-engineering scam, or a nation-state attack. They were lost due to a simple user-facing vulnerability that a Zero-Trust approach to GUI development could have fixed, or an audit could have caught.
The lawsuit claimed the healthcare organization could have prevented the theft of 150,000 patient records by “properly securing and encrypting” the medical data. HIPAA requires all organizations handling personal health information to “ensure the confidentiality, integrity, and availability of all e-PHI” and “protect against reasonably anticipated, impermissible uses or disclosures”, and so when Scripps Health suffered a ransomware attack, it was exacerbated exponentially when the attackers didn’t stop there. Said the principal attorney on the case, Scott Cole, “That medical histories were accessed in this data hack makes this situation unique…despite hundreds of data breaches every year in this country, most do not involve such highly sensitive patient information as was obtained here.” Encryption of medical records – at rest and in transit – should not be an optional safeguard, but an integral part of a healthcare organization’s Zero-Trust approach. This is especially true when the organization is required to be HIPAA compliant and falls under the jurisdiction of CCPA.
This is a breach story that ends with some silver lining, making it “the breach that wasn’t.” Cisco was infiltrated when an employee email account was compromised. From that account, the bad actor found saved credentials for the company’s corporate VPN. Impersonating (again) corporate IT, the hacker was able to bypass MFA conventions by convincing the new employee to accept the push notification, thereby gaining access to the network. While the attacker did gain initial entry, the breach was identified and curbed by Cisco’s network segmentation and zero-trust implementations.
In the forest, we are more likely to trip over the roots than the trees. Large breaches often stem from small, preventable mistakes that are the result of sloppy organizing, lack of policy, or simple human error.
Enterprises today need to not only build out the best, most sophisticated tool stacks, but make sure everything – from the intern training to C-level access controls – is built with Zero-Trust in mind.
Gartner defines Zero-Trust as “a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications.” In other words, a line that can only be crossed by that particular entity in a particular environment. It takes the place of the “perimeter” and can be seen as a set of security principles that create a moveable bubble around whatever it is you want to protect.
Zero-Trust can be baked in at the DevOps level or input later at the SecOps level if your organization has older architectural elements.
In theory, it is a set of rules, and in practice, it is every solution, policy, application and decision that denies access until identity and context is proven. Security awareness training builds Zero-Trust. Mapping to the MITRE ATT&CK framework, utilizing MFA, defending at the DNS layer, protecting the cloud, securing remote workers, and locking down IoT devices build Zero-Trust.
However, zero means zero. While some ZT measures are favorable, the job isn’t finished until your entire organization has been audited, analyzed for gaps, and retrofitted with Zero-Trust architecture from the inside out. Talk to Port53 about completing your Zero-trust transformation.
Cloud delivered solutions provide the same level of protection to a 10 person company as a 10,000 person company, all at an affordable price per user.
Endpoint vulnerabilities are further multiplied the more applications you have on a device and how well those applications comply with security policies.