Remote work: a zero trust Revolution is essential

Remote work: a zero trust Revolution is essential

Zero Trust is not just for cybersecurity specialists – it is a necessary new way of life for companies. […]

Last summer, law enforcement agencies turned to both Apple and Meta, requesting customer data as part of “emergency data requests”. The companies complied with the request. Unfortunately, it turned out that the “officials” were hackers belonging to a cyber gang called the “Recursion Team”.

About three years ago, the chairman of the board of an energy company based in the UK received a call from the chairman of the board of the German parent company of the company, in which he was instructed to transfer a quarter of a million dollars to a Hungarian “supplier”. He complied with the request. Unfortunately, in reality, the German “CEO” was a cybercriminal who falsified the voice of his interlocutor with the help of deepfake audio technology.

One group of criminals was able to steal data, the other money. And the reason for this was trust. The victims’ source of information about who they were talking to was the callers themselves.

What exactly is Zero Trust?

Zero Trust is a security model that does not rely on perimeter security. Perimeter security is the old and ubiquitous model that assumes that everyone and everything inside the company building and firewall is trustworthy. Security is achieved by preventing people outside the fence from entering.

A British PhD student at the University of Stirling named Stephen Paul Marsh coined the term “zero trust” in 1994. (The concept, also known as “de-perimeterization”, has been thoroughly elaborated in guidelines such as Forrester eXtended, Gartner’s CARTA and NIST 800-207).

Perimeter security has become obsolete for a number of reasons, but mainly because of the increasing prevalence of remote work. Other reasons include: mobile computing, cloud computing and the increasing sophistication of cyber attacks in general. And, of course, the threats can also come from within.

In other words, there are no more network boundaries – not really – and even if there are boundaries, they can be broken through. Once hackers have penetrated the inside of the network, they can move around it relatively easily.

Zero Trust is designed to solve all this by requiring each user, device and application to pass an individual authentication or authorization test every time they access a component of the network or corporate resources.

At Zero Trust, technology is at play. But zero Trust itself is not a technology. It is a concept and to a certain extent also a way of thinking. We tend to think of it as a mindset for network architects and security specialists. This is a mistake; it must be the attitude of all employees.

Why Only Zero Trust Can Defeat Social Engineering

A fundamental approach to applying zero Trust to social engineering attacks is old and well-known. Let’s say you receive an email claiming that it comes from the bank and there is a problem with your account.

Just click here to enter your username and password and solve the problem, it says. The correct course of action in this situation (if you are not sure) is to call the bank and make sure.

In any type of social engineering attack, the best course of action is never to use the method of access offered to you, but to find your own. Do not use the person contacting you as a source of information about who is contacting you. Always check independently.

In the past, it was easy to fake an email. In the near future, it will be just as easy to fake a live voice or video.

In addition to e-mail spoofing, companies can also use phishing, vishing, smishing, spear phishing, snowshoeing, hailstorming, clone phishing, whaling, tabnabbing, reverse tabnabbing, in-session phishing, website forgery, link manipulation, link hiding, typosquatting, homograph attacks, scareware, tailgating, baiting, DNS spoofing and many others are under attack.

Your zero trust training should familiarize your employees with all these types of attacks. The simple knowledge of the many insidious methods used to trick people into allowing unauthorized access will help you understand why Zero Trust is the solution.

In his excellent book “Ghost in the Wires” from 2011, former super hacker Kevin Mitnick describes one of his most effective social engineering techniques: you see employees in front of a building who are about to enter, and just follow them through the door, with the self-confidence of someone who belongs there. The employees see this confidence as a confirmation that they have to open the door to a stranger.

When Apple and Meta were contacted by fake police officers, they should have noted down the details of the callers, hung up the phone and called the authority to verify this.

When the CEO of the UK company was contacted by someone claiming to be the CEO of the parent company, a callback should have been made and not a referral based on the first call.

How to Use Zero Trust in Social Engineering

The good news is that many companies have not yet implemented zero-trust or have not even developed a zero-trust roadmap, but the use of zero-trust against social engineering can be implemented immediately.

Find a way to authenticate each participant in audio or video conferences.

In other words, through changes in training, policies and practices, any incoming communication asking for something – transferring a sum of money, providing a password, changing a password, clicking on an attachment, clicking on a link, entering the building – must be verified and authenticated, both the person and the way through which the request is made.

Almost all social engineering attacks are about a malicious actor gaining the trust of a person with access authorization and then abusing this access.

The challenge of using training and a safety culture that should create a zero-trust mentality among all employees is that people themselves like to be trustworthy. People are offended when they are told: “Let me check this first.“

That should be the biggest part of the training: getting employees and managers to insist that you don’t trust them. You can’t just rely on people not trusting you – you have to get them to insist, even insist, that you don’t trust them.

If an executive sends an attachment to an employee and the latter simply downloads and opens it without first making sure (for example, by calling and asking), this should be considered by the manager as a serious violation of security practices.

Culturally, most companies are miles away from adopting this practice. And that’s what has to be repeated a thousand times: the zero trust authorization of everything is for the trustworthy and the untrustworthy alike.

With so many workers working in the office, at home, in other states, or even in other countries, it’s time for a radical reboot – a zero trust revolution, if you will – in the way we interact with each other in day-to–day business communications.

This article is based on an article from our US sister publication Computerworld.

*Mike Elgan writes as a columnist for our US sister publication Computerworld and other tech portals.

Outsourced Development Services | Unreal Engine Development

Ready to see us in action:

More To Explore

IWanta.tech
Logo
Enable registration in settings - general
Have any project in mind?

Contact us:

small_c_popup.png