{"id":18832,"date":"2022-04-22T02:30:17","date_gmt":"2022-04-22T10:30:17","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/04\/22\/news-12565\/"},"modified":"2022-04-22T02:30:17","modified_gmt":"2022-04-22T10:30:17","slug":"news-12565","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/04\/22\/news-12565\/","title":{"rendered":"In a remote-work world, a zero-trust revolution is necessary"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2021\/11\/12_zero-trust-100911242-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Mike Elgan| Date: Fri, 22 Apr 2022 03:00:00 -0700<\/strong><\/p>\n<p class=\"Body\">Last summer, law enforcement officials contacted both Apple and Meta, demanding customer data in \u201cemergency data requests.\u201d The companies complied. Unfortunately, the \u201cofficials\u201d <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2022-03-30\/apple-meta-gave-user-data-to-hackers-who-forged-legal-requests\" rel=\"noopener nofollow\" target=\"_blank\">turned out to be hackers affiliated with a cyber-gang<\/a> called \u201cRecursion Team.\u201d<\/p>\n<p class=\"Body\">Roughly three years ago, the CEO of a UK-based energy company got a call from the CEO of the company\u2019s German parent company instructing him to wire a quarter of a million dollars to a Hungarian \u201csupplier.\u201d He complied. Sadly, the German \u201cCEO\u201d was in fact a cybercriminal <a href=\"https:\/\/www.wsj.com\/articles\/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402\" rel=\"noopener nofollow\" target=\"_blank\">using deepfake audio technology to spoof the other man\u2019s voice<\/a>.<\/p>\n<p class=\"Body\">One set of criminals was able to steal data, the other, money. And the reason was trust. 
The victims\u2019 source of information about who they were talking to was the callers themselves.<\/p>\n<p class=\"Body\">Zero trust is a security framework that doesn\u2019t rely on perimeter security. Perimeter security is the old and ubiquitous model that assumes everyone and everything inside the company building and firewall is trustworthy. Security is achieved by keeping people outside the perimeter from getting in.<\/p>\n<p class=\"Body\"><span lang=\"PT\">A UK<\/span> doctoral student at the University of Stirling named Stephen Paul Marsh coined the phrase <span lang=\"IT\">&#8220;zero trust&#8221;<\/span>\u00a0in 1994. (Also called \u201cde-perimeterization,<span lang=\"RU\">&#8221; <\/span>the concept was thoroughly fleshed out in guidelines like Forrester eXtended, Gartner<span dir=\"RTL\" lang=\"AR-SA\">\u2019<\/span>s CARTA and NIST 800-207.)<\/p>\n<p class=\"Body\">Perimeter security is obsolete for a number of reasons, but mainly because of the prevalence of remote work. Other reasons include: mobile computing, cloud computing and the increasing sophistication of cyberattacks, generally. And, of course, threats can come from the inside, too.<\/p>\n<p class=\"Body\">In other words, there is no network edge anymore \u2014 not really \u2014 and even to the extent that perimeters exist, they can be breached. Once hackers get inside the perimeter, they can move around with relative ease.<\/p>\n<p class=\"Body\">Zero trust aims to fix all that by requiring each user, device, and application to individually pass an authentication or authorization test each time they access any component of the network or any company resources.<\/p>\n<p class=\"Body\">Technologies are involved in zero trust. But zero trust itself is not a technology. It\u2019s a framework and, to a certain extent, a mindset. We tend to think of it as a mindset for network architects and security specialists. 
That\u2019s a mistake; it needs to be the mindset of all employees.<\/p>\n<p class=\"Body\">The reason is simple: social engineering is a non-technical hacking of human nature.<\/p>\n<p class=\"Body\">One basic approach to applying zero trust to the challenge of social engineering attacks is old and familiar. Let&#8217;s say you get an email that claims it&#8217;s from the bank and says there&#8217;s a problem with your account. Just click here to enter your username and password and resolve the problem, it says. The right way to handle this situation (if you\u2019re not sure) is to call the bank and verify.<\/p>\n<p class=\"Body\">In any kind of social engineering attack, the best practice is to never use the access method provided to you, but to get your own. Don\u2019t use the person contacting you as your source of information about who is contacting you. Always verify independently.<\/p>\n<p class=\"Body\">In the past, it has been easy to spoof an email. We\u2019re facing an immediate future where it will be just as easy to fake live voice and video.<\/p>\n<p class=\"Body\">Beyond email spoofing, organizations can also be attacked by phishing, vishing, smishing, spear phishing, snowshoeing, hailstorming, clone phishing, whaling, tabnabbing, reverse tabnabbing, in-session phishing, website forgery, link manipulation, link hiding, <span lang=\"IT\">typosquatting<\/span>, homograph attacks, scareware, tailgating, baiting, DNS spoofing, and many others. Your zero-trust training should make employees intimately familiar with all these attack types. 
Simple knowledge of the many dastardly methods for tricking humans into allowing unauthorized access helps them understand why zero trust is the answer.\u00a0<\/p>\n<p class=\"Body\">In his excellent 2011 book, \u201c<a href=\"https:\/\/www.mitnicksecurity.com\/ghost-in-the-wires\" rel=\"noopener nofollow\" target=\"_blank\">Ghost in the Wires<\/a>,\u201d former superhacker <span lang=\"DE\">Kevin Mitnick<\/span> describes one of his most effective social engineering techniques: You see employees outside of a building about to go in, and you simply follow them through the door with the confidence of someone who belongs there. Employees universally read that confidence as all the verification they need to hold the door open for a stranger.<\/p>\n<p class=\"Body\">When Apple and Meta were contacted by fake law-enforcement officers, they should have taken down the details of who callers claimed to be, hung up the phone, and called the agency to verify.<\/p>\n<p class=\"Body\">When that UK CEO was contacted by someone claiming to be the CEO of the parent company, the policy should have been a return call and not a transfer of funds based on the initial call.<\/p>\n<p class=\"Body\">The good news is that while many companies haven\u2019t implemented zero trust, or even developed a zero-trust roadmap, embracing its use against social engineering can be implemented right away.<\/p>\n<p class=\"Body\">Find a way to authenticate each participant in audio or video meetings.<\/p>\n<p class=\"Body\">In other words, through changes in training, policy, and practice, any incoming communication that requests something \u2014 transfer funds, provide a password, change a password, click on an attachment, click on a link, let someone into the building \u2014 needs to be verified and authenticated \u2014 both the person and the avenue for the request.<\/p>\n<p class=\"Body\">Nearly all social engineering attacks involve the malicious actor gaining the trust of a person with access, 
and then abusing that access.<\/p>\n<p class=\"Body\">The challenge in using training and security culture to inspire a zero-trust mindset in all employees is that people themselves like to be trusted. People get offended when told: \u201cLet me verify you first.\u201d<\/p>\n<p class=\"Body\">That should be the biggest part of the training: Getting employees and business leaders to insist upon not being trusted. You can\u2019t just rely on people not to trust \u2014 you have to get people to insist on not being trusted themselves.<\/p>\n<p class=\"Body\">If a senior leader sends an attachment to a subordinate, and the subordinate simply downloads and opens it without an additional step of verification (say, calling and asking), that should be seen by the leader as a serious breach of security practices.<\/p>\n<p class=\"Body\">Culturally, most companies are miles away from embracing this practice. And that\u2019s what needs to be repeated a thousand times: Zero-trust authorization of everything is for the trustworthy and untrustworthy alike.<\/p>\n<p class=\"Body\">With so many workers now scattered between the office, at home, in other states or even in other nations, it\u2019s time for a radical reset \u2014 a zero-trust revolution, if you will \u2014 in how we interact with each other in everyday business communication.<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3657617\/in-a-remote-work-world-a-zero-trust-revolution-is-necessary.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2021\/11\/12_zero-trust-100911242-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Mike Elgan| Date: Fri, 22 Apr 2022 03:00:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p class=\"Body\">Last summer, law enforcement officials contacted 
both Apple and Meta, demanding customer data in \u201cemergency data requests.\u201d The companies complied. Unfortunately, the \u201cofficials\u201d <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2022-03-30\/apple-meta-gave-user-data-to-hackers-who-forged-legal-requests\" rel=\"noopener nofollow\" target=\"_blank\">turned out to be hackers affiliated with a cyber-gang<\/a> called \u201cRecursion Team.\u201d<\/p>\n<p class=\"Body\">Roughly three years ago, the CEO of a UK-based energy company got a call from the CEO of the company\u2019s German parent company instructing him to wire a quarter of a million dollars to a Hungarian \u201csupplier.\u201d He complied. Sadly, the German \u201cCEO\u201d was in fact a cybercriminal <a href=\"https:\/\/www.wsj.com\/articles\/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402\" rel=\"noopener nofollow\" target=\"_blank\">using deepfake audio technology to spoof the other man\u2019s voice<\/a>.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3657617\/in-a-remote-work-world-a-zero-trust-revolution-is-necessary.html#jump\">To read this article in full, please click 
here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[20166,714],"class_list":["post-18832","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-remote-work","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18832","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18832"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18832\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18832"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18832"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18832"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}