Saturday, December 21, 2024

5 areas where zero trust can’t protect your organization

Gartner predicts that over 50% of cyberattacks through 2026 will target vulnerable areas that are not covered or protected by the principles of zero trust. “Zero trust has two significant concerns that need to be addressed. There are various factors to consider, such as legacy technology and shadow IT, that can significantly impact the scope of the project.” According to Gartner analyst John Watts, the other significant concern is that there are attacks capable of circumventing zero trust controls.
5 areas where zero trust can’t protect your organization alone:

1. Legacy systems

Not all systems and applications are easily updated to zero trust principles. Many legacy systems, for example, just don’t have what it takes. Insurance broker PIB Group was founded just seven years ago but since then it has acquired 92 other companies, most of them other insurance firms. It went from 12 employees to 3,500. “We’re acquiring a lot of platforms, and they’re written by their cousin who’s gone off to another job and isn’t supporting them properly,” CISO Jason Ozin tells CSO.

Even the company’s current HR system won’t support zero trust, Ozin says. “It won’t even support two-factor [authentication]. It will support username and password. It will support IP whitelisting.” But IP whitelisting isn’t very useful when everyone is working from home or another remote location.

The company is about to switch to a new HR system, but other systems aren’t as quickly replaceable. Until they are, Ozin has a workaround in place. “What we can do is put a zero-trust wrapper around it. You’ll be authenticated. Are you coming from a location we recognize? Are you using two-factor?” Once the authentication is handled, only then will the wrapper pass the traffic to the legacy system. The legacy system–for example, the current HR system–will check the IP address to make sure it’s coming from the zero-trust platform. Some legacy systems are so awful that they don’t even have a username and password, Ozin says. “But nobody can get to it except through the gatekeepers.”
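The wrapper pattern Ozin describes, as an added illustration that is not PIB Group's code: a gateway performs the checks the legacy system cannot (is the caller authenticated, from a recognized location, with a second factor?) and only then forwards the request, while the legacy system accepts connections only from the gateway's own address. Every address, user, path and policy value below is constructed for the example, and requiring all three signals is a policy choice made here, not one stated in the article.

```python
"""Zero-trust wrapper in front of a legacy application.

Added illustration, not PIB Group's code.  All addresses, users and policy
values are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

GATEWAY_IP = "10.0.0.5"  # constructed: the only source the legacy app trusts
# constructed: ranges the gateway treats as recognized (office egress, ZTNA edge)
RECOGNIZED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                       ipaddress.ip_network("198.51.100.0/25")]
# constructed session state: whether the user's session completed a second factor
SESSION_MFA = {"alice": True, "bob": False}


@dataclass
class Request:
    user: Optional[str]  # None when the caller never authenticated
    source_ip: str
    path: str


def gateway_decision(req: Request) -> Tuple[bool, str]:
    """Evaluate the wrapper's checks; return (allow, reason).

    Requiring every signal is a policy choice made for this example; a real
    deployment might instead step up to MFA only for unrecognized locations.
    """
    if req.user is None:
        return False, "not authenticated"
    src = ipaddress.ip_address(req.source_ip)
    if not any(src in net for net in RECOGNIZED_NETWORKS):
        return False, "unrecognized location"
    if not SESSION_MFA.get(req.user, False):
        return False, "second factor missing"
    return True, "ok"


def legacy_system(peer_ip: str, path: str) -> str:
    """The legacy app's only control: an allowlist of the gateway address."""
    if peer_ip != GATEWAY_IP:
        return "403 direct access refused"
    return f"200 {path}"


def handle(req: Request) -> str:
    """Gateway entry point: deny early, otherwise re-originate to the legacy app.

    Because the gateway opens its own connection, the legacy system sees
    GATEWAY_IP as the peer, which is what its allowlist keys on.
    """
    allowed, reason = gateway_decision(req)
    if not allowed:
        return f"401 gateway: {reason}"
    return legacy_system(GATEWAY_IP, req.path)


if __name__ == "__main__":
    print(handle(Request("alice", "203.0.113.10", "/hr/payslips")))  # 200 /hr/payslips
    print(handle(Request("bob", "203.0.113.11", "/hr/payslips")))    # 401 gateway: second factor missing
    print(handle(Request(None, "203.0.113.12", "/hr/payslips")))     # 401 gateway: not authenticated
    print(handle(Request("alice", "192.0.2.44", "/hr/payslips")))    # 401 gateway: unrecognized location
    print(legacy_system("192.0.2.44", "/hr/payslips"))              # 403 direct access refused
```

The last line shows why the legacy side still needs its own check: without the allowlist, anyone who can reach the legacy host on the network could skip the gateway entirely, which is the "nobody can get to it except through the gatekeepers" property Ozin relies on.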

The pandemic was a major motivation for moving to zero trust, as was the company’s rapid growth, though the pandemic was over by the time PIB began rolling out zero trust. “My plan is to get rid of every single legacy system we’ve got,” says Ozin. “But, in reality, that’s never going to happen. In six years’ time it wouldn’t surprise me if I’m still running it.”

But it takes resources and money to upgrade everything. “We’ve decided to do it on certain high-risk items to start with,” he says.

2. IoT devices

Ozin says there are loads of IoT devices in the organization: “I’ve got IoT I don’t even know about.” This is a problem, especially when, for example, a local office decides to put in a door entry system without talking to anyone first. “They’re installing it, and the guy says, ‘Can I get the WiFi access key to the network?’ And someone might give it to them,” says Ozin.

Without zero trust on all the WiFi gateways, the company is using a workaround: a separate network for unapproved devices that has no access to any corporate data. PIB also has tools in place that let it audit the main network to make sure that only approved devices are connected to it.

Gartner’s Watts agrees that IoT and OT can pose security challenges for companies. “It is more difficult to implement a zero-trust posture for those devices and systems. They have less assurances for identity.” If there’s no user, then there’s no user account, he says. “There’s no good way to authenticate if something should be on the network. It becomes a difficult problem to solve.”

Some companies will exclude IoT and OT from their zero trust scope because they can’t address this problem, Watts says. Some vendors, however, will help companies secure these systems, he says. In fact, Gartner has published a market guide for securing cyber-physical systems that includes Armis, Claroty, and Dragos. “But once you implement these technologies, you have to put more trust in the vendors. If they have their own vulnerabilities and challenges, attackers will find a weakness,” Watts tells CSO.

3. Privileged access

The insider threat risk is a problem for all companies. Zero trust won’t help in cases where a privileged insider may have valid permission to access sensitive resources, because this employee is trusted.

Other technologies can reduce the risk, says Ozin. “Someone might have all the privileges but are they suddenly on the internet at 3 am? You can put behavioral analytics next to the zero trust to catch that. We use that as part of our EDR [endpoint detection and response] and as part of our Okta login. We also have a data loss prevention program–are they doing 60 pages of printing when they don’t usually print anything?”

Insider threats are a major residual risk after zero trust controls have been implemented, says Gartner’s Watts. In addition, trusted insiders can be tricked into leaking data or allowing attackers into systems by social engineering. “Insider threats and account takeover attacks are the two risks that remain in a perfect zero trust world,” he says.

Then there’s business email compromise, where people with access to company money are fooled into sending the funds to the bad guys. “A business email compromise could be a deep fake that calls a member of the organization and asks them to wire money to another account,” says Watts. “And none of that actually touches any of your zero trust controls.” To deal with this, companies should limit user access so that if they are compromised the damage is minimized. “With a privileged account, this is difficult,” he says. User and entity behavior analytics can help detect insider threats and account takeover attacks. The key is to deploy the technology intelligently, so that false positives don’t completely stop someone from doing their job.

For example, anomalous activity could trigger adaptive control, like changing access to read-only, or blocking access to the most sensitive applications. Companies need to ensure that they don’t give too much access to too many users. “It’s not just a technology problem. You have to have the people and processes to support it,” Watts says.
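The behavioral analytics and adaptive control described in the last few paragraphs, as an added example that is not code from PIB Group, Gartner or any vendor the article names: a user's own baseline (usual sign-in hours, typical print volume) is compared with current activity, and an anomaly degrades access in steps (full, read-only, blocked) rather than flipping a single switch, with high-sensitivity applications blocked first. The baseline, events and thresholds are constructed for the example.

```python
"""Adaptive access control driven by behavioral signals.

Added illustration; the baseline, the events and the policy thresholds are
constructed for this example and are not taken from any product.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Set


@dataclass
class Baseline:
    usual_hours: Set[int]        # hours of day in which the user normally signs in
    print_pages: List[int]       # pages printed per day over the baseline window


@dataclass
class Event:
    user: str
    hour: int                    # hour of day of the sign-in, 0-23
    pages_printed: int           # pages printed so far today
    app_sensitivity: str         # "low" or "high"


def anomaly_signals(ev: Event, base: Baseline) -> List[str]:
    """Name each behavioral signal that deviates from the user's own baseline."""
    signals = []
    if ev.hour not in base.usual_hours:
        signals.append("off-hours login")
    # A per-user threshold (mean + 3 sigma, floor of one page) rather than a
    # fixed company-wide number keeps a user who always prints a lot from
    # being flagged every day, which is where false positives come from.
    if len(base.print_pages) >= 5:
        mu, sigma = mean(base.print_pages), pstdev(base.print_pages)
        if ev.pages_printed > mu + 3 * max(sigma, 1.0):
            signals.append("print volume")
    return signals


def adaptive_decision(ev: Event, base: Baseline) -> str:
    """Map signals to an access level instead of a hard allow/deny.

    One signal against a low-sensitivity app only degrades to read-only, so a
    single false positive does not stop the person from working; two signals,
    or any signal against a high-sensitivity app, blocks.
    """
    signals = anomaly_signals(ev, base)
    if not signals:
        return "full"
    if len(signals) >= 2 or ev.app_sensitivity == "high":
        return "blocked"
    return "read-only"


# constructed baseline for one privileged user: signs in 08:00-18:00, rarely prints
ADMIN_BASELINE = Baseline(usual_hours=set(range(8, 19)),
                          print_pages=[0, 0, 1, 0, 2, 0, 1])

if __name__ == "__main__":
    for ev in [Event("admin", 10, 1, "high"),   # full
               Event("admin", 3, 0, "low"),     # read-only
               Event("admin", 3, 0, "high"),    # blocked
               Event("admin", 3, 60, "low")]:   # blocked (two signals)
        print(ev.hour, ev.pages_printed, ev.app_sensitivity,
              "->", adaptive_decision(ev, ADMIN_BASELINE))
```

The signals here are deliberately the two from Ozin's quote (a 3 am session, 60 pages of printing); a real deployment would feed many more, but the design point is the same: the decision is relative to the individual's baseline, and the response is proportionate to the sensitivity of what is being touched.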

According to the Cybersecurity Insiders survey, 47% say that overprivileged employee access is a top challenge when it comes to deploying zero trust. In addition, 10% of companies say that all users have more access than they need, 79% say that some or a few users do, and only 9% say that no users have too much access. A Dimensional Research study, conducted on behalf of BeyondTrust, found that 63% of companies reported having identity issues in the last 18 months that were directly related to privileged users or credentials.

4. Third-party services

CloudFactory is an AI data company with 600 employees and 8,000 on-demand “cloud workers.” The company has fully adopted zero trust, the company’s head of security operations Shayne Green tells CSO. “We have to, because of the sheer number of users we support.”

Remote workers sign in with Google authentication, through which the company can apply its security policies, but there’s a gap, Green says. Some critical third-party service providers don’t support single sign-on or Security Assertion Markup Language (SAML) integration. As a result, workers can log in from an unapproved device using their username and password, he says. “Then there’s nothing to stop them from stepping outside our visibility.” Technology vendors are aware that this is a problem, according to Green, but they’re lagging and they need to step up.

CloudFactory isn’t the only company to have a problem with this, but vendor security issues go beyond what authentication mechanisms a vendor uses. For example, many companies expose their systems to third parties via APIs. It can be easy to overlook APIs when figuring out the scope of a zero-trust deployment.

You can take zero trust principles and apply them to APIs, says Watts. That can lead to a better security posture–but only to a certain extent. “You can only control the interface you expose and make available to the third party. If the third party doesn’t have good controls, that’s something you typically don’t have control over.” When a third party creates an app that allows their users access to their data, the authentication on the client could be an issue. “If it’s not very strong, someone could steal the session token,” says Watts.

Companies can audit their third-party providers, but the audits are typically a one-time check or are performed on an ad-hoc basis. Another option is to deploy analytics that can detect when something being done is not approved, and more generally flag anomalous events. A flaw in an API that is exploited might show up as one such anomalous event, Watts says.

5. New technologies and applications

According to a Beyond Identity survey of over 500 cybersecurity professionals in the US this year, handling new applications was the third biggest challenge to implementing zero trust, cited by 48% of respondents. Adding new applications isn’t the only change that companies might want to make to their systems. Some companies are constantly trying to improve their processes and improve the flow of communication, says John Carey, managing director of the technology solutions group at AArete, a global consulting firm. “This is at odds with the concept of data trust, which puts barriers in front of data moving around freely.”

That means that if zero trust is not implemented or architected correctly, there might be a hit to productivity, Carey says. One area this can happen is AI projects. Companies have an increasing number of options for creating customized, fine-tuned AI models specific for their businesses, including, most recently, generative AI.

The more information the AI has, the more useful it is. “With AI, you want it to have access to everything. That’s the purpose of AI, but if it is breached, you have a problem. And if it starts disclosing things you don’t want, it is a problem,” Martin Fix, technology director at technology consultant Star, tells CSO.

There’s a new attack vector, Fix says, called “prompt hacking,” where malicious users try to trick the AI into telling them more than they should by cleverly wording the questions they ask. One solution, he says, is to avoid training general-purpose AIs on sensitive information. Instead, this data could be kept separate, with an access control system in place that checks if the user asking the question is allowed access to this data. “The results might not be as good as with an uncontrolled AI. It requires more resources and more management.”
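The separation Fix describes, as an added example that is not code from Star or any product: sensitive documents are not trained into the model but kept in a separate store, and the retrieval step that assembles the model's context first filters by the asking user's entitlements. However the question is worded, the model can only repeat what it was handed, so data the user may not read never reaches it. The corpus, users and group membership are constructed for the example.

```python
"""Access-controlled retrieval for an internal AI assistant.

Added illustration of keeping sensitive data out of the model and gating it
at retrieval time.  The document store, users and groups are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Document:
    doc_id: str
    text: str
    allowed_groups: FrozenSet[str]  # groups entitled to read this document


# constructed document store with per-document entitlements
CORPUS: List[Document] = [
    Document("hr-7", "Salary bands for 2025 are confidential to HR and finance.",
             frozenset({"hr", "finance"})),
    Document("eng-3", "Deployment runbook for the payment service.",
             frozenset({"engineering"})),
    Document("pub-1", "Office hours are 9 to 5; the cafeteria closes at 3.",
             frozenset({"everyone"})),
]
# constructed directory: every user is also in "everyone"
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"finance", "everyone"},
    "bob": {"engineering", "everyone"},
}


def authorized_documents(user: str, corpus: List[Document]) -> List[Document]:
    """The access-control check: keep only documents the user's groups may read.

    An unknown user has no groups and therefore sees nothing, not even pub-1.
    """
    groups = USER_GROUPS.get(user, set())
    return [d for d in corpus if d.allowed_groups & groups]


def _words(text: str) -> Set[str]:
    """Toy tokenizer: lower-case words of four or more letters, punctuation stripped."""
    return {t.strip(".,;?!").lower() for t in text.split() if len(t.strip(".,;?!")) >= 4}


def retrieve(user: str, question: str, corpus: List[Document]) -> List[Document]:
    """Toy keyword retrieval, run over the authorized subset only.

    Filtering before ranking matters: filtering afterwards would still let
    the ranking step reveal that restricted documents exist.
    """
    terms = _words(question)
    return [d for d in authorized_documents(user, corpus) if terms & _words(d.text)]


def build_prompt(user: str, question: str, corpus: List[Document]) -> str:
    """Assemble what the model will see; this context is the only data it has."""
    context = "\n".join(f"[{d.doc_id}] {d.text}"
                        for d in retrieve(user, question, corpus))
    return (f"Context:\n{context or '(no authorized documents)'}\n\n"
            f"Question: {question}")


if __name__ == "__main__":
    question = "What are the salary bands?"
    print(build_prompt("alice", question, CORPUS))   # context includes [hr-7]
    print(build_prompt("bob", question, CORPUS))     # context is empty for bob
```

The cost Fix mentions is visible in the design: every document needs an entitlement label and every user a group membership that is kept current, and the assistant answers a finance question for bob with nothing rather than with a better answer it was never allowed to see.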

The underlying issue here is that zero trust changes how companies work. “Vendors say it’s easy. Just put in some edge security where your people come in. No, it’s not easy. And the complexity of zero trust is just beginning to come out,” Deepak Mathur, zero trust leader for the US at KPMG, tells CSO. That’s one big flaw that zero trust never talks about, he says. There are process changes that have to happen when companies implement zero trust technologies. Instead, too often, it’s just taken for granted that people will fix processes.

Source: csoonline