Wednesday , October 30 2024
Credit: Ground Picture / Shutterstock

5 areas where zero trust can’t protect your organization

Gartner predicts that over 50% of cyberattacks until 2026 will target vulnerable areas that are not covered or protected by the principles of zero trust. “Zero trust has two significant concerns that need to be addressed. There are various factors to consider, such as legacy technology and shadow IT, that can significantly impact the scope of the project. According to Gartner analyst John Watts, another significant concern lies in the fact that there exist attacks capable of circumventing zero trust controls.
5 areas where zero trust can’t protect your organization alone:

1. Legacy systems

Not all systems and applications are easily updated to zero trust principles. Many legacy systems, for example, just don’t have what it takes. Insurance broker PIB Group was founded just seven years ago but since then it has acquired 92 other companies, most of them other insurance firms. It went from 12 employees to 3,500. “We’re acquiring a lot of platforms, and they’re written by their cousin who’s gone off to another job and isn’t supporting them properly,” CISO Jason Ozin tells CSO.

Rented bank account used to illegal transection: 5 arrested

The Indian Cyber Crime Coordination Centre (I4C) has warned about illegal payment gateways set up by transnational cyber criminals using...
Read More
Rented bank account used to illegal transection: 5 arrested

Successfully held “InfoSecCon-2024″at Dhaka Bangladesh

With a festive look and the participation of more than one hundred participants from Bangladesh cyber industry, another successful cyber...
Read More
Successfully held “InfoSecCon-2024″at Dhaka Bangladesh

Bangladeshi hacker hack for girlfriend’s expenses; finally caught

Fazle Hassan Anik hacked girls' Facebook accounts to steal sensitive pictures, which he used to blackmail them for money. He...
Read More
Bangladeshi hacker hack for girlfriend’s expenses; finally caught

Bangladeshi Social media flooded with unauthorized withdrawals from bank accounts

Bangladeshi Social media posts have raised concerns about unauthorized withdrawals from bank accounts, affecting at least 7 to 8 people...
Read More
Bangladeshi Social media flooded with unauthorized withdrawals from bank accounts

Unprotected UN Database Exposes 228GB of Gender Violence Victims’ Data

Cybersecurity researcher Jeremiah Fowler found a non-password-protected database with 115,000 records linked to the UN Trust Fund to End Violence...
Read More
Unprotected UN Database Exposes 228GB of Gender Violence Victims’ Data

Cisco Issues Urgent Fix for ASA and FTD Software Vulnerability

Cisco announced updates on Wednesday to fix a security flaw in its Adaptive Security Appliance (ASA) that is currently being...
Read More
Cisco Issues Urgent Fix for ASA and FTD Software Vulnerability

Hackers Earn $500,000 on First Day of Pwn2Own Ireland 2024

White hat hackers at the Pwn2Own Ireland 2024 contest by Trend Micro's Zero Day Initiative earned $500,000 on the first...
Read More
Hackers Earn $500,000 on First Day of Pwn2Own Ireland 2024

Fortinet + Crowdstrike team on protection from endpoint to firewall

In today's rapidly changing cybersecurity environment, organizations encounter numerous complex threats targeting endpoints and networks. CrowdStrike and Fortinet have partnered...
Read More
Fortinet + Crowdstrike team on protection from endpoint to firewall

Sophos to Acquire Secureworks in $859M

Sophos, based in the UK, is to acquire Secureworks, a Nasdaq-listed company, for $859 million in cash from Dell Technologies....
Read More
Sophos to Acquire Secureworks in $859M

2nd time hacker breached Internet Archive

The Internet Archive was breached again, this time through their Zendesk email support platform, following warnings that threat actors had...
Read More
2nd time hacker breached Internet Archive

Even the company’s current HR system won’t support zero trust, Ozin says. “It won’t even support two-factor [authentication]. It will support username and password. It will support IP whitelisting.” But IP whitelisting isn’t very useful when everyone is working from home or another remote location.

The company is about to switch to a new HR system, but other systems aren’t as quickly replaceable. Until they are, Ozin has a workaround in place. “What we can do is put a zero-trust wrapper around it. You’ll be authenticated. Are you coming from a location we recognize? Are you using two-factor?” Once the authentication is handled, only then will the wrapper pass the traffic to the legacy system. The legacy system–for example, the current HR system–will check the IP address to make sure it’s coming from the zero-trust platform. Some legacy systems are so awful that they don’t even have a username and password, Ozin says. “But nobody can get to it except through the gatekeepers.”

The pandemic was a major motivation to moving to zero trust, as was the company’s rapid growth, though the pandemic was over by the time PIB began rolling out zero trust. “My plan is to get rid of every single legacy system we’ve got,” says Ozin. “But, in reality, that’s never going to happen. In six years’ time it wouldn’t surprise me if I’m still running it.”

But it takes resources and money to upgrade everything. “We’ve decided to do it on certain high-risk items to start with,” he says.

2. IoT devices

Ozin says there are loads of IoT devices in the organization, “I’ve got IoT I don’t even know about.” This is a problem, especially when, for example, a local office decides to put in a door entry system without talking to anyone first. “They’re installing it, and the guy says, ‘Can I get the WiFi access key to the network?’ And someone might give it to them,” says Ozin.

Without zero trust on all the WiFi gateways, the company is using a workaround–a separate network for unapproved devices that doesn’t have access to any corporate data. PIB also has tools in place that lets them do audits to make sure that only approved devices are connected to the main network.

Gartner’s Watts agrees that IoT and OT can pose security challenges for companies. “It is more difficult to implement a zero-trust posture for those devices and systems. They have less assurances for identity.” If there’s no user, then there’s no user account, he says. “There’s no good way to authenticate if something should be on the network. It becomes a difficult problem to solve.”

Some companies will exclude IoT and OT from their zero trust scope because they can’t address this problem, Watts says. Some vendors, however, will help companies secure these systems, he says. In fact, Gartner has published a market guide for securing cyber-physical systems that includes Armis, Claroty, and Dragos. “But once you implement these technologies, you have to put more trust in the vendors. If they have their own vulnerabilities and challenges, attackers will find a weakness,” Watts tells CSO.

3. Privileged access

The insider threat risk is a problem for all companies. Zero trust won’t help in cases where a privileged insider may have valid permission to access sensitive resources, because this employee is trusted.

Other technologies can reduce the risk, says Ozin. “Someone might have all the privileges but are they suddenly on the internet at 3 am? You can put behavioral analytics next to the zero trust to catch that. We use that as part of our EDR [endpoint detection and response] and as part of our Okta login. We also have a data loss prevention program–are they doing 60 pages of printing when they don’t usually print anything?”

Insider threats are a major residual risk after zero trust controls have been implemented, says Gartner’s Watts. In addition, trusted insiders can be tricked into leaking data or allowing attackers into systems by social engineering. “Insider threats and account takeover attacks are the two risks that remain in a perfect zero trust world,” he says.

Then there’s business email compromise, where people with access to company money are fooled into sending the funds to the bad guys. “A business email compromise could be a deep fake that calls a member of the organization and asks them to wire money to another account,” says Watts. “And none of that actually touches any of your zero trust controls.” To deal with this, companies should limit user access so that if they are compromised the damage is minimized. “With a privileged account, this is difficult,” he says. User and entity behavior analytics can help detect insider threats and account takeover attacks. The key is to deploy the technology intelligently, so that false positives don’t stop someone from completely doing their job.

For example, anomalous activity could trigger adaptive control, like changing access to read-only, or blocking access to the most sensitive applications. Companies need to ensure that they don’t give too much access to too many users. “It’s not just a technology problem. You have to have the people and processes to support it,” Watts says.

According to the Cybersecurity Insiders survey, 47% say that overprivileged employee access is a top challenge when it comes to deploying zero trust. In addition, 10% of companies say that all users have more access than they need, 79% say that some or a few users do, and only 9% say that no users have too much access. A Dimensional Research study, conducted on behalf of BeyondTrust, found that 63% of companies reported having identity issues in the last 18 months that were directly related to privileged users or credentials.

4. Third-party services

CloudFactory is an AI data company with 600 employees and 8,000 on-demand “cloud workers.” The company has fully adopted zero trust, the company’s head of security operations Shayne Green tells CSO. “We have to, because of the sheer number of users we support.”

Remote workers sign in with Google authentication through which the company can apply its security policies, but there’s a gap, Green says. Some critical third-party service providers don’t support single sign-on or security assertion markup language integration. As a result, workers can log in from an unapproved device using their username and password, he says. “Then there’s nothing to stop them from stepping outside our visibility.” Technology vendors are aware that this is a problem, according to Green, but they’re lagging and they need to step up.

CloudFactory isn’t the only company to have a problem with this, but vendor security issues go beyond what authentication mechanisms a vendor uses. For example, many companies expose their systems to third parties via APIs. It can be easy to overlook APIs when figuring out the scope of a zero-trust deployment.

You can take zero trust principles and apply them to APIs, says Watts. That can lead to a better security posture–but only to a certain extent. “You can only control the interface you expose and make available to the third party. If the third party doesn’t have good controls, that’s something you typically don’t have control over.” When a third party creates an app that allows their users access to their data the authentication on the client could be an issue. “If it’s not very strong, someone could steal the session token,” says Watts.

Companies can audit their third-party providers, but the audits are typically a one-time check or are performed on an ad-hoc basis. Another option is to deploy analytics which can give the ability to detect when something being done is not approved. It gives the ability to detect anomalous events. A flaw in an API that is exploited might show up as one such anomalous event, Watts says.

5. New technologies and applications

According to a Beyond Identity survey of over 500 cybersecurity professionals in the US this year, handling new applications was the third biggest challenge to implementing zero trust, cited by 48% of respondents. Adding new applications isn’t the only change that companies might want to make to their systems. Some companies are constantly trying to improve their processes and improve the flow of communication, says John Carey, managing director of the technology solutions group at AArete, a global consulting firm. “This is at odds with the concept of data trust, which puts barriers in front of data moving around freely.”

That means that if zero trust is not implemented or architected correctly, there might be a hit to productivity, Carey says. One area this can happen is AI projects. Companies have an increasing number of options for creating customized, fine-tuned AI models specific for their businesses, including, most recently, generative AI.

The more information the AI has, the more useful it is. “With AI, you want it to have access to everything. That’s the purpose of AI, but if it is breached, you have a problem. And if it starts disclosing things you don’t want, it is a problem,” Martin Fix, technology director at technology consultant Star, tells CSO.

There’s a new attack vector, Fix says, called “prompt hacking,” where malicious users try to trick the AI into telling them more than they should by cleverly wording the questions they ask. One solution, he says, is to avoid training general-purpose AIs on sensitive information. Instead, this data could be kept separate, with an access control system in place that checks if the user asking the question is allowed access to this data. “The results might not be as good as with an uncontrolled AI. It requires more resources and more management.”

The underlying issue here is that zero trust changes how companies work. “Vendors say it’s easy. Just put in some edge security where your people come in. No, it’s not easy. And the complexity of zero trust is just beginning to come out,” zero trust leader for the US at KPMG Deepak Mathur tells CSO. That’s one big flaw that zero trust never talks about, he says. There are process changes that have to happen when companies implement zero trust technologies. Instead, too often, it’s just taken for granted that people will fix processes.

Source: csoonline

Check Also

CISA

CISA reveals 2 Industrial Control Systems Advisories

On October 1, 2024, CISA released two advisories regarding Industrial Control Systems (ICS), highlighting current …

Leave a Reply

Your email address will not be published. Required fields are marked *