The fall of passwords and the rise of Zero Trust
As technology has evolved, data breaches have evolved with it. The password, however, has remained the same security strategy throughout. Some statistics related to passwords:
- 52% of data breaches were caused by malicious attacks, and each breach costs on average $4.27 million
- 80% of hacking-related breaches are linked to passwords
- 50% of professionals reuse passwords across workplace accounts
- 49% sometimes or frequently share passwords with colleagues
- 37% of employees in technology and software businesses use multi-factor authentication
The above statistics make it clear that passwords are the weakest link in cyber defense. Other studies have also shown that users are aware of their organization's use of identity and access management systems.
Attackers find ingenious ways to steal passwords and privileged credentials from an organization's systems, so relying on passwords alone as an authentication and security measure is ineffective. Security measures based on the principle of Zero Trust are needed instead.
How hackers steal data
The Lockheed Martin Cyber Kill Chain framework identifies seven steps attackers usually take to achieve an intrusion and remain undetected for as long as possible.
- Reconnaissance – The first step: gathering information about people, hosts, and networks. An attacker may use scanning tools or comb press releases, the internet, social media, and other sources to learn which networks and hosts are involved and who uses them.
- Weaponization – The attacker uses the information gathered to prepare the attack, for example by crafting a believable phishing email or a fake login page designed to capture the victim's user name and password.
- Delivery – The attacker launches the attack: phishing emails with weaponized attachments, redirection to the fake page, or malware delivered by other means. The attacker then waits for the user to open the attachment or enter credentials.
- Exploitation – The delivered payload executes, or the attacker uses the stolen user name and password to log in to the network, often from a remote location.
- Installation – To retain access, the attacker installs a backdoor and may escalate to administrative rights and disable firewalls and other protection mechanisms on the system.
- Command & Control – The attacker establishes a channel to the compromised host, uses it to reach other computers, and takes control of parts of the network infrastructure, gaining broader access to data and applications.
- Actions on Objectives – The attacker now has the upper hand and pursues the objective: product designs, sensitive proprietary and personal information, user data, and other confidential material, either to monetize it or to harm the targeted organization.
Attackers have become more sophisticated and may not stick solely to the methods above to gain access to systems.
Why traditional cyber defense mechanisms don’t work
In the traditional setup, cyber defense is concentrated on the perimeter, on the assumption that attacks come from outside.
Though this protects against some forms of cyber threats, it cannot contain lateral movement once an attacker is inside, whether an insider or an outsider who has obtained a foothold.
Attackers sometimes win the confidence of internal staff or obtain passwords and thereby gain access to systems. The network infrastructure cannot tell friend from foe, so mechanisms to detect anomalies are imperative.
A new approach is needed that combines the existing concepts of "converged security", a dynamic perimeter and defense in depth with the tenets of Zero Trust.
The principle of Zero Trust curtails an attack before it begins, whether it originates inside or outside the organization.
The trust no one concept
Zero Trust is a security model, not a specific technology. Traditional perimeter-based approaches presume that data flows and access to data inside a protected network are trustworthy.
They assume that the access-protection mechanism cannot be circumvented by unauthorized entities; but once an unauthorized user does circumvent it, that model grants free movement inside the protected zone or context.
The Zero Trust model, by contrast, focuses on the data and demands that its flows, its locations and every access to it are visible at all times.
No environment is trustworthy unless it has been explicitly validated against a predefined set of criteria. Users, systems and processes are validated before any kind of action is permitted, whether a login, an automated process or a privileged activity. This is why the Zero Trust model is summed up as "never trust, always verify".
In practice, Zero Trust is a general approach built on micro-segmentation and fine-grained access-control policies that centre on protecting the data.
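To make the contrast between the perimeter model criticised above and the per-request validation Zero Trust demands concrete, here is an added example in Python. It is not code from the original article or from either of the sources it draws on. The corporate address range, the resource labels and roles, the request fields and the policy thresholds are all assumed for illustration; a real policy decision point would also weigh session risk and re-evaluate continuously rather than once at login.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample environment (assumed for illustration, not from the article):
# a corporate address range and a few resources with a sensitivity label and
# the roles allowed to touch them.
INTERNAL_NET = ip_network("10.0.0.0/8")
RESOURCES = {
    "wiki":         {"sensitivity": "low",  "roles": {"staff", "engineer", "hr"}},
    "hr-records":   {"sensitivity": "high", "roles": {"hr"}},
    "design-vault": {"sensitivity": "high", "roles": {"engineer"}},
}


@dataclass
class AccessRequest:
    """One request as seen by a policy decision point (hypothetical fields)."""
    user: str
    roles: frozenset
    source_ip: str
    resource: str
    action: str = "read"
    mfa_verified: bool = False
    device_managed: bool = False
    device_patched: bool = False


def perimeter_decision(req: AccessRequest) -> bool:
    """Traditional model: anyone already inside the network perimeter is trusted.
    Identity, device state and the sensitivity of the target play no part."""
    return ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_decision(req: AccessRequest):
    """Zero Trust model: every request is checked against identity, device
    posture and a per-resource policy. Network location grants nothing by
    itself, and an unknown resource fails closed. Returns (allowed, reasons)."""
    policy = RESOURCES.get(req.resource)
    if policy is None:
        return False, ["unknown resource (fail closed)"]
    reasons = []
    if not (req.roles & policy["roles"]):
        reasons.append("role not authorized for resource")
    if not req.device_managed:
        reasons.append("unmanaged device")
    if policy["sensitivity"] == "high":
        if not req.mfa_verified:
            reasons.append("MFA required for high-sensitivity resource")
        if not req.device_patched:
            reasons.append("device posture: unpatched")
    if req.action == "write" and not req.mfa_verified:
        reasons.append("MFA required for write")
    return not reasons, reasons


def compare(req: AccessRequest) -> dict:
    """Run both decision models on one request so the difference is visible."""
    zt_allowed, zt_reasons = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req),
            "zero_trust": zt_allowed,
            "reasons": zt_reasons}


# Constructed scenarios, including the one the kill chain above leads to.
SCENARIOS = {
    # Legitimate HR user, managed and patched laptop, MFA done, inside the office.
    "hr_user_in_office": AccessRequest("alice", frozenset({"hr"}), "10.1.2.3", "hr-records",
                                       mfa_verified=True, device_managed=True, device_patched=True),
    # Attacker using alice's phished password from a compromised internal host:
    # the password is correct and the address is internal.
    "stolen_creds_inside": AccessRequest("alice", frozenset({"hr"}), "10.5.5.5", "hr-records"),
    # The same legitimate user working remotely on a managed device.
    "hr_user_remote": AccessRequest("alice", frozenset({"hr"}), "203.0.113.7", "hr-records",
                                    mfa_verified=True, device_managed=True, device_patched=True),
    # Lateral movement: an engineer's account (or whoever holds it) reaching for HR data.
    "engineer_lateral": AccessRequest("bob", frozenset({"engineer"}), "10.2.2.2", "hr-records",
                                      mfa_verified=True, device_managed=True, device_patched=True),
}


def run_scenarios() -> dict:
    """Evaluate every constructed scenario under both models."""
    return {name: compare(req) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22s} perimeter={result['perimeter']!s:5s} "
              f"zero_trust={result['zero_trust']!s:5s} {result['reasons']}")
```

Run it directly to print the four scenarios. The stolen-credentials case is the one the kill chain leads to: the perimeter model admits it because the source address is internal, while the Zero Trust check denies it on device posture and missing MFA even though the password is correct. The remote case shows the other half of the argument: location-based trust blocks a valid request that a policy judging identity and device would allow, and the lateral-movement case shows a correctly authenticated account still being denied a resource outside its role.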
Zero Trust should not, however, be treated as a rigid principle to be enforced in every detail, and implementing it requires a prolonged transition involving extensive technology changes.
Many organizations already have elements of a Zero Trust model in their infrastructure which can be leveraged, so adoption can be incremental.
Information security requires a fine balance between the stringency of the implementation, the security benefits it brings, and its effects on usability and operability. One has to understand the principle, identify where it is useful and adapt it to one's own requirements alongside other measures and controls.
Thus password protection alone is not sufficient, especially in manufacturing and design, healthcare, and other industries that handle a lot of proprietary information. Securing such sensitive data requires a Zero Trust approach.