Security Think Tank: How much digital trust can you place on zero-trust?
The year 2022 has been unabating in the number of high-profile breaches and cyber criminal gangs, on top of nation-state actors, participating in geopolitical conflicts. Companies across industries, including those in energy, tech and telecoms, continue to be breached.
With many countries relaxing lockdown rules following the Covid-19 pandemic, and as more millennials and gig workers demand it, companies continue with remote work-from-home practices. Zero-trust, as a principle and as an approach, has become more crucial in realising this future of work in the form of anytime, anywhere secure computing.
Digital supply chain attacks are increasing. Not too long ago, there was the SolarWinds Sunburst attack in December 2020 and then the Log4Shell attack in December 2021. There was a scare with the OpenSSL vulnerability released in early November 2022, but thankfully, it only impacted a very small number of installations.
As we look at what is happening around us in the digital world, is zero-trust truly a panacea in this acceleration of digital transformation, Industry 4.0, Everything 4.0, as some suppliers would lead us to believe?
To put things in perspective, zero-trust deployment and maturity differ from organisation to organisation. While there are many other considerations that could be highlighted, in my experience the following five points are worth noting in any pursuit of zero-trust in 2023:
Challenge of implementing zero-trust on the digital supply chain
Companies are still facing challenges creating inventories for the software components and libraries that various commercial and open source solutions and services use. After the SolarWinds and Colonial Pipeline attacks, the US president’s executive order in May 2021 highlighted the importance of software bill of materials (SBOM). Unfortunately, SBOM is still some distance away from being realised, and SBOM could not prove its worth in determining Log4J deployments when the Log4Shell attack risk was made known in December 2021. More needs to be done.
There is also a need to focus on zero-trust as part of a secure software development life-cycle (SSDLC). This must also include application programming interface (API) security, as increasingly, improperly secured APIs get targeted for data breaches. The deployment of zero-trust has to extend beyond SSDLC into enterprise architecture design and consider the management of developer and third-party identities and accesses.
We have seen how open source software and libraries – such as Log4J, OpenSSL and Libc – have been targeted in recent years. Although such software and libraries are maintained by volunteers, they have been heavily depended upon by commercial software. Even though the community has stepped up vigilance by forming open source bug bounty programmes, such as the Secure Open Source Rewards (SOS.dev) programme, much work is still needed in this space.
Another consideration is the increased reliance on single providers, including identity providers. Concentration risk needs to be assessed and managed. Defence-in-depth and defence-by-diversity with sound business continuity plans are still paramount in mitigating such risks.
Inadequate implementation of zero-trust to prevent MFA fatigue attacks
One fallacy in typical deployments of multifactor authentication (MFA) is missing blind spots, focusing on web-based authentication and forgetting about native authentication due to rich mobile clients, allowing such single-factor authentication backdoors to be exploited by intruders through credential stuffing attacks.
To rub salt into the wound, some of the recent eyebrow-raising attacks include MFA fatigue (also known as “MFA bombing”) attacks that resulted in breaches at Uber, Microsoft and Cisco.
Therefore, the myth that MFAs – especially in their weaker forms, such as via SMS or push notifications – are silver bullets for preventing unauthorised access must be dispelled. Humans are still the weakest links despite MFA, as successful breaches have proved.
This MFA fatigue threat needs to be adequately modelled and evaluated to ensure that it is mitigated with the right protection and detection. Compensating controls may come in the form of FIDO hardware tokens or add-on trusted end-device authentication.
Zero-trust deployment not considering the major principle of assume breach
One very important principle of zero-trust that is often understated is assumed breach.
All too often, some identity and access management (IAM) product suppliers are quick to share how they can help enterprises achieve zero-trust. This is all well and good, except for the fact that they often cover the first two principles of i) verify explicitly and ii) use least privilege access, but not enough of iii) assume breach.
While the first two principles help to limit any attack blast radius and hinder a breach as it steps through the attack kill chain, the third and last principle is critical to effective and efficient detection and containment of a breach in the ability to detect fast, contain fast and recover fast. If we believe that breaches are inevitable, assume breach requires a bigger stage.
Assume breach entails: practising SANS active cyber defence; implementing the observe-orientate-decide-act (OODA) approach, which necessitates the need to subscribe to sufficient cyber threat intelligence (CTI); elevating the maturity of threat hunting processes, not just searching for indicators of compromise (IoCs), but indicators of behaviours (IoBs) and tactics, techniques and procedures (TTPs); using reliable behavioural-based tools; and deploying decoys, honeypots and security orchestration, automation and response (SOAR) solutions.
Such solutions, effective if deployed and maintained correctly, would be in vain if they are not supported by sound processes and trained professionals.
With the increase of triple-extortion ransomware and ransom cartels, it is important to zoom in on decoys. The deployment of time-based database honeytokens shortens incident response time by allowing an enterprise to quickly determine whether the source of a data leak arose from any system breach within the enterprise or was the result of a case of re-hashing of past leaked data from breach databases.
Zero-trust only considered in the realm of the digital
Let’s ask ourselves this question: would any of us allow the levels of sodium hypochlorite that is used to disinfect treated water we drink from the taps to be manipulated by an engineer working from a cyber café? Consider, in this scenario, that zero-trust principles are adhered in the digital realm, MFA is in place, there is protection against MFA fatigue attacks and only company-issued notebooks are authorised for such access.
Where lives are concerned, especially with critical information infrastructure (CII), zero-trust needs to consider the physical realm as well. Could the engineer be coerced under duress? Will their kids accidentally play around with the human-machine-interface (HMI) user interface as if it were just a game?
Physical security with preventive and detective controls – such as the deployment of security guards, electric fences, controlled biometrics access, CCTVs, and so on – are physical aspects of zero-trust that must be considered, especially for CII. Anytime, anywhere secure access is only comprehensively assessed when the physical realm is considered alongside the digital realm.
Cyber insurance as a panacea to risk transfer as part of assume breach principle of zero-trust
We have learned from interviews with ransomware groups that they favour targeting the clientele of cyber insurance companies because of guaranteed payouts. And with geo-political tensions, the risk of ransomware and killware attacks being categorised as act of war exclusions has elevated. Already this year, Lloyd’s of London is placing the requirement that cyber policies written in the insurance market have an exemption for state-backed attacks.
Also, insurance helps in financial recovery at best, and very little can be done against reputational damage. Therefore, good cyber risk governance must be the primary and predominant approach in dealing with growing cyber risks.
Good governance is not about the utopian view of eliminating cyber risk together, but in realising that there is no perfect cyber security and breaches are inevitable. It is about realising maximum business benefits while optimising risk and resources through adequate cyber resilience.
For zero-trust to work, the devil truly lies with the details. It is important to: regard industry nuances; consider cyber maturity, assumed breach, proper threat modelling, and a risk-based approach; and assess the physical realm on top of the digital realm in establishing both digital trust and business resilience.
Not least, I believe we can continue to forge ahead with great strides into 2023 and beyond by working more closely together in a global digital ecosystem, flipping the asymmetry of attacks by sharing threat intelligence and best practices through communities of practice, such as the professional bodies ISACA and ISACs.
We are as always only as strong as our ecosystem, and together we can journey with the right approaches towards digital trust and business resilience.
Steven Sim Kok Leong, CGEIT, CISA, CRISC, CISM, CDPSE, is a member of ISACA’s Emerging Trends Working Group