Security for an age of zero trust

Transcription

1 Security for an age of zero trust A Two-factor authentication: Security for an age of zero trust shift in the information security paradigm is well underway. In 2010, Forrester Research proposed the idea of a Zero Trust security model1, one in which the lines of trusted or untrusted users were becoming increasingly hard to credibly define. While the perspective of Forrester was related to thoughtfully inspecting the firehose of data flow from networks for signs of compromise, another view can be taken on this topic: how can we add trust back into the equation of users and network security?

2 Redefining the perimeter of information security At its core, information security is about control. The underlying goal of any security technology is to remove potential power from an attacker and shift it back into the hands of the good guys. The increasing decentralization of data and technology, caused by using cloud computing and mobile technologies, creates an increasing challenge for organizations to regain control. The days of single-vendor computing are gone. With a plethora of powerful and agile technology companies innovating daily, trying to model an information security program around one platform is nearly impossible. Without being able to maintain control, however, the trade-offs between risk and reward can be hard to reconcile. In light of this, the goal for an information security team or network administrator should be to answer the question, How can I leverage the agile nature of modern computing without losing control?" The underlying goal of any security technology is to remove potential power from an attacker and shift it back into the hands of the good guys. The Deperimeterization of Computing The rate at which users are going mobile and in-house applications are headed to the cloud has created an uncomfortable set of circumstances for a walled-garden information security program. With a lack of well-defined walls, how does an organization implement controls in a way that makes sense to their existing model llof security? The traditional wrapper of a firewall, IDS, and network virtual LANs aren t readily available for a majority of cloud related solutions, especially ones operating within the Software-as-a-Service (SaaS) model. There s a direct lack of control the farther you move up a typical cloud application stack. For many organizations, the ability to deploy a firewall or network ACL is a rarity in this evolving landscape.

3 The reality of deperimeterization Consider a business which has moved their Customer Resource Management (CRM) platform to a cloud service provider. Previously, in order for an attacker to gain access to private customer data, the attacker likely had to go through the following steps: Identify the company s external network space Determine potential external network or web application vulnerabilities to attack Attempt an attack, fail, and try again until one allows access into the network Completely bypass the Intrusion Detection System (IDS) system Locate the internal network host which provides CRM management Pivot from one VLAN to another where CRM access is available Steal an employee's credentials who has access to the data Leverage the stolen credentials, steal data, and transmit it out of the network, undetected In a cloud model for the same software, an attacker s steps are streamlined to: Find out which SaaS CRM the organization uses Phish or brute-force accounts for users (found on social media) at the company Login to the SaaS CRM with the credentials, click Export Data, and close the browser The adage that an increase in convenience is often to the detriment of security applies to this and many other scenarios concerning deperimeterization and security. By removing traditional security controls from the equation, the security of high value data is now more easily accessed by an attacker. Increased risks and increased exposures Not only are enterprises removing their traditional data security perimeters by increasing their use of cloud service models, but so are their end-users. With the advent of Bring Your Own Device (BYOD), consumer-facing SaaS offerings like

4 DropBox, and a seemingly endless choice of social networks, end-users contribute to the blurred lines between personal and business data and separation of privilege. While an organization s users may adhere to reasonable best practices for that organization s data, users may not be aware of security missteps they re making in their use of new technologies. From issues such as reusing corporate passwords on random Internet sites, to leaving data within third-party file sharing services, users are increasing the potential exposure of data and their own credentials. Authentication is the unifying factor and attackers know it While traditional network security models may be crumbling, the presence of some form of authentication control is still universally applied. Whether an end-user connects to a corporate VPN, a SaaS CRM, or a social network, authentication still provides the separation between immediate compromise and a fighting chance for data security. Attackers have been emboldened by the ease with which data can be stolen. No longer are they required to jump over a dozen hurdles to steal a corporation s data. In many cases, simply logging in as a user with stolen credentials will provide an organization s intellectual property in minutes. Because of this, attackers are focused more than ever on cracking password hashes, phishing credentials, bruteforcing logins, and all of the other common attacks against password-based authentication models. The Failure of Passwords According to Mandiant s research, 100% of security breaches involve the use of stolen credentials 2. A decade ago this statistic may have been more shocking, but it makes sense when you consider the prevalence of password reuse and success rates of attacks against user credentials via phishing and other methods. Because attackers no longer have to breach carefully deployed layers of a network to access

5 data, attackers have shifted their efforts to determining the easiest ways to gain access to an individual s credentials. Instead of spending time writing complex exploits for network software, attackers are simply sending your employees a phishing . All they have to do then is wait for someone to be tricked into giving them the inbound credentials that will allow them to access your organization s data. That scenario may not make an exciting of a story, but the results can be devastating. The reality of passwords and the end-user Because attackers no longer have to breach carefully deployed layers of a network to access data, attackers have shifted their efforts to determining the easiest ways to gain access to an individual s credentials. While hard-to-guess passwords have been a security best practice for decades, we continue to see weak passwords used in high volumes 3. The common use of weak passwords is revealed every time there is a public breach of an online service. In 2007, Microsoft Research found that the average web user had 25 accounts but only utilized 6.5 passwords among them 4, which is understandable, because who can keep 25 passwords in their head? In Internet time, a lot has happened since It s no stretch to assume that today the number of per-user accounts is more like 50 while the number of passwords is probably the same. With so many accounts to maintain, reusing passwords is likely the only way the average end-user can manage to remember them all without deploying a sticky note on their monitor. Even using password management software like LastPass is more complexity than the average user wants to deal with. If authentication fails, other security controls may not help Attackers succeed with stolen credentials because the act of impersonating a user is generally undetected by security controls. Users by their very nature interact with systems and data, which makes it exceedingly difficult to detect anomalies in most cases. Unless an attacker really makes their presence known, a system administrator will likely never notice there has been a breach.

6 When a user logs into a Virtual Private Network (VPN) they are often granted privilege and access similar to what they would have if they were physically in an office. By authenticating to the VPN an attacker can bypass traditional security controls such as a firewall and IDS, giving them direct access to data and infrastructure. This is just one example of how authentication is not just another layer of security, but rather a keystone to to the success or failure of many other mechanisms. Two-Factor Authentication Whether cloud or on-premise, mobile or local, the authentication of users remains a consistent part of the information security landscape. If an organization can strengthen their authentication mechanisms, the power shifts away from the attackers and back into an organization s favor. When a company utilizes two-factor authentication, attackers are unable to login with a set of credentials that they were able to compromise. This additional factor strengthens your password perimeter from a chain link fence into a brick wall for an attacker. Whether those credentials were stolen from a password-leak of a popular web site, guessed through a brute-force attack, or lifted during a phishing campaign, the attacker is out of luck. By using something that you have (such as your mobile phone) in combination with something that you know (like a password), the ability for an attacker to login as you becomes extremely difficult in a majority of cases. While an attacker in a foreign country may be able to steal your password online, they will not likely be motivated to hop on a plane to steal your mobile phone as well. As the deperimeterization of computing continues, authentication is the only place that strong security controls can be applied ubiquitously across the enterprise. When walls cease to exist, consistency of vendor disappears, and traditional security models no longer apply, authentication is the best hope for strong security to remain in-tact.

7 Two-factor, beyond other security controls, can be applied broadly from web applications to servers. In the never-ending fight for control, two-factor gives a fighting chance against the attackers who have nothing but time to break in and steal your organization s data. Duo Security is a pioneer in providing simple, secure, and affordable two-factor authentication solutions for business. Learn more at While an attacker in a foreign country may be able to steal your password online, they will not likely be motivated to hop on a plane to steal your mobile phone as well. 1. Build Security Into Your Network s DNA: The Zero Trust Network Architecture, Forrester, Published: November Dispelling The Myth: Bar of Security, Mandiant: 3. The science of guessing: analyzing an anonymized corpus of 70 million passwords, University of Cambridge, Published: May "A Large-Scale Study of Web Password Habits", Microsoft Research, Published: May 2007