ZERO! Well, that is "zero trust", I mean.
We humans are so trusting. We trust our parents, our teachers, our clergy, our scientists, and even our politicians. Really?!
With all the news articles regarding abuses and unforgivable actions by all the above authority figures in our lives, I am amazed that people are still so trusting of emails, text messages, phone calls from people they do not know or are acquaintances.
The consensus in cybersecurity is to stop trusting anything or anyone and verify every transaction or request. You will read more and more about "zero trust" and programs that assist you with this new security concept. It is simple to follow - do not trust any user and verify everyone or any device you use, connect to, or communicate with. Bring your own device (BYOD) is an absolute no-no with zero trust. If the device is not managed and secure, how can you trust it? Work from home (WFH) exacerbates this issue with people using home computers or networks that are not well protected or maintained.
Zero trust also means verification and validation of internal users and devices. Do you have open ports in the office that anyone can plug into and get a connection? Do you share your Wi-Fi password? I see Wi-Fi passwords posted in offices all the time. Does your system monitor and alert when new devices are plugged in and connected? Does anyone pay attention? All these situations help demonstrate why zero trust is necessary.
Email accounts are compromised (hacked) every day. Why? Passwords are weak or easily cracked. "Zero trust" says use an additional verification step to confirm identity. Send a text code to a predetermined phone, require a pin from an authorization app or "fob", or call and phone verify personal information. Is the attempted login originating from a local internet connection or location that is approved? Or is it coming from North Korea or China? "Geofencing" - the use of location tools to block unusual locations, is a way "not to trust" the original request when something does not make sense geographically. Think about the time your credit card got blocked when you were traveling out of state. The credit card company wanted to make sure your credit card was not lost or stolen.
What is the Microsoft Zero Trust Framework?
"Microsoft has adopted a modern approach to security called “zero trust,” which is based on the principle: never trust, always verify. This security approach protects our company and our customers by managing and granting access based on the continual verification of identities, devices and services." This quote is from Microsoft’s website. I am sure you are getting more frequent prompts to login and verify your Microsoft sign-on with Office 365. Microsoft will alert you of unusual account activity as well. Third party companies have solutions to monitor this activity across all your devices and software applications.
Zero trust also requires not giving administrative permissions to users and not letting admins use their admin account for daily routine tasks. "Hardening" means tightening up security, turning off unnecessary services and access, and 24x7 monitoring of all activity.
Network isolation and separation is another principle and tactic used to create a zero trust environment. The major Target breach occurred because the HVAC system controls were on the same network as the point of sale system. By getting into the HVAC system, hackers were able to connect to the credit card systems. Today, isolation and virtual LANS (VLANs) are not just for voice and data. They can be used to separate the “Internet of Things” (IoT) connected devices. Cameras, thermostats, refrigerators, door locks and hundreds of other Wi-Fi connected devices should not be sharing your primary data network.
If you have not had a recent security assessment or would like to get a second or third opinion, visit our website at justinc.com/shieldact or give us a call at 833-CALL-JSI.
About the Author
As the Vice President, David Wolf is a technology visionary and serial entrepreneur with over 30 years of experience in the IT industry. David has achieved the highest industry security certifications of CISSP (Certified Information Systems Security Professional), CEH (Certified Ethical Hacker), and CCISO (Certified Chief Information Security Officer). He enjoys using his technical expertise to help fellow business owners get the most out of their IT.