The weakest vulnerability in your organization isn’t an unpatched system, an easy-to-guess password, or a beleaguered security team.
Instead, the most important vulnerability is something much broader and harder to manage: trust.
Over the last few weeks, we’ve seen a spate of cyberattacks, using a mixture of exploits and aimed at a number of sectors, that all abuse trust to break organizational security:
- The SolarWinds attack used a trusted update system to install malicious code in up to 18,000 organizations, including the Pentagon, the Department of Homeland Security, the National Nuclear Security Administration, hospitals, and major media outlets.
- Last week, a new campaign orchestrated by the same group behind SolarWinds (Nobelium) hacked USAID’s email provider, Constant Contact, to send emails containing malicious URLs to roughly 3,000 accounts at more than 150 international development and human rights groups.
- Hackers are leveraging changing COVID-19 restrictions to send fake emails ‘from’ Chief Information Officers to steal employees’ credentials.
(We don’t know for sure if the group that forced JBS Foods to shut down operations in the U.S. and Australia relied on similar tactics, but we’ll continue monitoring the story to see how trust played a role.)
Across all of these exploits, the bad guys are sending links or installs from a supposedly trusted source. Adapting to this can be challenging: in a complex, remote, work-from-anywhere society, we need to trust our colleagues, vendors, and systems to do our work, place orders, and make and receive payments.
Users need trust. But organizations can’t afford it. Online, trust can be a major liability.
We’ve discussed zero trust before: it isn’t a part number or a product. There’s no SKU for it or quick order form to buy it.
Instead, zero trust is a principle – it’s a mindset that security teams should start developing. Broadly, zero trust is the classic ‘least privilege’ mindset, just expanded to a wider scale. It’s a way to make the right cost/benefit tradeoffs to protect what matters most without slowing down your users or breaking your business.
One of the most effective ways to move toward zero trust is to prioritize identity and remember that identity and access management (IAM) and identity governance and administration (IGA) are expansive. They apply to your users, resources, applications, and your vendors: to apply zero trust’s ‘never trust, always verify’ model, you need to begin by setting governance policies that grant the right access to the right users, and by maintaining your list of their roles and privileges. Businesses need better, faster, and smarter ways to track and control that information.
Again, IAM and IGA are expansive: the recent Nobelium hacks underscore the need to inventory all systems and access and to provide strong authentication. Enterprise-wide, cloud-based systems like Office 365, Salesforce, Slack, and Constant Contact need stronger, risk-based authentication to ensure cloud security and protect both personal identities and sensitive organizational material. Moreover, the hacks also demonstrate the need for businesses to eliminate their vulnerability to stolen passwords and login credentials (and recoup significant savings) by going passwordless.
By identifying, managing, and reducing the amount of trust we give to users and resources, we can benefit from our connections and limit the damage that they can do to us, our colleagues, and our businesses. Ultimately, zero trust isn’t a destination: it’s a journey that we take, one in which we constantly learn and re-learn the trade-offs we have to make in an online world. Increasingly, it’s becoming a journey worth taking.