As more critical data and business information is stored on an organization’s network, we face an increasing risk of cyber breaches and attacks. Any device that connects to the internet, including a seemingly innocuous mobile app or a massive enterprise computer system, leaves vulnerabilities that hackers can exploit to access and steal sensitive data.
Cybercrimes are increasing at an alarming rate, putting cybersecurity at the forefront of concern for governments and businesses around the world. With many high-profile breaches, companies understand the potential risks to their finances and reputation if they don’t step up their security.
Most cybersecurity measures focus on protecting sensitive information from malicious actors outside the organization. But what about the threat from within?
Some of the most damaging and high-profile attacks in recent years have been the result of insider threats, that is, compromised identities. Whether accidental or intentional, these threats leave a large gap in a company’s cyber risk posture.
The threat from inside your company
Some of the biggest breaches we’ve seen recently have been carried out by nefarious parties in foreign countries or have followed massive technological failures that left businesses vulnerable at the wrong time. We can sit and watch with some degree of detachment, assuming we are not at the same risk.
Unfortunately, that couldn’t be further from the truth. Of course, major breaches like SolarWinds and Colonial Pipeline were carried out by sophisticated parties in other countries, but they came from the same source: compromised identities.
Take the SolarWinds breach, for example. It was a sophisticated attack by foreign hackers, but its source was compromised credentials. Hackers waited for the best time, which was during a routine software update.
Many parts had to be in motion for the breach to occur. The compromised identity had to download the contaminated update and deploy it, and the affected systems then had to connect to the internet to give the attacker the chance to communicate with the servers.
The results have been enormous. The hackers found their way into the Cybersecurity and Infrastructure Security Agency, or CISA, of the Department of Homeland Security. Embarrassingly, this is the same organization that protects federal computer networks from cybercrime.
However, this situation is not limited to SolarWinds. The Colonial Pipeline Attack also came from compromised credentials in the form of a password. The hackers were able to infiltrate the system to achieve their goal: to disrupt the fuel supply to the Southeastern United States via key conduits that carry fuel from Gulf Coast refineries to the entire East Coast.
In this case, simply implementing multi-factor authentication could have prevented hackers from gaining access. If the attacker had to go through this extra step and failed, he would not have had access to the network to achieve his goal.
The reality is that no matter how stringent a cybersecurity protocol, people remain the weak link. Regardless of industry or company size, people are always involved in the process and can create openings for hackers, intentionally or unintentionally.
Here are the main types of insider risk:
- Human error: Human error is always a risk when people are involved. Simple mistakes, such as having a device stolen or sending confidential data over an unsecured network, can end up creating an opening for a hacker. The error may be small, but the consequences can be staggering.
- Password leaks and malicious intent: People will always be prone to mistakes and oversights that can lead to a security vulnerability, but sometimes employees willfully leak passwords and other information to harm the business or for financial gain.
- Misused identities: Cybercriminals know people are a weakness and often try to steal identities to gain access to a network. This can be done with malware or phishing attacks, credential theft, etc. Once the hacker has access to the system, he can move freely to find the information he wants.
Worse still, when the threat comes from trusted sources, it is not detected as quickly. Hackers can also cover their tracks and erase any evidence of their activities to make it more difficult for a forensic investigation to reveal the source.
Restrictive security policies are important for preventing and defending against cybercrime, but they don’t always include plans to handle compromised identities. Additionally, stringent cybersecurity measures can be a barrier to innovation and productivity.
Implementation of zero trust
Accompanied by a comprehensive cybersecurity protocol, a Zero Trust architecture should be implemented to improve the user experience while meeting the security needs of an organization.
With zero trust, the basic principle is that everything comes from an untrusted source. The network is no longer trusted for the sake of it, and everything is assumed to be a violation unless proven otherwise – never trust, always verify.
This model requires all users to be authenticated, authorized, and validated before they can access applications, the network, or data. The implementation of least privilege access and micro-segmentation also prevents hackers from moving laterally through the system. If a breach occurs, analytics can be used to detect and respond to threats.
Zero trust is based on these principles:
- Scalable scope: Traditional cybersecurity once required the protection and defense of the perimeter, or “castle wall”. With teleworkers and cloud storage centers, perimeter protection is no longer enough. Zero Trust integrates security across the entire network.
- Verification and authentication: All users must be authenticated and verified against available information including device service, location, identity, workload, etc.
- Principle of least privileged access: The principle of least privileged access provides privileged access only when needed. Instead of maintaining privileged access at all times, this principle only gives users the access they need, and only for as long as they need it, and then it is taken away.
- Assume a violation: Zero trust is not only designed to prevent threats, but it minimizes damage if a threat occurs. With microsegmentation, a compromised account has limited access with which to do damage, and the “blast radius” of the breach is minimized. In the event of a breach, analytics can be used to determine threats and improve defenses.
- No inherent trust: The Zero Trust architecture assumes that everyone is guilty until proven innocent. All requests for applications and services must first be verified, at the perimeter, before access is granted.
- Workforce, workplace, workload: Workforce refers to establishing user and device trust levels to assign privileges. The workplace refers to the implementation of trust-based access control. Workload refers to the prevention of unauthorized access within segmented networks.
- Continuous trust verification: Users must establish trust by verifying their identity in several ways, including multi-factor authentication and device location. This guarantees the least privileged access.
Zero trust is a holistic approach that considers multiple entry points, such as:
- Identities: Every identity is verified and secured with authentication.
- Endpoints: Compliance and health must be verified before access is granted.
- Applications: Appropriate in-app permissions, secure analytics-based access, and monitoring and control of user actions limit app risks.
- Data: Perimeter-based protection is secondary to data-based protection. Intelligence classifies data, while encryption and access restriction limit access based on existing policies.
- Infrastructure: Telemetry is used to detect suspicious behavior and detect attacks.
- Network: The network is fully protected with encryption, limited access, microsegmentation and real-time threat detection.
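The principles listed above (verification against identity, device and location signals, just-in-time least privilege, micro-segmentation, and logging every decision so a breach can be detected) can be shown together in a small policy decision point. This is an added example written for this article, not code from the author or from Delinea; the request fields, segment names and the minute-based clock are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """One access request with the signals a zero-trust policy evaluates."""
    user: str
    mfa_passed: bool        # continuous verification: MFA satisfied on this session
    device_compliant: bool  # endpoint health/compliance check result
    country: str            # location signal
    source_segment: str     # micro-segment the request originates from
    target_segment: str     # micro-segment hosting the application or data
    action: str             # "read" or "admin"
    at: int                 # request time, minutes on a constructed clock


@dataclass
class PolicyEngine:
    allowed_countries: set
    segment_links: set                               # allowed (source, target) pairs
    jit_grants: dict = field(default_factory=dict)   # user -> admin expiry (minutes)
    log: list = field(default_factory=list)          # telemetry for detection

    def grant_admin(self, user: str, now: int, minutes: int = 30) -> None:
        """Just-in-time privilege: admin rights exist only until the expiry."""
        self.jit_grants[user] = now + minutes

    def decide(self, r: Request) -> tuple:
        """Default deny: every check must pass, and every decision is logged."""
        allowed, reason = self._evaluate(r)
        self.log.append((r.user, r.action, r.target_segment, reason))
        return allowed, reason

    def _evaluate(self, r: Request) -> tuple:
        if not r.mfa_passed:
            return False, "mfa_required"
        if not r.device_compliant:
            return False, "device_not_compliant"
        if r.country not in self.allowed_countries:
            return False, "location_not_allowed"
        if (r.source_segment, r.target_segment) not in self.segment_links:
            return False, "segment_not_reachable"      # blocks lateral movement
        if r.action == "admin":
            expiry = self.jit_grants.get(r.user)
            if expiry is None or r.at >= expiry:
                return False, "privilege_expired_or_absent"
        return True, "ok"

    def denied(self) -> list:
        """Denied decisions: the raw material for spotting a compromised identity."""
        return [e for e in self.log if e[3] != "ok"]
```

A burst of denials for one user across segments they never normally reach is the kind of signal the "assume breach" principle expects the telemetry to surface.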
Combat security threats from compromised identities
Zero Trust has been around for over a decade, but in a world facing increased cybercrime, it has never been more important. Companies have a wealth of sensitive data and geographically dispersed teams and networks, requiring more than just perimeter protection. Compromised identities pose a cybersecurity risk to any organization, and the best way to increase security is with least privileged access and zero trust guiding principles.
About the Author: Joseph Carson is a cybersecurity professional with over 25 years of experience in enterprise security and infrastructure. Currently, Carson is the Chief Security Scientist and Advisory CISO at Delinea. He is an active member of the cybersecurity community and a Certified Information Systems Security Professional (CISSP). Carson is also a cybersecurity advisor to several governments, critical infrastructure organizations, and financial and transportation industries, and speaks at conferences globally.