Zero trust has been around for over a decade. But a 2021 presidential mandate will create a new urgency among US federal agencies and suppliers to implement it. Sensing a new way to sell products, security vendors are arguably hyping up the approach. However, as important as it may be in helping to mitigate cyber risk, it’s also worth remembering that zero trust is not a panacea.
Gartner warned recently that, over the coming three years, more than half of all cyber-attacks will be focused on techniques that zero trust controls can’t mitigate.
Traditional Security is Failing
Zero trust was originally devised in response to growing concerns about deficiencies in the classic perimeter-based security model. This ‘castle-and-moat’ approach – meaning no one outside of a network can access its resources, but everyone on the inside can – was fine when enterprise networks and their perimeters were fixed and clearly defined. But it’s no longer fit for purpose in a cloud and mobile-first world, where users might be logging on to access data via on-premises and cloud assets from anywhere on the planet.
As cybercrime has evolved and dark web knowledge sharing has accelerated the ability to launch sophisticated attacks, the stakes couldn’t be higher. An average breach costs nearly $4.4m globally today, rising even higher in some countries like the US ($9.4m) and sectors like healthcare ($10m).
Zero Trust to the Rescue?
Zero trust responds to these evolving trends by mandating that organizations follow the mantra ‘never trust, always verify.’ That is, users and devices should be continuously authenticated based on which resource they require access to and only be granted access according to ‘least privilege’ principles. Access controls themselves are simplified but enhanced with multi-factor authentication (MFA).
Undermining MFA
Now, that may seem like a pretty watertight set of principles. But it’s not a silver bullet for mitigating cyber-attacks. In fact, Gartner said in its report that attackers might try to bypass zero trust controls by “scanning and exploiting of public-facing APIs or targeting employees through social engineering, bullying or exploiting flaws due to employees creating their own ‘bypass’ to avoid stringent zero trust policies.”
Take MFA as one zero trust capability. There are, in fact, several ways to circumvent access controls already gaining traction among threat actors. They could use SIM swapping to gain control of user devices and generate/harvest one-time passwords (OTPs). They could use man-in-the-middle attacks to steal session cookies and hijack entire user sessions, giving them access to authentication credentials. Or they could use social engineering – perhaps to gain personal details on the victim, which could be used for over-the-phone verification. Social engineering also plays a big part in ‘MFA fatigue’ attacks, where the targets’ mobile phones are bombarded with MFA push notification prompts until they finally accept one, giving the threat actor access. It was a method used to successfully breach Uber last year.
There are yet more ways to undermine MFA, and therefore the zero trust model in which it plays a critical role. OTP bots are another one, helping to automate the interception of second-factor passwords.
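As an added illustration of the ‘MFA fatigue’ pattern described above (this is example detection logic, not code from the original article), the following Python flags a user who approves a push after an unusual burst of prompts; the log format, field names, sample entries and thresholds are constructed assumptions, not any vendor’s real schema.

```python
"""Detect 'MFA fatigue' bursts in push-authentication logs.

Assumed (constructed) log format: ISO timestamp, user, event,
where event is push_sent, push_denied or push_approved.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice receives five prompts in a few minutes and
# finally approves one; bob gets a single prompt and approves (normal login).
SAMPLE_LOG = """\
2023-05-01T09:00:01Z alice push_sent
2023-05-01T09:00:05Z alice push_denied
2023-05-01T09:00:40Z alice push_sent
2023-05-01T09:00:44Z alice push_denied
2023-05-01T09:01:30Z alice push_sent
2023-05-01T09:02:10Z alice push_sent
2023-05-01T09:03:20Z alice push_sent
2023-05-01T09:03:25Z alice push_approved
2023-05-01T09:10:00Z bob push_sent
2023-05-01T09:10:07Z bob push_approved
"""


def parse_log(text):
    """Turn raw log lines into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: approval_time} for every approval that was preceded by
    at least `threshold` push prompts within `window` (hypothetical limits)."""
    sent = defaultdict(list)   # user -> timestamps of prompts still pending
    alerts = {}
    for ts, user, event in sorted(events):
        if event == "push_sent":
            sent[user].append(ts)
        elif event == "push_approved":
            recent = [t for t in sent[user] if ts - t <= window]
            if len(recent) >= threshold:
                alerts[user] = ts
            sent[user].clear()  # a decision closes the current prompt burst
    return alerts


if __name__ == "__main__":
    for user, when in detect_mfa_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"possible MFA fatigue: {user} approved at {when.isoformat()}")
```

In practice the same logic would also consider denials and time-outs as signals and feed the alert into the SOC queue rather than print it.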
The bottom line is that zero trust is an important advance in cybersecurity that will help many organizations to mitigate cyber risk. Nevertheless, it’s also vital to recognize the limits of zero trust and put in place additional security controls and processes where possible, so that those limits don’t become a dangerous security blind spot.