Zero Trust; a different approach towards network security

We live in an age of tremendous digital presence and fast-growing online platforms. More than half of the world’s population has access to the internet [1], and the average American household is estimated to use 270 GB per month [2]. To say we heavily use the internet would thus be a major understatement, and it seems to be of growing importance in our daily lives. Research found that the average US adult spends nearly 3 hours a day on their phone, 90% of which in applications [3]. This also drives the trend that more and more personal information is shared on social media websites (e.g. Instagram, Facebook and TikTok). That these companies do not necessarily take the security of your shared information seriously has been proven time [4], after time [5], after time [6]. This introduces the theme of this article: the consumer’s responsibility, but even more so the new techniques which corporates can implement to safeguard that information.

This article places a strong emphasis on the various ways companies can protect the network and thus your accounts, predominantly focusing on the various forms of login protection and their characteristics. The examples above can be seen as pessimistic, but far worse can be imagined when the impact extends to, for example, one’s personal life. A main topic besides what you share is how you secure the account, in particular the strength of the password.

Unfortunately, awareness still needs huge improvement, since it is still common practice amongst customers and employees to use easy passwords for various websites (which contain personal information). This can easily have unimaginable consequences. Research was done by CNN [7] on the most commonly used passwords, which had “123456”, “123456789” and “qwerty” in the top 3 of most used passwords. These are easy passwords, since they only use either numbers or letters, and more importantly they can be found in that order on your keyboard. However, before you think “everybody is using them, perhaps I should do it as well”, there is a serious red flag to be taken into account. A list was published of the passwords most commonly identified after a data breach, and surprise, surprise, the top three is identical. The first password (“123456”) had even been identified in a whopping 23.2 million instances. Thus, when hackers are looking to gain access, these are the first passwords they try.

Image 1 – time it takes to hack a password [20]

Well, if an easy password is not the way to go, a very complicated password provides the answer, right? The combination and length of a password do make the chance of getting hacked significantly smaller [image 1]. However, if one has to change his/her password every month, for example, at some point it might be hard to remember a password or you might lose creativity. Something like “azerty12345” or “Warningpoint1” is relatively strong but perhaps hard to remember. This is where human ingenuity might come into play, which can be considered a privacy officer’s worst nightmare, since this is where sticky notes or notebooks enter the scene. Before you think “who would ever write down their password”, you’d be shocked by the answer. A survey was conducted [8] in which 1,000 people were asked about their password habits. Over 38% of the participants stated that they had passwords written down on a piece of paper (in the past or currently). What is the possible harm in this, some might ask themselves. One still needs to access the system, know the username and/or have a motivation to do so. This is perhaps the same reasoning the following two cases followed when writing down their passwords.

  • TV5Monde, a French television broadcasting company, conducted an interview with David Delos for the television show “13 Heures” in 2015. During this interview Delos was standing in front of a workstation covered with papers and Post-it notes. One of these notes contained the passwords for their Instagram, Facebook and YouTube channels. On Facebook, posts were made and the profile picture was changed before the passwords were changed. The password of their YouTube channel was “azerty12345” [9].
  • The Hawaii emergency management agency is responsible for managing emergency and crisis situations in Hawaii. In 2017, an interview was conducted which had a sticky note visible in the background stating the password “Warningpoint2”. This didn’t attract much attention until, in 2018, a warning message was sent out stating that there was a ballistic missile threat near the island of Hawaii. Later on, this turned out to be a hoax, and the message was retracted. Nonetheless, the citizens of Hawaii received a huge scare. The agency stated that these two events were unrelated and that the missile alert was sent out due to human error. The password was supposedly for a non-essential internal application, but many skeptics say the alert was the result of the agency being hacked [10] [11].

Obviously, these are examples with a big impact, but they could act as a warning signal that one should not write passwords down but try to remember them.

Both of these could have been prevented by multi-factor authentication or zero trust security, which form the basis for this article, as they are two ways to further protect the user’s privacy and increase network security.

 

Multi Factor Authentication

To overcome the weakness of a password, which is either too easy or written down (because it is too hard), there is the possibility of Multi Factor Authentication. Most of how this technique works is implied by its name: you need to go through more factors before you get access. You are probably familiar with receiving a text message including a randomly generated code, which you need to provide on another device in order to log in. The advantage here is clear: you need a second device that you indicated as your own in order to authenticate yourself. So even if someone has your password, they don’t have your phone, hence your account is more secure.

However, there are many ways and layers to Multi Factor Authentication, and not every extra step makes something Multi Factor Authentication. Basically, we can say there are three to four types of factors: physical, memory, a unique identifier and sometimes geographical factors [12] [13]. Physical makes sense, since you have a physical key in the form of a USB token or even a bank card. Memory is something you know, like a password, a PIN code or a security question. When checking for a unique identifier, think about your fingerprint, face, eyes or even your voice or patterns in behaviour like typing; it must be certain that this factor identifies you without others being able to copy it. Finally we have geographical, which is about the location where you are at that moment.

So the example with your phone definitely is a Multi Factor Authentication method. But there are simpler examples; probably the most widely used form of Multi Factor Authentication is your bank card with a PIN, and online banking also uses multi factor authentication, since you truly have two factors: one physical (either a bank card or a small login device from the bank [14]) and one of memory. Clearly, with the surge of the smartphone, the possibility of applying Multi Factor Authentication has increased and the costs have decreased. Therefore you can already find multi factor authentication implemented for many accounts.

However, there are a few things one should consider here. Most importantly, the extra security provided by a mobile phone is limited, as there are several ways to still get past this extra factor (for example by taking over your phone number). Besides, there is the burden which this extra login method places on users [15], since you always need to have your phone with you, have a signal, and it takes longer to log in. Is there no easier way forward?

 

What is Zero Trust Security?

Earlier in the article, zero trust security was named as one of the possible solutions alongside multi factor authentication. By now several issues within multi factor authentication have been discussed, such as the prolonged time of logging in with each approach to the network and the fact that hackers can still get past Multi Factor Authentication. So another way of managing authentication and authorization is needed in order to sufficiently secure companies. During the World Economic Forum (WEF) [16], world leaders from different sectors spoke on several issues such as sustainability and cyber security. On the topic of cyber security they concluded that a lot of improvement needs to take place in order to protect the economy. At the moment, they say, nearly 50% of companies fail to assess their hardware and software suppliers’ level of cyber risk. Hackers are proactively working to identify and exploit the weakest links in a value chain. The Zero Trust Security model should, according to the WEF [16], be the norm in securing the entire supply chain.

Zero Trust security is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether the request originates inside or outside the network perimeter. By removing the assumption that anything within the firewall should automatically be trusted, movement within the network is restricted. Phishing attacks and other attacks from within are thwarted, resulting in a safer network and safer data [17].

The strict identity verification concerns the back end and not what the users do. Zero Trust security basically conducts a risk assessment of every request to gain access to the network, but also of requests within the network to gain access to certain segments or information. Instead of assuming that every user within the network is safe, it rejects this bias and works on the assumption that every user is a potential source of a security breach [18]. Hence, all access requests are authenticated, authorized and encrypted within the network. Besides managing all requests within the network, it also manages the authentication process needed to log onto the network through contextual access management. “Contextual access management adds multiple facets to this process by judging every request within its context. In other words, it’s a system that makes decisions to grant or deny access based on a host of factors, not just the user’s role—factors like the location, the device, the type of request, and the timing of the request are weighted as well.” [19]. Thus, before providing an opportunity to log on to the network, a risk assessment is made and, based on that assessment, either a simple login option or a more advanced one is offered. For instance, if it is a managed device from within the vicinity, the risk of this user being a hacker with malicious intent is negligible. In that case a simple login option is provided, such as a 4-digit numerical password. However, if the user is working from an unmanaged device and is located in Somalia, there is a high chance the user is not authorised to have access to the network. In this case, the zero trust security model will require multi factor authentication before access is granted.
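The contextual risk assessment described above, as an added example (not code from the article or from the Okta post it quotes): each request is scored on device, location, time and request type, and the score selects a simple login, a step-up to multi factor authentication, or a refusal. The factors, weights, thresholds, countries and sample requests are constructed.

```python
"""Contextual access management: score each login request in context.

Added illustration, not code from the article or any product. Weights,
thresholds, expected countries and the sample requests are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

EXPECTED_COUNTRIES = {"NL", "BE"}   # where this (constructed) workforce normally works
OFFICE_HOURS = range(7, 20)         # 07:00 to 19:59 local time
MFA_THRESHOLD = 3                   # at or above: password plus a second factor
DENY_THRESHOLD = 8                  # at or above: no login form at all


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_managed: bool    # enrolled in the company's device management
    known_device: bool      # this device has completed a login for this user before
    country: str            # geolocation of the source address
    when: datetime          # local time of the request
    request_type: str       # "read" or "admin"


def risk_score(req: AccessRequest) -> Tuple[int, List[str]]:
    """Weigh every contextual factor, not just who the user is."""
    score, reasons = 0, []
    if not req.device_managed:
        score += 3; reasons.append("unmanaged device")
    if req.country not in EXPECTED_COUNTRIES:
        score += 4; reasons.append(f"unexpected location {req.country}")
    if req.when.hour not in OFFICE_HOURS:
        score += 1; reasons.append("outside office hours")
    if req.request_type == "admin":
        score += 2; reasons.append("privileged request")
    if not req.known_device:
        score += 1; reasons.append("first login from this device")
    return score, reasons


def decide(req: AccessRequest) -> str:
    """Translate the score into the login experience the user is offered."""
    score, _ = risk_score(req)
    if score >= DENY_THRESHOLD:
        return "DENY"
    if score >= MFA_THRESHOLD:
        return "REQUIRE_MFA"   # the unmanaged-device-abroad case in the text
    return "ALLOW_PIN"         # managed device nearby: a simple 4-digit login


# Constructed sample requests mirroring the two cases in the text, plus two more.
SAMPLE_REQUESTS: Dict[str, AccessRequest] = {
    "managed_office":   AccessRequest("alice", True,  True,  "NL", datetime(2020, 2, 10, 10, 0), "read"),
    "unmanaged_home":   AccessRequest("alice", False, True,  "NL", datetime(2020, 2, 10, 10, 0), "read"),
    "unmanaged_abroad": AccessRequest("bob",   False, True,  "SO", datetime(2020, 2, 10, 14, 0), "read"),
    "night_admin":      AccessRequest("bob",   False, False, "SO", datetime(2020, 2, 11, 2, 0),  "admin"),
}


def evaluate_all() -> Dict[str, str]:
    """Decision for every sample request, keyed by its name."""
    return {name: decide(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        score, reasons = risk_score(req)
        print(f"{name:17} score={score:2} {decide(req):12} {', '.join(reasons) or 'no risk signals'}")
```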

Even if the hacker gets past this, the zero trust security framework will minimise the possibility of lateral movement by the hacker within the network. It does so through micro-segmentation and least-privilege access principles. On top of that, rich intelligence and analytics are utilised in order to respond to anomalies in real time. Thus, Zero Trust Security not only manages the access point and the authentication but also provides the internal IT/security department with insights and tools to minimise the chance of security breaches.

Summarising the above, Zero Trust Security is based on the following five fundamental elements:

  • The network is always assumed to be hostile.
  • External and internal threats exist on the network at all times.
  • Network locality is not sufficient for deciding trust in a network.
  • Every device, user, and network flow is authenticated and authorised.
  • Policies must be dynamic and calculated from as many sources of data as possible [18].
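Principles three and four above, plus the micro-segmentation and least-privilege controls from the previous section, as an added example that is not code from the article or any product: every flow between workloads must prove its identity, and policy is written against identities and services rather than network position. Workload names, keys and the allow-list are constructed; the HMAC proof stands in for the mutual TLS a real deployment would use.

```python
"""Per-flow authentication and least-privilege authorisation between
micro-segments. Added illustration, not code from the article; workloads,
keys and rules are constructed, and the HMAC proof is a stand-in for mTLS.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

# Each workload holds a secret only it knows (stand-in for a client
# certificate). Sitting in the "right" subnet does not yield a key.
WORKLOAD_KEYS = {
    "web-frontend": b"constructed-key-frontend",
    "orders-api":   b"constructed-key-orders",
    "backup-agent": b"constructed-key-backup",
}

# Least privilege: every permitted (identity, service, port) is listed
# explicitly; anything not listed is denied, wherever the packet came from.
ALLOW_LIST = {
    ("web-frontend", "orders-api", 8443),
    ("orders-api",   "orders-db",  5432),
    ("backup-agent", "orders-db",  5432),
}


@dataclass(frozen=True)
class Flow:
    claimed_identity: str
    src_segment: str        # e.g. "dmz", "app", "data": logged, never trusted
    dst_service: str
    dst_port: int
    proof: bytes            # MAC binding the identity to this destination


def _proof(key: bytes, identity: str, dst_service: str, dst_port: int) -> bytes:
    msg = f"{identity}|{dst_service}|{dst_port}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def open_flow(identity: str, src_segment: str, dst_service: str, dst_port: int) -> Flow:
    """What a legitimate workload does: prove its identity with its own key."""
    proof = _proof(WORKLOAD_KEYS[identity], identity, dst_service, dst_port)
    return Flow(identity, src_segment, dst_service, dst_port, proof)


def authorise(flow: Flow) -> Tuple[str, str]:
    """Enforcement point: authenticate the flow first, then apply least privilege."""
    key = WORKLOAD_KEYS.get(flow.claimed_identity)
    expected = _proof(key, flow.claimed_identity, flow.dst_service, flow.dst_port) if key else b""
    if not key or not hmac.compare_digest(flow.proof, expected):
        # Principle 3: arriving from an internal segment proves nothing.
        return "DENY", f"unauthenticated flow from segment {flow.src_segment}"
    if (flow.claimed_identity, flow.dst_service, flow.dst_port) not in ALLOW_LIST:
        # A compromised frontend cannot pivot straight to the database.
        return "DENY", "no least-privilege rule for this identity and service"
    return "ALLOW", "authenticated identity with an explicit rule"


def demo_flows() -> Dict[str, str]:
    """Three constructed flows: a normal one, a lateral-movement attempt by a
    valid identity, and a host in the data segment claiming an identity
    without holding its key."""
    legit = open_flow("web-frontend", "dmz", "orders-api", 8443)
    pivot = open_flow("web-frontend", "dmz", "orders-db", 5432)
    spoof = Flow("backup-agent", "data", "orders-db", 5432, b"\x00" * 32)
    return {"legit": authorise(legit)[0], "pivot": authorise(pivot)[0], "spoof": authorise(spoof)[0]}


if __name__ == "__main__":
    for name, verdict in demo_flows().items():
        print(f"{name}: {verdict}")
```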

 

Implementing Zero Trust Security

Now that it is clear what Zero Trust Security is, what is needed to implement it within your company? Zero Trust Security is not a technology which can simply be installed; it is more a framework which manages the use of several tools and data analytics. Leveraging tools such as security information management, advanced security analytics platforms, security user behaviour analytics and other analytics systems assists security experts in observing all activities and detecting anomalies. If anomalies are detected, it also enables the security expert to organise the defences more intelligently [17]. Using machine learning also enables the defensive measures to detect anomalies faster the longer they have been in place, hence developing a proactive security approach which applies security measures before an actual incident takes place.

When reading all of this you might find it surprising that, although Zero Trust Security is on the rise, in absolute terms it is not implemented by that many companies. This is due to the difficulties and time constraints associated with implementing the zero trust security model. One of the main issues is the lack of off-the-shelf solutions which can be implemented straight away. There are several tools available, but the combination of these tools will probably not secure the entire network. The gaps left by such a combination of tools have in the past led to only partial implementation of solutions and subsequently provided an opportunity for hackers to gain access to otherwise restricted networks. As mentioned, another issue concerns the time and cost of implementing the model. Given that the zero trust security model is relatively new, being developed in 2010 [18], most networks are not built using the model. This in turn means that when implementing the model, it also needs to be adjusted to the network which is in place. Consequently, a network analysis needs to be conducted in order to determine network hardware, services, traffic and so on. After this, all of it needs to be secured in accordance with the zero trust security model. This leads experts to suggest that the implementation project should be measured in years instead of months.

 

What are the implications to Cyber Security?

As explained in the beginning, hacking is on the rise and hacks take place at any company. To quote Robert Mueller (former director of the FBI): “the question is not if a company gets hacked, but when a company gets hacked”. In a time when security breaches happen at an increasing rate, sufficient security should be at the top of every company’s to-do list. How to assure sufficient security is a question which is correspondingly relevant for all companies. Often, part of the answer is upgrading password requirements and forcing quarterly renewal of the password. However, this also leads to behaviour amongst employees which endangers security. Consequently, a way should be found to upgrade the security level without causing reckless behaviour. One way to do so is the implementation of multi factor authentication; even though it can frustrate employees, it is an improvement in the process of granting access to users and prevents unauthorized access to systems and applications. Besides the possible frustration, there are still possibilities for hackers to bypass multi factor authentication. Optimally, companies start implementing zero trust security models, leading to a network environment which is not only protected at the point of entrance but also secured from within, preventing hackers who have gained access from roaming free within the network.

Hence, instead of merely controlling the password settings and configuration, organizations should focus on the implementation of zero trust approaches to security, to improve security within the company without causing negligent and risky behaviour amongst their employees. This does not make the usage of passwords obsolete, but it does make generating difficult passwords obsolete, since that is no longer seen as an added value. Obviously there are challenges when implementing zero trust security, as addressed earlier in this article. However, the time constraint also means that implementation needs to start now in order to be well protected in the future. During the implementation of zero trust security, multi factor authentication is implemented as well, and it is enforced on the user whenever the risk indicators assess it as vital.

Taking all of these facts into consideration, zero trust security models should be implemented widely as a security solution. This would prevent most current hacking techniques from being effective and mitigate the damage when hackers do gain access. In order to achieve the increasing implementation of the zero trust security model, a change of mindset and of the way we look at cyber security is needed. It is no longer sufficient to only protect the network at the entrance gate through firewalls and corresponding measures. Instead, all requests and actions within the network, as well as requests to gain access, should be treated with zero trust.

 

Sources:

  1. J. Clement, 2019: “Internet usage worldwide, statistics & facts” retrieved in February 2020 from: https://www.statista.com/topics/1145/internet-usage-worldwide/
  2. P. Britt, 2019: “Report: U.S. Household Broadband Data Consumption Hit 268.7 Gigabytes in 2018” retrieved in February 2020 from: https://www.telecompetitor.com/report-u-s-household-broadband-data-consumption-hit-268-7-gigabytes-in-2018/
  3. Y. Wurmser, 2019: “US time spent with mobile 2019” retrieved in February 2020 from: https://www.emarketer.com/content/us-time-spent-with-mobile-2019
  4. K. Webb, 2019: “The Russian Photo App That Makes You Look Old Is Probably Keeping Your Data” retrieved in February 2020 from: https://www.sciencealert.com/viral-russian-app-that-makes-you-look-old-is-probably-keeping-your-data
  5. H. Osborne, H. J. Parkinson, 2018: “Cambridge Analytica scandal: the biggest revelations so far” retrieved in February 2020 from: https://www.theguardian.com/uk-news/2018/mar/22/cambridge-analytica-scandal-the-biggest-revelations-so-far
  6. B. Nagtegaal, 2018: “Gegevens van 500 miljoen hotelklanten gestolen bij hack Mariott” retrieved in February 2020 from: https://www.nrc.nl/nieuws/2018/11/30/gegevens-van-500-miljoen-hotelklanten-gestolen-bij-hack-marriott-a2868375
  7. R. Picheta, 2019: “The most commonly hacked passwords, revealed” retrieved in February 2020 from: https://edition.cnn.com/2019/04/22/uk/most-common-passwords-scli-gbr-intl/index.html
  8. N. Lord, 2018: “Uncovering password habits: are users’ password security habits improving?” retrieved in February 2020 from: https://digitalguardian.com/blog/uncovering-password-habits-are-users-password-security-habits-improving-infographic
  9. S. Machkovech, 2015: “Hacked French network exposed its own passwords during TV interview” retrieved in February 2020 from: https://arstechnica.com/information-technology/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/
  10. L. Vaas, 2018: “Hawaii emergency management stuck a password on a sticky note” retrieved in February 2020 from: https://nakedsecurity.sophos.com/2018/01/18/yes-hawaii-emergency-management-stuck-a-password-on-a-sticky-note/
  11. HNN Staff, 2018: “Yes, that is a password stuck to a screen at Hawaii’s emergency management HQ” retrieved in February 2020 from: https://www.hawaiinewsnow.com/story/37279882/yes-that-is-a-password-stuck-to-a-screen-at-hawaiis-emergency-management-hq/
  12. National Institute of Standards and Technology (NIST), 2016: “Back to basics: Multi-factor authentication (MFA)”, retrieved in February 2020 from: https://www.nist.gov/itl/applied-cybersecurity/tig/back-basics-multi-factor-authentication
  13. Microsoft Azure, 2019: “Hoe werkt het? Azure Multi-Factor Authentication”, retrieved in February 2020 from: https://docs.microsoft.com/nl-nl/azure/active-directory/authentication/concept-mfa-howitworks
  14. ING, 2018: “How does two-step authentication work?”, retrieved in February 2020 from: https://www.ing.be/en/business/my-business/secure-business/2-steps-authentification 
  15. W. J. Heaven, 2019: “Multi-Factor Authentication: A waste of your time?”, retrieved in February 2020 from: https://www.hbkcpa.com/multi-factor-authentications-a-waste-of-your-time/
  16. K. Bissel, C. Froelich, P. Gillen, R. Wainwright, R. Kariger, J. Alkove, A. Dagostino, P. Foster, P. Adams, G. de Moura & T. Oerting, 2019: “The Cybersecurity Guide for Leaders in Today’s Digital World”. Retrieved in February 2020, from: http://www3.weforum.org/docs/WEF_Cybersecurity_Guide_for_Leaders.pdf
  17. P. Greco, 2019: “A Practical Approach to Implementing Zero Trust Security” Retrieved in February 2020 from: https://www.productivecorp.com/blog/implementation-and-optimization/a-practical-approach-to-implementing-zero-trust-security/
  18. V. Bozicevic, 2019: “How to Implement Zero Trust Security” Retrieved in February 2020 from: https://www.globaldots.com/blog/how-to-implement-zero-trust-security
  19. K. Wang, 2018: “Contextual access management, what does it actually mean?” Retrieved in February 2020 from: https://www.okta.com/blog/2018/05/contextual-access-management-what-does-it-actually-mean/
  20. Image 1 – K. Cala, 2015: “Contraseña Segura y Robusta” Retrieved in February 2020 from: https://twitter.com/vtacpayroll/status/1074751651007905792

Article by Alex Muller