The work-from-home business model inspired by a global pandemic doesn’t appear to be changing any time soon. As such, now more than ever, organizations need a new cybersecurity model that more effectively adapts to the complexity of the modern environment; embraces the mobile workforce; and protects people, devices, apps, and data wherever they’re located.
Enter the Zero Trust Security model.
The Zero Trust Security model was created in 2010 by John Kindervag, who, at the time, was a principal analyst at Forrester Research. Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access. No single specific technology is associated with Zero Trust architecture; it is a holistic approach to network security that incorporates several different principles and technologies.
Zero Trust Security is more important than ever, as the number of cyber attacks has exploded since February. Most cybersecurity experts cite two reasons. First, attackers are using COVID-19 as bait to mislead employees and consumers; and second, the large number of professionals now working from home has increased the risk of removable media passing malware from home to office.
Consider the following data points:
- Since February, when the coronavirus pandemic started to grab hold of the United States, Deloitte’s Cyber Intelligence Centre has reported a spike in phishing attacks, malicious spam, and ransomware attacks that use COVID-19 to bait users.
- The FBI has reported a 400% increase in cyber attacks from what was being reported prior to the coronavirus pandemic.
- Ransomware attacks increased 148% from February to March alone, according to VMware Carbon Black.
These statistics not only make a strong case for Zero Trust Security, but also pretty much mandate it.
Traditional IT Networks vs Zero Trust Security IT Networks
Traditional IT network security is based on the castle-and-moat concept. In castle-and-moat security, it is hard to obtain access from outside the network, but everyone inside the network is trusted by default. The problem with this approach is that once an attacker gains access to the network, they have free rein over everything inside.
The philosophy behind a Zero Trust network assumes that there are attackers both within and outside of the network, so no users, machines, or devices should be automatically trusted.
Had the National Security Agency (NSA) implemented a Zero Trust Security network prior to 2013, there’s a good chance no one would have ever heard about Edward Snowden. As a subcontractor for the NSA, Snowden had the appropriate credentials to access the network. However, without Zero Trust Security in place, once Snowden was granted access to the network, there was nothing to stop him from downloading top-secret material. Had the principles of Zero Trust been fully implemented, Snowden’s activities would have been more easily discovered, if not prevented outright.
Start with “Device Trust”
Earlier this year, Tony Kueh, vice president of product management at VMware, published “A Practical Guide to Zero-Trust Security” on ThreatPost.com. His playbook included five different pillars to implement when moving to a Zero Trust Security model. The first pillar he listed? Device Trust. (Kueh’s other four pillars were User Trust, Transport/Session Trust, Application Trust, and Data Trust.)
We agree that device trust isn’t a bad place to start, especially in light of recent reports that portable media – USB flash drives, external hard drives, smart phones, and similar devices – are the source of a growing number of cyber attacks. With the use of portable media on the rise as workers flip-flop from office-based to home-based environments, the threat associated with portable media is growing exponentially.
Regardless of whether your organization has implemented a Zero Trust framework, is considering such a framework, or the concept is still foreign to you, to ensure your organization isn’t brought down by a cyber attack whose origin is a portable media device, you must make the ports on your computers inaccessible. USB port locks, network module locks, LAN cable locks, and secure USB hubs for your attached USB devices are inexpensive devices that effectively thwart both malicious and negligent insiders.
With port locks costing as little as $4 each – and the average cost of an insider incident, according to the Ponemon Institute’s Cost of a Data Breach Study, now at $11.45 million – it just doesn’t make good business or financial sense to allow your computer and network ports to be accessible to anyone with a portable media device.
Zero Trust Security is more important than ever. So is making your computer and network ports inaccessible.