A zero trust model could have prevented the majority of security breaches. Consider the well-publicised data breach at American retailer Target in 2013. Using stolen credentials, the attackers gained access to Target’s gateway and then exploited multiple flaws to reach the customer service database.
Multi-factor authentication, a core zero trust control, could have prevented the stolen credentials from being used in the first place. Even if the attacker had gained access, correctly implemented least privilege access could have stopped them from reaching the database or planting malware (which was also part of the attack). Furthermore, security-oriented machine learning techniques might have detected the anomalous activity and stopped the attempt.
What about putting your faith in the IT team?
Although the zero trust approach is most commonly applied to IT systems, it’s crucial to remember that people can damage an organisation’s security in a variety of ways without directly attacking an IT system. The security of an organisation can be jeopardised by something as simple as a phone call to the service desk.
If a user calls an organisation’s service desk for help with a problem such as a password reset, the technician will almost certainly try to verify the user’s identity. This could include asking the user a security question, such as their employee ID number. The difficulty is that an attacker can obtain this information in a variety of ways and use it to impersonate a legitimate user, gaining access to their account through a fraudulent password reset.
The service desk agent may also be a security risk to the company. After all, there is usually nothing preventing a technician from resetting a user’s password (without ever receiving a password reset request) and then logging in to the user’s account with the new password.
Applying zero trust to the help desk process addresses both problems. The help desk technician could, for example, validate the user’s identity by delivering a single-use code to the user’s mobile device or by using a third-party authentication service such as Okta Verify, PingID, Duo Security or Symantec VIP. At the same time, this approach can prevent the technician from resetting the user’s password until the user has authenticated, ensuring that the reset was requested by the user rather than by a technician turning rogue.
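An added example, not code from the original article, of the gated reset workflow described above: the technician’s reset only succeeds once the account owner has confirmed a one-time code delivered to their registered device, and a reset attempted without that confirmation is refused. The directory layout, the `send_code` channel and the `HelpDeskResetService` class are assumptions for illustration; in practice the code delivery would be handled by a service such as those named above.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # a one-time code is worthless after five minutes
MAX_ATTEMPTS = 3         # a six-digit code must not be guessable by retrying

@dataclass
class ResetRequest:
    code_hash: str       # only a hash of the code is held server-side
    created: float
    attempts: int = 0
    verified: bool = False

class HelpDeskResetService:
    def __init__(self, directory, send_code, now=time.time):
        self.directory = directory   # hypothetical: user -> {"phone": ..., "password": ...}
        self.send_code = send_code   # out-of-band channel (SMS/push); stubbed in tests
        self.now = now
        self.pending = {}

    def _expired(self, req):
        return self.now() - req.created > CODE_TTL_SECONDS

    def start_request(self, user):
        # Step 1: a fresh code goes only to the user's registered device; the technician never sees it.
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending[user] = ResetRequest(digest, self.now())
        self.send_code(self.directory[user]["phone"], code)

    def verify_code(self, user, code):
        # Step 2: the user reads the code back; expired or exhausted requests are dropped,
        # and the comparison is constant-time so a wrong guess leaks nothing about the right one.
        req = self.pending.get(user)
        if req is None or self._expired(req) or req.attempts >= MAX_ATTEMPTS:
            self.pending.pop(user, None)
            return False
        req.attempts += 1
        digest = hashlib.sha256(code.encode()).hexdigest()
        req.verified = hmac.compare_digest(req.code_hash, digest)
        return req.verified

    def technician_reset(self, user, new_password):
        # Step 3: only a verified, unexpired request authorises the reset, and it is consumed,
        # so a technician acting without the user's confirmation is refused.
        req = self.pending.get(user)
        if req is None or not req.verified or self._expired(req):
            return False
        del self.pending[user]
        self.directory[user]["password"] = new_password
        return True
```

The attempt limit, not the hashing, is what makes a short numeric code safe: hashing only keeps the code out of logs and storage at rest.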
Although zero trust principles must be implemented in IT systems, an organisation’s security ultimately rests with its users and IT staff.
Consider implementing the zero trust model in your systems if you haven’t already. It will enhance your security posture and help safeguard your critical data. In the end, it’s about giving your employees, users and customers the peace of mind they require.