A zero-trust model could prevent the majority of security breaches

zero trust and security breaches

zero trust model could have prevented the majority of security breaches. Consider the well-publicised data leak at American retailer Target in 2013. Using stolen credentials, the attackers got access to Target’s gateway and subsequently exploited multiple flaws to get access to the customer service database.

Multi-factor authentication’s zero trust concept could have prevented stolen credentials from being utilised in the first place. Even if the attacker had gained access, correctly implementing least privilege access could have prevented the attacker from accessing the database or planting malware (which was also part of the attack). Furthermore, security-oriented machine learning techniques may have detected the anomalous activity and stopped the attempt.

What about putting your faith in the IT team?

Although the zero trust approach is most commonly applied to IT systems, it’s crucial to remember that people can damage an organisation’s security in a variety of ways without directly attacking an IT system. The security of an organisation can be jeopardised by something as simple as a phone call to the service desk.

If a user calls an organisation’s service desk for help with a problem like a password reset, the technician will almost certainly try to verify the user’s identity. This could include posing a security question to the user, such as their employment ID number. The difficulty is that an attacker can obtain this information in a variety of ways and use it to impersonate a legitimate user and gain access to their account via a forged password reset.

The support desk agent may potentially be a security risk to the company. After all, there’s usually nothing prohibiting a technician from resetting a user’s password (without receiving a password reset request) and then gaining access to the user’s account using the reset password.

The helpdesk professional could, for example, validate the user’s identity by delivering a single-use code to the user’s mobile device or by using a third-party authentication service like Okta Verify, PingID, Duo Security, or Symantec VIP. Simultaneously, this solution can prevent the technician from resetting the user’s password until the user has authenticated their identity, ensuring that the user has requested the password reset rather than the technician turning rogue.

Although zero trust principles must be implemented in IT systems, an organization’s security is ultimately in the hands of its users and IT employees.

Consider implementing the zero-trust concept in your systems if you haven’t already. It can, at best, enhance your security posture and safeguard your critical data. In the end, it’s about giving your employees, users, and customers the peace of mind they require

Share This Post:

Facebook
Twitter
LinkedIn
Pinterest
Email
WhatsApp
Picture of Arjun Gopireddy
Arjun Gopireddy
Arjun is an Information Security Specialist, and his main role is to support our clients by identifying and advising on mitigating information security risks. Holding a Master’s degree in Cyber Security (UK) and Engineering Management (USA) his knowledge and skills are shared with our clients. Outside of work Arjun likes watching movies, travelling, playing cricket, football and doing adventurous things such as sky diving. He is the biggest fan of Yuvraj Singh – a former Indian international cricketer.
What our clients say:
Subscribe to our newsletter

Sign up to receive updates, promotions, and sneak peaks of upcoming products. Plus 20% off your next order.

Promotion nulla vitae elit libero a pharetra augue
Subscribe to our newsletter

Sign up to receive updates, promotions, and sneak peaks of upcoming products. Plus 20% off your next order.

Promotion nulla vitae elit libero a pharetra augue
Subscribe to our newsletter

Sign up to receive updates, promotions, and sneak peaks of upcoming products. Plus 20% off your next order.

Promotion nulla vitae elit libero a pharetra augue