web analytics

Too Much ‘Trust,’ Not Enough ‘Verify’ – Source: www.darkreading.com

too-much-‘trust,’-not-enough-‘verify’-–-source:-wwwdarkreading.com
Rate this post

Source: www.darkreading.com – Author: Rob Sloan, Sam Curry

Cube with Zero Trust written on two visible sides; dark blue background with squares floating around

Source: Alexander Yakimov via Alamy Stock Photo

COMMENTARY

Despite never-ending data breaches and ransomware attacks, too many companies still rely on the outdated “trust but verify” cybersecurity strategy. This approach assumes that any user or device inside a company’s network can be trusted once it has been verified. The approach has clear weaknesses: Many businesses are putting themselves at additional risk by verifying once, then trusting forever.

There was a time when trust but verify made sense, namely when networks were self-contained and well-defined. But at some point, perhaps due to the overwhelming volume of devices on a network, the number of patches needing to be applied, user demands, and resource constraints in the cybersecurity team, things began to slip. Initial verification meant the asset was trusted, but no additional verification ever took place.

The User Example of Trust Without Ongoing Verification

It’s easy to see how this happens with users. A user typically goes through a background check when they join the company, but once onboarded, despite any number of changes in their lives that could affect their trustworthiness, we allow them to access our systems and data without further verification. 

In the majority of cases, the absence of further verification does not cause damage. However, if the user decides to act against the best interest of their employer, the results can be catastrophic. The more sensitive the information the individual has access to, the greater the risk. This is why individuals with security clearances are regularly re-vetted, and security personnel may conduct regular finance checks to identify any issues early and intervene to mitigate possible damage.

In organizations that follow a trust-but-verify approach, two personas stand out: those that have considered the risk of one-time asset verification acceptable; and — the minority — those that try to manage the risk with a re-verification program. A shift in persona from the former to the latter usually only occurs after a breach, a crisis in availability, or another “career limiting disaster.”

The reality is that there are simply not enough hours in the day for security practitioners to do all of the things that must be done. Have security patches been correctly applied to all vulnerable devices? Are all third-party security assessments properly analyzed? Do all Internet of Things (IoT) devices really belong on the network? Are managed security services performing as expected? 

Compromising one of these trusted devices means being granted trust to move laterally across the network, accessing sensitive data and critical systems. Organizations likely will not know the extent of their exposure until something goes wrong. 

The Costly Consequences of Insufficient Verification

When these breaches are eventually discovered, the costs begin to mount. Companies face not only the direct costs of incident response, but potentially also regulatory fines, class-action lawsuits, lost customers, and lasting damage to their brand reputation. Relatively small incidents can cost millions of dollars, while large incidents regularly cost billions.

In addition to these direct costs, insufficient verification also leads to more frequent and expensive compliance audits. Regulators and industry bodies are increasingly demanding that companies demonstrate robust identity and access management controls, for example under the European Union’s upcoming Digital Operational Resilience Act (DORA), as well as continuous monitoring and validation of user and device activity. Certifications and accreditations can no longer be accepted at face value. 

The Path Forward: Adopt a Zero-Trust Approach

Instead of trusting after verification, businesses should instead allow only what the business needs, for as long as it needs it. Never trust, always verify. This is how a zero-trust architecture operates.

Every user, device, and application that attempts to make a connection, regardless of its location, is scrutinized and validated, dramatically limiting the potential damage from a successful compromise. A zero-trust architecture replaces firewalls and VPNs, so there are fewer devices to maintain, and a reduced attack surface means fewer opportunities for attackers to gain a foothold.

Zero trust doesn’t mean zero testing; testing should form an integral part of any IT and cybersecurity strategy. However, it does mean the likelihood of a major failure stemming from trust being extended to users, devices, or applications that do not deserve it, is a thing of the past. 

About the Authors

Rob Sloan

Vice President, Cybersecurity Advocacy, Zscaler

Rob Sloan is vice president, cybersecurity advocacy, for Zscalera. He is a cybersecurity, risk, and technology expert with broad business skills and management responsibility. Prior to joining Zscaler, he served as research director at Dow Jones and The Wall Street Journal, where he led a research team focused on cybersecurity, AI, and sustainability issues, and wrote a weekly column to help board directors navigate cyber-risk. Before the WSJ, Rob worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating, and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob began his career working for the UK government in defense and foreign affairs, looking at some of the earliest state sponsored cyberattacks against the government, military, and critical national infrastructure networks.

Sam Curry

VP & CISO in Residence, Zscaler

Sam Curry is VP and chief information security officer (CISO) in residence at Zscaler. He began his career in signals and cryptanalysis and was the first employee at Signal 9 Solutions, a small start-up that invented the personal firewall, executed the first commercial implementation of Blowfish, and devised early symmetric key VPN technology. Sam served as chief security architect there and as head of product for McAfee before holding several positions at RSA (the Security Division of EMC), including head of RSA labs at MIT and chief technology officer (CTO) and Distinguished Engineer for EMC. After seven years with RSA, Curry acted as SVP and CISO at Microstrategy, CSO and CTO for Arbor Networks, and as chief security officer (CSO) for Cyberreason. Sam holds 17 active patents in cybersecurity and a master’s degree in counterterrorism, and sits on two boards of directors. In addition, he teaches courses at Harvard (online), Wentworth Technology Institute, and Nichols College. He is also a Fellow at the National Security Institute at George Mason University.

Original Post URL: https://www.darkreading.com/cyberattacks-data-breaches/too-much-trust-not-enough-verify

Category & Tags: –

Views: 3

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Secure Software Development Lifecycle Fundamentals by Codrut Andrei
Secure Software Development Lifecycle Fundamentals...
BUTTERWORTH-HEINEMANN
Security Operations Center Guidebook – A Practical Guide for a Successful SOC
Security Operations Center Guidebook –...
CISO Forum
CISO’s – First 100 Days Roadmap – Your success as a security leader is determined largely by your first 100 days in the role.
CISO’s – First 100 Days...
RedHat
State of Kubernetes Security Report 2022 by RedHat
State of Kubernetes Security Report...
National Cyber Security
Cyber Security Toolkit for Boards – Helping board members to get to grips with cyber security by NCSC
Cyber Security Toolkit for Boards...
Harvard Business Review
Boards Are Having the Wrong Conversations About Cybersecurity – Board interactions with the CISO are lacking – by Lucia Millica and Keri Pearlson – Harvard Business Review
Boards Are Having the Wrong...
Vendict
The 2024 CISO Burnout Report by Vendict
The 2024 CISO Burnout Report...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...

LASTEST PUBLISHED POSTS

Cyberint
Retail Threat Landscape Report Q1-Q3 – November 2024 Summary by Cyberint a Check Point Company
Retail Threat Landscape Report Q1-Q3...
NCSC
Protecting Critical Supply Chains – A Guide to Securing your Supply Chain Ecosystem
Protecting Critical Supply Chains –...
Culture AI
Time to Adapt – The State of Human Risk Management in 2024 by Culture AI.
Time to Adapt – The...
National Cyber Security Centre
Engaging with Boards to improve the management of cyber security risk.
Engaging with Boards to improve...
Microsoft Security
2024 State of Multicloud Security Report by Microsoft Security
2024 State of Multicloud Security...
bugcrowd
Inside the Mind of a CISO 2024 The Evolving Roles of Security Leaders 2024 by bugcrowd
Inside the Mind of a...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Lacework
CISO’s Playbookto Cloud Security by Lacework
CISO’s Playbookto Cloud Security by...
MITRE - Carson Zimmerman
Ten Strategies of a World-Class Cybersecurity Operations Center by MITRE
Ten Strategies of a World-Class...
SILVERFRONT - AIG
Identity Has Become the Prime Target of Threat Actors by Silverfort AIG.
Identity Has Become the Prime...
CYZEA.IO
Enterprise Information Security
Enterprise Information Security
IGNITE Technologies
ENCRYPTED REVERSE
ENCRYPTED REVERSE

More Latest Published Posts

WORLD BANK GROUP
Global Cybersecurity Capacity Program
Global Cybersecurity Capacity Program
Gary Hinson
Getting started withsecurity metrics
Getting started withsecurity metrics
EDPS
Generative AI and the EUDPR.
Generative AI and the EUDPR.
Bright
2024 Guide to Application Security Testing Tools
2024 Guide to Application Security Testing Tools
HADESS
Hacker Culture
Hacker Culture
Quuensland Govermment
RISK ASSESSMENT PROCESS HANDBOOK
RISK ASSESSMENT PROCESS HANDBOOK
Ministry of MOS Security
HIPAA SIMPLIFIED
HIPAA SIMPLIFIED
Hacker Combat
How Are Passwords Cracked?
How Are Passwords Cracked?
CIS - Center for Internet Security
How to Plan a Cybersecurity Roadmap in Four Steps
How to Plan a Cybersecurity Roadmap in Four Steps
ACSC Australia
Information Security Manual
Information Security Manual
Kaspersky
Incident Response Playbook: Dark Web Breaches
Incident Response Playbook: Dark Web Breaches
ninjaOne
Endpoint Hardening Checklist
Endpoint Hardening Checklist
HADESS
Important Active Directory Attribute
Important Active Directory Attribute
ISA GLOBAL CYBERSECURITY ALLIANCE
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
Rajneesh Gupta
IAM Security CHECKLIST
IAM Security CHECKLIST
sqrrl
Hunt Evil
Hunt Evil
Searchinform
How to protect personal data and comply with regulations
How to protect personal data and comply with regulations
Giuseppe Manco
Threat Intelligence Platforms
Threat Intelligence Platforms
CSA Cloud Security Alliance
Hardware Security Module(HSM) as a Service
Hardware Security Module(HSM) as a Service
IGNITE Technologies
CREDENTIAL DUMPING FAKE SERVICES
CREDENTIAL DUMPING FAKE SERVICES
IGNITE Technologies
A Detailed Guide on Covenant
A Detailed Guide on Covenant
NIST
Computer Security Incident Handling Guide
Computer Security Incident Handling Guide
IGNITE Technologies
DIGITAL FORENSIC FTK IMAGER
DIGITAL FORENSIC FTK IMAGER
Accedere
Cloud Security Assessment
Cloud Security Assessment
YL VENTURES
CISO Reporting Landscape 2024
CISO Reporting Landscape 2024
CISO Edition
Reporting Cyber Risk to Boards
Reporting Cyber Risk to Boards
CIOB
CIOB Artificial Intelligence (AI) Playbook 2024
CIOB Artificial Intelligence (AI) Playbook 2024
INCIBE & SPAIN GOVERNMENT
Nuevas normativas de 2024 de ciberseguridad para vehículos
Nuevas normativas de 2024 de ciberseguridad para vehículos