security Archives - Bag of Tricks
https://www.bagoftricks.tech/tag/security/
A mixed bag of tricks for everyone!

Zero-Trust Models for Internet Security
https://www.bagoftricks.tech/zero-trust-models-for-internet-security/
Fri, 28 Apr 2023 17:09:00 +0000

One of the most psychologically challenging ideas for end users to accept is that implicitly trusting entities on the Internet is a bad idea. I am going to break down the key concepts in order to demystify zero-trust security and provide practical applications for it.

What is Zero-Trust in Real-World Terms?

In terms of the Internet as a whole, we will refer to the two different environments as the old way and a zero-trust environment.

The old way requires implicit trust.

When you step outside your house and drive to work, there is a lot of implicit trust exercised. You may trust that each person you encounter will yield to traffic signs, keep a respectful distance, and not run you off the road. Or, you may implicitly trust in other areas entirely. We’re all different, which adds to the complexity.

Let’s go with another example.

The old way is leaving every door and window in your house unlocked because you trust that nobody is going to enter your house without your permission.

Zero trust in the driving example means that you are a much more defensive driver. You don’t leave a stop sign until you verify no one is coming. You don’t merge lanes until you verify no one is close enough to be a collision risk. In the example of the house, you would lock all doors and windows, and only allow those you have specifically given permission to into your house.

Don’t trust, but verify.

You have no doubt heard that phrase spoken differently in the past. That’s because the real world and the Internet are different in some big ways. It’s that difference that social engineers and scammers depend on in order to accomplish their nefarious goals.

In face-to-face communication, we have collectively had years of experience with grifters and tricksters; so, they changed up their tactics. Whether it’s by phishing, hacking, or some other clever means, it is likely that they will eventually enter your network. Once they do, it’s up to you what happens next.

Let me preface this next example by saying that this part of the article will shift more towards those responsible for securing their home or work networks. If this is something you would like to accomplish, but feel it’s a lot to take on, reach out to me and we can take an inventory and I will discuss some of the best ways to apply zero-trust.

Compromised in the Old Way

So, it’s inevitably happened. Someone clicked that link to get a free gift card and ended up installing a remote access trojan on their computer. The hacker now has remote access to the computer network.

Using the computer they have accessed as a remote VPN server into your network, they will do a few possible things, depending on the sophistication of the attacker. They may first begin scanning the network, using a network mapping tool (like nmap) in order to see what other devices are in the local subnet. They may use other discovery methods instead, but either way this is the information-gathering phase.

Let’s say that while they were scanning the device, they were able to snag the hash of the administrator password. Now they can craft packets that allow them to hop to other similar devices in the network and try that administrator password. If that gives them access, they can continue to hop from device to device, possibly even exfiltrating data as they go.

The network is also flat, so wireless access points, servers, routers, and so on are all easily traversable without any significant barriers in place.

From here, the attacker can then begin exploiting servers in order to gain administrative access, either to exfiltrate more data or to ultimately install ransomware and lock all of your crucial data down. The ransomware that they install may also have worming capabilities, which would allow it to spread throughout the entire network, using those compromised entry points and administrator passwords together to reduce the entire environment to expensive paperweights.

Compromised, with Zero Trust

So, it’s inevitably happened. Someone clicked that link to get a free gift card and ended up installing a remote access trojan on their computer. The hacker now has remote access to the computer network.

This time, however, you have micro-segmented the network. The only devices the attacker can see are local workstations. Those workstations are configured to ignore any peer-to-peer communication from fellow computers; so, they don’t respond when the attacker on the compromised device attempts to access them.

The attacker finds addresses to servers and then tries to connect to them, but the networks have implicit deny configured into the firewall; so, any communication that isn’t absolutely mission critical is automatically denied.

Most attackers want the low-hanging fruit. In this example, the attacker would likely move on to an easier target.

Conclusion

In this article, I have covered how trust in face-to-face communication differs from trust across the Internet, given real-world examples of implicit trust and zero trust, and then performed a deep dive into a network with implicit trust versus a network with zero trust.

With this knowledge, I hope to raise awareness as to how important a zero-trust environment is in your home and office networks.

The post Zero-Trust Models for Internet Security appeared first on Bag of Tricks.

The Skeleton Key, a.k.a. Password Re-Use
https://www.bagoftricks.tech/the-skeleton-key-a-k-a-password-re-use/
Fri, 24 Mar 2023 14:11:00 +0000

I feel it appropriate to begin this article with a story I recently encountered.

A lady at my work told me that her daughter-in-law got a text message claiming to be from myself. This text then went on to ask for the user’s personal account credentials. The daughter-in-law gave the email, but didn’t give the password (which was a good thing, as you should never give your password to anyone).

The imposter then asked for the user’s six-digit verification code. She attempted to give it, but it had expired so the imposter wasn’t able to gain access to the account.

The main issue with this situation was that the imposter already knew the username and password combination, and only needed the six-digit 2FA to get in.

Why did they already know it? Well, there are a handful of reasons, but I already clarified that it was password re-use.

At the time of writing, we are on the verge of finally integrating password-less authentication; so, hopefully this notion gets to be marked entirely obsolete in 2023 – but it’s been just around the corner for quite a few years now. And, no, I’m not talking about 2023 being the year of the Linux Desktop.

What I’m talking about is password re-use. No matter how good that one password is, once someone has it and your email combination, they’re free to attempt to log in anywhere. This is called “credential stuffing”.

I know, I know. Passwords are used practically everywhere and most websites want a certain number of characters, with upper-case, lower-case, and symbols. What else are you gonna do?

The solution is simple: use a password manager.

What is a password manager?

A password manager is a program or service which allows you to remember one complex password to a vault which stores other even more complex passwords that can be randomly generated.

Which password manager should I use?

There are several password managers to choose from, and no single correct option. The criteria for most users, however, are simple: it should be easy to use and also more secure than a Post-It note or password notebook.

NOTE: Due to the recent data breaches at LastPass, I have had to remove them as a viable option; so, for now, I only have the one.

Bitwarden

PROS:

  • Online/Offline Components
  • Industry Standard “Zero-Knowledge” Encryption
  • One-Time Password Component
  • Random Username/Password Generation

CONS:

  • Read-Only Offline Mode

Bitwarden is easily my top recommendation for people whether they’re tech-savvy or not. The interface is intuitive and it integrates flawlessly with the browser; though, it also has apps for every major device on the market. If you pay for the Premium version, it can even insert time-based one-time password codes directly into the prompts with no extra work on your part.

The main draw for Bitwarden is that it is accessible anywhere you have access to the Internet with a master password (and second form of authentication, which I highly recommend setting up). From there, you can access your password vault that is otherwise fully encrypted on both your system and theirs.

I did list a con of having the read-only offline mode, and I dug into it deeper to see what that would entail. Bitwarden has to be able to sync to the remote server in order to make changes, but as long as you authenticated while you had an Internet connection, you can still read the vault afterwards without one (they refer to this as locked versus logged out). You can adjust the logout time in settings, but it’s pretty generous by default.

Another component that made me happy is the random generation of usernames, as well as passwords. We are often bad about giving away too much information in a username, so having one that is random helps protect us in multiple ways, but mainly against credential stuffing attacks.

Other Considerations

Conclusion

Regardless of which password manager you choose, the main goal is to make sure that you aren’t using the same username and password combination across multiple accounts. It doesn’t matter how secure your password is if it got exposed due to a database breach.

My sincerest hope is that you will consider destroying the skeleton key once and for all and protect yourself from one of the most easily avoidable attack scenarios.

The post The Skeleton Key, a.k.a. Password Re-Use appeared first on Bag of Tricks.
