One of the hardest ideas for end users to accept is that implicitly trusting entities on the Internet is a bad idea. I am going to break down the key concepts in order to demystify zero-trust security and provide some practical applications for it.
What is Zero-Trust in Real-World Terms?
In terms of the Internet as a whole, we will refer to the two different environments as the old way and a zero-trust environment.
The old way requires implicit trust.
When you step outside your house and drive to work, there is a lot of implicit trust being exercised. You may trust that each person you encounter will yield to traffic signs, keep a respectful distance, and not run you off the road. Or your implicit trust may lie in other areas entirely. We're all different, which adds to the complexity.
Let’s go with another example.
The old way is leaving every door and window in your house unlocked because you trust that nobody is going to enter your house without your permission.
Zero trust in the driving example means that you are a much more defensive driver. You don't pull away from a stop sign until you verify no one is coming. You don't change lanes until you verify no one is close enough to be a collision risk. In the example of the house, you lock every door and window, and only let in the people to whom you have specifically given permission.
Don’t trust, but verify.
You have no doubt heard that phrase spoken differently in the past. That’s because the real world and the Internet are different in some big ways. It’s that difference that social engineers and scammers depend on in order to accomplish their nefarious goals.
In face-to-face communication, we have collectively had years of experience with grifters and tricksters; so the grifters changed their tactics. Whether by phishing, hacking, or some other clever means, it is likely that they will eventually get into your network. Once they do, it's up to you what happens next.
Let me preface this next example by saying that this part of the article will shift more towards those responsible for securing their home or work networks. If this is something you would like to accomplish, but feel it’s a lot to take on, reach out to me and we can take an inventory and I will discuss some of the best ways to apply zero-trust.
Compromised in the Old Way
So, it’s inevitably happened. Someone clicked that link to get a free gift card and ended up installing a remote access trojan on their computer. The hacker now has remote access to the computer network.
Using the compromised computer as a pivot into the network (in effect, their own remote VPN server), they will do a few possible things, depending on their sophistication. They may first begin scanning the network with a network mapping tool (like nmap) to see what other devices are in the local subnet. They may use other discovery methods, but this is the information-gathering phase.
Let's say that while scanning, they were able to grab the hash of the administrator password from a device. Now they can craft packets that reuse that hash to hop to other, similar devices on the network and try that administrator password. If it works, they can continue to hop from device to device, possibly exfiltrating data as they go.
The network is also flat, so wireless access points, servers, routers, etc. are all reachable from one another without any significant barriers in place.
From here, the attacker can then begin exploiting servers in order to gain administrative access to either exfiltrate more data, or to ultimately install ransomware and lock all of your crucial data down. The ransomware that they install may also have worming capabilities, which would allow it to spread throughout the entire network using those compromised entry points and administrator passwords together to reduce the entire environment to expensive paperweights.
Compromised, with Zero Trust
So, it’s inevitably happened. Someone clicked that link to get a free gift card and ended up installing a remote access trojan on their computer. The hacker now has remote access to the computer network.
This time, however, you have micro-segmented the network. The only devices the attacker can see are local workstations. Those workstations are configured to ignore peer-to-peer communication from fellow computers, so they don't respond when the attacker on the compromised device attempts to reach them.
The attacker finds the addresses of some servers and tries to connect to them, but the network firewalls are configured with implicit deny, so any communication that isn't explicitly allowed as mission-critical is dropped.
Most attackers want the low-hanging fruit. In this example, the attacker would likely move on to an easier target.
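The following nftables host-firewall ruleset is an added example of what "implicit deny" on a segmented server looks like in practice; it is not code from the original article. It assumes a Linux file server, a workstation subnet of 10.20.0.0/24 and an admin jump host at 10.0.10.5, all of which are placeholder values for your own layout. The chain policy is drop, so anything not matched by an explicit accept (including scans and hash-replay attempts from a compromised peer) is logged at a capped rate and discarded.

```nft
#!/usr/sbin/nft -f
# Added example: host firewall for an internal file server in a micro-segmented
# network. Every address and port below is a placeholder for your own layout.
flush ruleset

table inet segment_filter {
    # Segments that are allowed to reach this server's service ports at all.
    set workstation_vlan {
        type ipv4_addr
        flags interval
        elements = { 10.20.0.0/24 }      # placeholder: user workstation subnet
    }
    set admin_jump_hosts {
        type ipv4_addr
        elements = { 10.0.10.5 }         # placeholder: the single admin jump host
    }

    chain input {
        # Default deny: anything not matched by an explicit accept below is dropped.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Mission-critical service: file sharing, only from the workstation segment.
        ip saddr @workstation_vlan tcp dport 445 accept

        # Management only from the jump host, never from workstations or peer servers.
        ip saddr @admin_jump_hosts tcp dport 22 accept

        # Limited ICMP echo so the network team can still troubleshoot reachability.
        icmp type echo-request limit rate 5/second accept

        # Everything else (RDP, WinRM, port scans from a compromised peer, ...) is
        # logged at a capped rate and then dropped by the chain policy.
        limit rate 10/minute log prefix "segment-drop: "
    }

    chain forward {
        # This host is not a router: never pass traffic between segments.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f /etc/nftables.conf` and confirm with `nft list ruleset`; a connection to port 445 from a workstation address should succeed, while the same connection from a peer server address should time out and show up as a `segment-drop:` line in the kernel log. The workstation variant of this file is the same ruleset with the two service accept lines removed, so a workstation answers no inbound connections from its peers at all. On Windows workstations the same intent is expressed by leaving the Defender Firewall inbound default at Block and removing any File and Printer Sharing allow rules on the private profile.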
Conclusion
In this article, I have covered how trust in face-to-face communication differs from trust across the Internet, given real-world examples of implicit trust and zero trust, and then walked through a compromise of a network built on implicit trust versus one built on zero trust.
With this knowledge, I hope to raise awareness of how important a zero-trust environment is in your home and office networks.