The recent Gartner Security and Risk Management Summit held in Dubai, UAE revealed that the Middle East and North Africa region has the highest number of reported breaches in the world. In 2018, more than 36,000 incidents were reported from this region, the highest in the world. Along with this statistic, Gartner presentations revealed that the region also has the highest mean time to identify the breach. At 260 days, it is the highest in the world.
What are the weaknesses in organizations that allow such a high number of incidents? Post-incident analysis usually reveals that prevalence and usage of weak passwords amongst end-users, and especially privileged end users like administrators, is the root cause for such breaches. Most incidents that happen are not necessarily of an advanced nature, and mostly stem when threat actors or hackers are able to crack weak passwords and gain entry into an organization’s network using compromised credentials of end-users and administrators.
Gaining entry into an organization’s network through the credentials of an actual end-user or privileged end-user like an administrator remains the easiest entry strategy for threat actors. Forrester Research points out that 80% of security breaches result from privileged access abuse. In the past, it used to be assumed that access granted through a login including a user name and password was sufficient to guarantee the authenticity of the user. With the increasing sophistication of threat actors to brute force passwords to gain access, especially weak and repeated passwords, this assumption is no longer valid and has spawned the creation of the Zero Trust model.
The Zero Trust model, first suggested by Forrester Research and National Institute of Standards and Technology in 2010, reinforces the modern belief that login identities can no longer be trusted, inside or outside the organization, especially with the expanding threat surface. The Zero Trust model today covers the following elements with the objective of not implicitly trusting any access for any user without verification.
Networks: Verify access to segment, isolate, and control the network.
Data: Control access to secure and manage data, develop classification schemes, encrypt data at rest and in transit.
Workloads: Verify and control access to the application stack.
Devices: Verify and control access of every device on the network.
Identities: Limit the access of users and secure users.
By limiting and securing privileged access to the above, the organization is moving away from a perimeter-based approach to a Zero Trust approach. The Zero Trust approach boosts prevention, detection, response, and compliance towards standards such as HIPAA, FISMA, PCI, and others. Moreover, it can be extended to the cloud, mobility, Big Data lakes, DevOps, containers, microservices, and others.
Organizations begin their Zero Trust journey with the following initiatives:
#1 Vault all privileged credentials
Access to the credentials of privileged users and privileged resources need to be secured and controlled, raising the level of security management control. Rigorous multi-factor authentication also needs to be enabled and added around privileged users and privileged resources.
#2 Consolidate identities and introduce the least privilege
All identities need to be consolidated to eliminate redundant ones at the same time limiting privileges to the minimum required to get the work done. Along with limiting privileges, workflows need to be limited in a similar manner to restrict lateral user movements.
#3 Hardening the environment
Once the above two initiatives have been implemented, the organization can move to the next level of compliance. This can include the introduction of air gapping around hardware and resources, usage of host-based intrusion detection systems, and development of advanced behavioral analytics.
By going through these steps, organizations can ensure they are no longer vulnerable in the area of security breaches and password theft.