By Marc Lueck, CISO EMEA, Zscaler
The modern workplace has seen a marked increase in the numbers of users, devices, and applications existing outside of the traditional controlled network. The business emphasis on the corporate network has decreased as the reliance on the internet as the connective tissue for businesses has increased. This has been particularly apparent during the course of the COVID-19 pandemic, in which remote working has become the new normal, with the consequence of significantly expanding the attack surface for cybercriminals to target users and remote access VPNs.
Indeed, research into the state of corporate attack surfaces, based on global data sourced between February 2020 and April 2021, has revealed that as businesses began offering more remote work options, their attack surfaces grew concurrently with their dispersed workforce. The report found EMEA leading North and South America and APAC regions in terms of overall exposure, with an average of 283 exposed servers and 52 exposed cloud instances.
Enter Zero Trust
Of all the cybersecurity trends and buzzwords of the last few years, the concept of Zero Trust arguably has the potential to have the biggest impact on the cyber landscape. Essentially, Zero Trust hinges on the idea that nothing, whether inside the network or outside it, should be implicitly trusted. Everything is guilty until proven innocent, and everything needs to be inspected to prove its level of innocence.
A key tenet for Zero Trust is that businesses should be reducing what they present to the Internet. Take, for example, an expenses logging system for a large business. The team creates a login portal on the Internet and, of course, only those with correct logins should be able to get through that portal. However, that portal is presented and accessible to everyone on the Internet, not just those who might credibly want to use it.
Even a VPN used to access applications on the internal network is still presenting an interface open to attack. VPN attacks are a serious issue, and in October 2020, the NSA released a list of the top 25 security vulnerabilities that Chinese hackers are exploiting. VPNs and RDPs comprised half that list.
By shrinking the exposure of an enterprise on the Internet, businesses can reduce their attack surface, and by inspecting all traffic and enforcing access control before application access, they should be much better protected.
If we create a hypothetical world where every business has adopted a Zero Trust approach, exposing very little to the Internet, where then do the cybercriminals target? Whilst businesses may not be exposed, what always will be is the infrastructure supporting the Internet: routers, DNS infrastructure and so on. We’ve seen it before with the DNS attacks in Switzerland in 2019, and we’ll see it more frequently in a Zero Trust world.
Then there’s one element that no technology can really solve: the users. Even Zero Trust can’t protect against someone willingly giving away the keys to the kingdom, and attacks like phishing and spear phishing that compromise a user and their machine, thereby obtaining some level of trust, will continue. In fact, obtaining trust instead of just control may become the specific goal of these attacks. This could entail much lighter-weight, targeted malware, or even the use of commonly available and trusted applications, instead of the heavy-lifting, multi-purpose malware used for ransomware and other prevalent attack vectors.
What’s important is that both these attack styles have a high barrier to entry, both in terms of skills and resources. Social engineering is a difficult skill to master and needs to operate at scale to be effective. What this ultimately boils down to is that those smaller cybercriminal operators – the one-man bands of cybercrime – will need to team up with others to survive. The financial scam organisations already have this scale and skill, so it seems only a matter of time before they repurpose this capability towards obtaining trust. Only these larger, better organised and possibly state-sponsored groups will be able to operate with some efficacy.
Although this seems to paint a negative picture of Zero Trust, that is far from the truth. Zero Trust solves many of the problems we currently have and reduces enterprise risk significantly. By pushing many of the casual or broad-based attack vectors to the point where they are no longer financially viable, it will have done a great deal of good. But not everyone will take the plunge, and clearly this is a process that will take time, so it will also create an interesting dichotomy between those businesses that employ Zero Trust and those that do not. There’s an old joke, ‘how fast do you have to be to outrun a bear?’, with the answer of course being ‘just faster than your friends’. Those businesses not taking a Zero Trust approach will be the slowest in the group, and will become the easy targets of cybercriminals eking out the remaining value in their current toolsets.
It’s an interesting conundrum, but with the push towards Zero Trust, cybersecurity is still making attacks more difficult and more time- and resource-intensive, and we’ll still be making the world a better place. Just don’t count cybercrime out yet.