How hackers bypass Zero Trust and what you can do about it
By Pete Nicoletti, Check Point Field CISO, Americas
Zero Trust, or as I like to call it, “Appropriate Trust,” is a proven model for strengthening your organization’s security posture. It accomplishes this with an identity-centric approach – forcing users to authenticate themselves before being granted access to data or applications. This effectively limits the amount of damage that could be caused by threat actors who try to infiltrate your company but can’t log in!
Why is Zero Trust so important?
Here are the top five reasons why security leaders must implement a Zero Trust model to strengthen the security posture of their companies.
1. Visibility. When you implement Zero Trust, you gain a complete overview of your users, devices, data, applications, and services within your corporate infrastructure. Having this comprehensive visibility across your resources not only enhances security, but also aids in long-term planning.
2. Threat monitoring. Managing a Zero Trust framework can present challenges without the appropriate tools. However, with the aid of SIEM (Security Information and Event Management), security orchestration, automation and response (SOAR), and network detection and response (NDR), organizations can proactively monitor security incidents and resolve them when they occur. This empowers organizations to swiftly remediate any cyber security threat.
3. End-user experience. IT security can be challenging for end users, particularly when it comes to managing multiple passwords for accessing different applications and data required for their work. A key aspect of the Zero Trust approach is implementing single sign-on (SSO) tools, which simplify password management. With SSO, users only need to authenticate just once to access all the resources they need, eliminating the hassle of multiple passwords.
4. Policy creation. In traditional security models, a siloed approach was used, where each security tool operated independently, leading to vulnerabilities when tools were misplaced or misconfigured. However, Zero Trust addresses this by enabling the creation of a universal policy that can be implemented consistently throughout the business.
5. Flexibility and speed. In business, technology is constantly changing. As a result, companies utilize new applications and move data around different locations. Before Zero Trust, businesses had to undertake the time-consuming task of manually creating security policies, which could potentially create a security vulnerability. However, Zero Trust has the advantage of centralizing the management of application and data security policies, allowing organizations to maintain robust security.
However, as beneficial as the Zero Trust model is, only 1% of companies have a mature Zero Trust program according to Gartner. The firm also estimates that by 2026, 10% of large enterprises will have a mature Zero Trust program up and running.
Although 10% seems relatively small, the change from 1% to 10% is still significant.
Moving to Zero Trust continues to be a top priority for security leaders. In Forrester’s 2023 security and risk planning report, Zero Trust security was listed among the top priorities for CISOs in 2023.
The challenges of Zero Trust
The journey is Zero Trust is not an easy one. This is reflected by fact that only 10% of companies are going to have a mature Zero Trust program in a few years. Why is moving to a Zero Trust model so challenging?
First, technical debt is a major obstacle that businesses face when implementing Zero Trust. From an outsider’s perspective, Zero Trust seems simple: Just authorize every user that connects to company resources. However, it’s more complicated than that. Organizations may be running on legacy applications that rely on older, unsupported operating systems, using hardcoded passwords embedded in the source code, or passwords that are simply incompatible with the technologies needed to implement Zero Trust.
Remote work is an additional challenge. In a traditional Zero Trust framework, every user and device is authenticated before accessing data or an application. However, with employees working remotely (while occasionally following the “Bring your own PC” model) and using SaaS services, a company’s data is beyond the perimeter and control. This problem is further compounded by Shadow IT, which occurs when companies can’t provide employees with every app or service needed. As a result, employees acquire the apps that they need on their own.
Finally, cyber security is extremely complex. Different teams or departments work in silos, making it more difficult to collaborate with each other or share information. This creates blind spots. And because data is located in multiple places, the organization becomes more vulnerable to threats. On the product side, companies rely on dozens of SaaS services and products, creating a complex, digital supply chain. However, it’s not always feasible to authenticate every link involved in the supply chain as there are many third parties and dynamic connections involved.
How hackers bypass Zero Trust
Keep in mind that Zero Trust has its limits. It’s good for blocking lateral movement and contains the consequences of an initial breach, but the initial breach is still a problem.
For example, a hacker was able to bypass Rockstar Games’ identity and authentication techniques via spear-phishing. The hacker claimed to masquerade as a company IT worker and convince an employee to share their login credentials.
In another example, the infamous breach of a well-known retailer was the result of hackers using stolen credentials to access the company’s gateway. The threat actors exploited various weak spots to gain access to the customer service database.
These examples portray the limitations of Zero Trust. Identity authentication works to an extent, but hackers can trick the user, or other parts of the verification process. While most organizations use some form of MFA to harden security, hackers bypass it by:
- Phishing to obtain account credentials.
- SIM swapping to steal 2FA codes.
- Tricking the company to change a phone number and email linked to the account.
Gartner predicts that by 2026, Zero Trust will fail to prevent more than half of all cyber attacks.
“The enterprise attack surface is expanding faster and attackers will quickly consider pivoting and targeting assets and vulnerabilities outside of the scope of Zero Trust architectures (ZTAs),” said Jeremy D’Hoinne, VP analyst, Gartner.
Nonetheless, Gartner still recommends that organizations implement Zero Trust to harden security for their most critical assets, as this is where the greatest return will occur.
Zero Trust requires a more advanced solution – one that provides superior authentication with the established identity. For example, MFA via text messages or emails can be intercepted by hackers. However, on the hardware side, FIDO2-compliant keys (e.g. YubiKeys) can’t be intercepted by hackers and can’t be stolen without physical access. And on the software side, FIDO2 is implemented with biometrics verification such as Face ID, Touch ID, or similar.
FIDO2 authentication works because it offers unique cryptographic logic credentials for each website. For example, you will receive a different security key when logging into example.info as opposed to logging into the real website at example.com. The only disadvantage to this is convenience, requiring users to undertake an additional security step rather than typing in their password.
Additional methods such as DNS filtering, bpostser security controlled by corporate policy, advanced AI based email security, database encryption, and multi-factor security keys and even additional authentication for access to critical data, can all help strengthen your Zero Trust security architecture. While not all of these are silver bullets against all attacks they will be the silver shotgun.
Some of these functions and tools may not be feasible for use in consumer facing products, but they still strengthen the security barrier and can help protect your most critical assets.
Moving to a Zero Trust model
Zero Trust provides a great number of benefits. It gives you more visibility over your assets, as well as verification of users accessing critical assets or data. It can also provide a better user experience by reducing the number of logins, as well as replacing a problematic VPN that always prompts for access, with a seamless and transparent process and far more secure process.
In a world where data and resources are outside the traditional perimeter, identity verification is becoming one of the most important security processes, especially as the digital supply chain gposts.
With all the pressures put on organizations today, it’s time for security leaders to recognize that now is the time to embrace a mature Zero Trust security model to mitigate the impact of the most damaging types of cyber attacks. By implementing effective solutions, companies can strengthen their security posture to withstand even the most advanced cyber attacks. However, companies must be aware of its limits and the challenges of implementation.
Contact Check Point or an authorized partner today to have our security engineers give you a free workshop to determine your current program, as well as detailed suggestions to get your “Appropriate Trust” program deployed and in place – protecting your corporation with minimal costs and efforts.
For more insights from Check Point Field CISO Pete Nicoletti, please see CyberTalk.org's past coverage. Lastly, subscribe to the CyberTalk.org newsletter for executive-level interviews, analyses, reports and more each week. Subscribe here.