Business-related applications like those from Microsoft, Zoom, and DocuSign are most often impersonated in brand phishing attacks.

Criminals launching impersonation phishing attacks prefer to spoof business-related apps from Microsoft, Zoom, and DocuSign, researchers report in a new email security survey.

Enterprise applications are spoofed in 45% of impersonation phishing attacks, GreatHorn researchers say. Social media-related apps such as Facebook, LinkedIn, and Twitter are seen in 34% of these attacks, and consumer apps such as Amazon and PayPal are seen in 20%, they note.

Email security is the top priority for IT and security teams this year, they report, but only 9% of respondents are most worried about brand impersonation attacks. Most (22%) say their greatest concern is people impersonation attacks, in which fraudsters send emails pretending to come from executives, vendors, or human resources or finance teams. Other top concerns include payload attacks (21%) and wire transfer requests (14%). 

It’s worth noting that phishing campaigns rarely use one technique, researchers say. More common are multipronged attacks that may prompt an email recipient to click a link and/or download an attachment, all while pretending to be from a person or brand.

Access the full report here for more details.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Interest in vaccines is driving all sorts of activity, reports say, from vaccine-specific phishing to growing bot traffic on healthcare sites.

With the global vaccination effort commanding headlines and media coverage on a daily basis, attackers have jumped on a variety of schemes to take advantage of people’s need to know more about the status of vaccines, including creating new phishing campaigns, scraping data from the websites used for scheduling vaccination appointments, and registering vaccine-related domains, security firms warned on Thursday. 

Vaccine-related phishing attacks are up 26% since October, often with fraudsters using a well-known brand, such as the Centers for Disease Control, as the apparent source of the e-mail, network-security firm Barracuda Networks states in a blog post. The number of dangerous domains registered that use the word “vaccine” increased by 29% over the past four months, according to security firm Check Point Software Technologies.

Bot operators have also started targeting vaccine-related healthcare sites, with the amount of “bad bot” traffic rising nearly 50% between January and February, and nearly 400% since October, website-protection firm Imperva stated in an analysis. This traffic, along with the increase in human traffic, runs the risk of causing outages, says Edward Roberts, application security strategist at Imperva.

“We have customers, who are going to be making vaccines available, concerned with the level of traffic,” he says. “The influx of human traffic plus the automation does have the potential to bring a website down.”

While Imperva’s analysis draws no firm conclusions about how the influx in traffic to healthcare and vaccination scheduling sites is related — if it is — to cybercrime, the other schemes are more transparent. 

The increase in vaccine-related phishing is merely the same cybercriminal groups using a new topical lure to get end users to click on links or run a malware-laden attachment, Barracuda Networks states. Once a user is compromised, the attackers either exploit the account in a business e-mail compromise or move laterally, seeking out other users and systems, the company says.

“Vaccine-related phishing emails impersonated a well-known brand or organization and included a link to a phishing website advertising early access to vaccines, offering vaccinations in exchange for a payment, or even impersonating health care professionals requesting personal information to check eligibility for a vaccine,” Barracuda Networks states in its analysis.

Between the beginning of November and the end of February, Check Point’s research group collected more than 7,000 registrations of domains using the word vaccine. Only 294 of those domains, however, are considered dangerous, the company says. 

Often, the intent of attackers is signaled by their attempts to construct the infrastructure necessary for an attack, the firm states.

“One of the surest signs of imminent online scams is an increase in domain registrations,” Check Point states in its blog post. “This signals that scammers are preparing web content, which appears to be genuine in order to attract curious people, with the aim of stealing their credentials and account details, or stealthily installing malware on their PCs or devices.”

In 2019, Imperva blocked about a quarter of traffic as bad bot traffic and classified about half that amount (13%) as good bots, which may or may not be blocked. The remaining traffic (about 63%) represented actual users, or “human” traffic.

Over the past months, the amount of human traffic and bot traffic has increased to medical and healthcare sites, Imperva’s Roberts says. 

“It varies when you are talking about different industries,” he says. “Within healthcare, pharmacies might be one group and hospitals another group that might be seeing different levels. We are certainly seeing an increase in automated traffic. There has been a lot more bot traffic overall.”

The degree to which the attacks are causing disruptions is unknown. While Imperva, for example, notes that vaccine websites in several states have crashed and pointed at bots as a potential cause, the company had no evidence of a link between the two issues. 

Even automated data collection bots that check the inventory at different locations, arguably a “good bot,” could be causing disruption if the sites are not robust enough. Imperva notes that such bots, along with bad bots that try to reserve vaccines, could disrupt the scheduling process. 

“Some helpful bots — developed with good intent — will be deployed as a way to scan appointment booking sites to keep citizens apprised of availability,” the company states in its blog post. “However, automated traffic congests the network’s bandwidth and will make it harder for legitimate users to access the system.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

The attacks seem more widespread than initially reported, researchers say, and a look at why the Microsoft Exchange Server zero-days patched this week are so dangerous.

Security researchers believe attacks exploiting four critical Microsoft Exchange Server vulnerabilities extend beyond the “limited and targeted” incidents reported by Microsoft this week when it issued patches for the zero-day flaws and urged enterprises to patch immediately.

Organizations first learned of the Exchange server zero-days on Tuesday when Microsoft released the fixes. It attributes the activity to a group called Hafnium “with high confidence.” Hafnium is believed to operate out of China and primarily targets organizations based in the United States, Microsoft reports.

As more security researchers track the activity, new details emerge about these active exploits, how they were found, and factors that drove the release of yesterday’s out-of-band patches. 

These attacks appear to have started as early as Jan. 6, 2021, report Volexity researchers who detected anomalous activity from two customers’ Microsoft Exchange servers that month. 

Volexity noticed a large amount of data being sent to IP addresses it believed were not tied to actual users. Closer inspection revealed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access. The researchers suspected the servers might be backdoored and began an investigation, which led to uncovering the zero-day exploit.

“We did a lot of analysis on the system initially to make sure it wasn’t a backdoor,” says Volexity founder and president Steven Adair. By early February, the team had determined what was going on and recreated the exploit themselves. Over the course of incident response efforts, researchers found the attacker had chained a server-side request forgery (SSRF) vulnerability with another that enables remote code execution (RCE) on the targeted Exchange servers. 

Volexity reported their findings to Microsoft and began to work with them. But things escalated in late February, when researchers noticed multiple instances of RCE. The attackers were using an exploit that would allow them to write Web shells to disk. In all cases of RCE, Volexity saw the attacker writing Web shells to disk and conducting operations to dump credentials, add user accounts, steal copies of Active Directory databases, and move laterally to other systems.

“We saw that happen very noisily in many different places over the weekend,” says Adair, noting this pushed up the timeline of deploying a patch for the vulnerability. “We didn’t see a lot of RCE until just recently, and they went pretty wild.” 

Up until this point, most of what the researchers saw was “low and slow” activity. Much of this involved subtle email theft, which looked like legitimate espionage operations, Adair says. Attackers targeted the emails of very specific people, though it’s unclear what they were after. Nothing about the activity would have triggered an endpoint security tool, he adds.

It’s unclear what caused the attackers to become more aggressive and change their tactics at this time. Microsoft has linked the activity to a single group; however, Adair isn’t convinced this isn’t the work of multiple threat actors. “It’s clearly multiple people with different strategies operating,” he says. 

John Hammond, senior security researcher at Huntress Labs, has also noticed the noisy activity. The Huntress team has seen the attackers use Windows command-line tools, add and/or delete admins from the “Exchange Organization administrators” group, and capture credentials or hashes stored within process memory.

“This attack has been a series of exploiting recent CVEs and using loud, overt tradecraft, which is surprising,” he says. “But considering they have sprayed this all over the Internet, they clearly don’t care about being stealthy.”

Who Is Vulnerable? Who Is Under Attack?

While Microsoft describes this activity as “limited and targeted,” Hammond reports indicators that this is now evolving into a larger-scale “spray and pray” campaign. Attackers seem to be scanning the Web to find vulnerable endpoints, he says. 

Huntress researchers have checked more than 2,000 Exchange servers and found roughly 400 vulnerable; another 100 are “potentially vulnerable,” he says.

They report nearly 200 organizations have been compromised and more than 350 Web shells found. He notes some victims may have more than one Web shell, indicating automated deployment or uncoordinated actors.

Affected companies include small hotels, a kitchen appliance manufacturer, an ice cream company, senior citizen communities, and other mid-market businesses, Huntress Labs researchers write in a Reddit thread. Their data shows attackers targeted city and county governments, healthcare providers, banks and financial institutions, and residential electricity providers.

Meanwhile, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive calling for civilian federal agencies with on-premises Microsoft Exchange Servers to either update their software with newly released Microsoft patches or take the products offline until they can patch them.

Why Exchange Server Is A Hot Target

The vulnerabilities patched this week should be a priority. Every organization has to have email, and Microsoft Exchange is broadly used. These servers are typically publicly accessible on the open Web, Hammond says, and they can be exploited remotely. Once they gain a foothold, the attackers can expand their access to cause more damage throughout the target environment. 

“They’re really critical components to an organization,” Adair says of Exchange servers. An email server has to sit on the Internet, he says, which increases the risk of an attacker finding and targeting it. 

Even organizations with nothing else exposed to the Internet will still have an email server online – unless of course they use a cloud-based email service. For many, Exchange server is essential. It always has to be on, and it could give a successful attacker access to user passwords, domain accounts, and administrator accounts. A compromise, even if it only allowed an attacker to read email, could be “devastatingly bad.” 

“Any vector is appealing to an attacker, but the Exchange server is a particularly critical one, and for some organizations may be the only avenue,” Adair adds. 

How to know if you’ve been compromised? Unfamiliar activity in Web server logs connecting to the attackers’ implanted Web shells should raise a red flag, says Hammond. A change in user permissions or administrative users may also raise suspicion and prompt a closer look. 

“The most effective means to track down this activity is by externally validating the vulnerability, looking for these indicators of compromise, and monitoring network activity on your servers,” he adds. Hammond advises organizations not only to patch immediately, but also to actively hunt for the presence of these Web shells and other indicators of compromise.
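The two log-based indicators described above, Volexity’s POST requests to static Outlook Web Access assets and the unusual volume of data returned to a single client, turned into detection logic over IIS web server logs. This is an added example and not tooling from Volexity, Huntress, or Microsoft; the log lines, IP addresses, and OWA paths are constructed, and the byte threshold is an arbitrary assumption.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed IIS W3C-format log lines (not real traffic). Field order follows the
# IIS default: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip cs(User-Agent) sc-status sc-bytes
SAMPLE_LOG = """\
2021-02-27 03:14:01 10.0.0.5 GET /owa/auth/logon.aspx url=/owa 443 - 198.51.100.7 Mozilla/5.0 200 5120
2021-02-27 03:14:09 10.0.0.5 POST /owa/auth/15.1.2176.2/themes/resources/logon.css - 443 - 203.0.113.44 python-requests/2.25 200 1200
2021-02-27 03:14:10 10.0.0.5 POST /owa/auth/15.1.2176.2/scripts/premium/flogon.js - 443 - 203.0.113.44 python-requests/2.25 200 98304
2021-02-27 03:15:02 10.0.0.5 GET /owa/auth/15.1.2176.2/themes/resources/logon.css - 443 - 198.51.100.7 Mozilla/5.0 200 1200
2021-02-27 03:16:44 10.0.0.5 POST /ecp/default.flt - 443 - 203.0.113.44 python-requests/2.25 200 262144
2021-02-27 03:20:00 10.0.0.5 POST /owa/ev.owa action=Send 443 alice 198.51.100.7 Mozilla/5.0 200 800
"""

FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "s_port",
          "username", "c_ip", "user_agent", "status", "sc_bytes"]

# File types OWA serves as static content. A browser only GETs these, so a POST
# to one of them is the anomaly Volexity described (a Web shell hidden behind a
# legitimate-looking static path).
STATIC_EXTENSIONS = (".js", ".css", ".png", ".gif", ".jpg",
                     ".woff", ".woff2", ".ttf", ".eot")


def parse_iis_line(line: str) -> Dict[str, str]:
    """Split one W3C line into named fields.

    IIS replaces spaces inside field values with '+', so a whitespace split is safe.
    """
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def is_post_to_static_asset(rec: Dict[str, str]) -> bool:
    """True when a POST targets a static OWA resource (image, script, stylesheet, font)."""
    path = rec["uri_stem"].lower()
    return (rec["method"].upper() == "POST"
            and path.startswith("/owa/")
            and path.endswith(STATIC_EXTENSIONS))


def find_suspicious(log_text: str, bytes_threshold: int = 100_000) -> Dict[str, object]:
    """Return POST-to-static hits and client IPs that received more than bytes_threshold.

    bytes_threshold is an assumed value; tune it to the server's normal per-client volume.
    """
    posts: List[Tuple[str, str]] = []
    bytes_out: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # W3C header/directive lines start with '#'
            continue
        rec = parse_iis_line(line)
        if is_post_to_static_asset(rec):
            posts.append((rec["c_ip"], rec["uri_stem"]))
        bytes_out[rec["c_ip"]] += int(rec["sc_bytes"])  # bytes the server sent back
    heavy = {ip: total for ip, total in bytes_out.items() if total >= bytes_threshold}
    return {"post_to_static": posts, "heavy_ips": heavy}


if __name__ == "__main__":
    result = find_suspicious(SAMPLE_LOG)
    for ip, path in result["post_to_static"]:
        print(f"POST to static OWA asset from {ip}: {path}")
    for ip, total in result["heavy_ips"].items():
        print(f"{total} bytes served to {ip}; review this client")
```

Hits on either rule are a prompt for a closer look at the files behind those paths and the client in question, not proof of compromise on their own.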

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …

Internal research and external bug-bounty programs combined to discover the vast majority of reported security issues in the company’s software.

For the second year in a row, the vast majority of vulnerabilities — 92% — found in Intel’s products came from the company’s security investments, specifically internal research efforts and external bug bounties, the company stated in a new report, published today. 

Of the 231 vulnerabilities reported in Intel products in 2020, 109 issues (47%) were found by Intel employees, while 105 (45%) were reported by external researchers participating in a bug-bounty program, according to the company’s “2020 Product Security” report. While the company did not detail how much it invested in the different programs, Intel did say the company paid out an average of $800,000 a year for bug bounties.

The company plans to continue its multiprong approach to security, says Jerry Bryant, director of security communication in the Intel Platform Assurance and Security (PAS) group.

“Security isn’t a one-time investment thing,” he says. “You have to think about it more broadly from good security development practices, baking that into the mindset across your company, investing in vulnerability management processes and the ongoing security research into your products, both prerelease and shipping.” 

The report highlights the growing importance of bug-bounty programs for application and software developers. Not even five years ago, many companies continued to debate the efficacy of bug-bounty programs, but most have come to value their relationships with external researchers. 

Intel started its own bug-bounty program in 2018, when the company also launched its Product Assurance and Security group. The effort has paid off. While about the same number of vulnerabilities were disclosed in the past two years through internal programs and external bug bounties, 2020 had a third more vulnerabilities reported through the bug-bounty program — 105, versus 70 in 2019. 

External researchers typically focused on software drivers, as opposed to looking for the more complex firmware or hardware vulnerabilities that tend to have more impact on the processing, networking, and graphics platforms at the heart of Intel’s business. The company’s internal researchers found 69% of firmware-related security issues and 57% of hardware issues, the report stated.

“[T]he bulk of externally found issues were in software consisting mainly of software utilities and software drivers for graphics, networking, and Bluetooth components,” Intel stated in the report. “While these are important issues to address, our product firmware forms the basis of trust in our platforms and the data shows this is the primary focus of our internal security research.”

Only 17 vulnerabilities were reported by researchers not with Intel or part of a bug-bounty program. Those researchers include Intel partners, customers, and organizations that could not seek bounty payments, the company said. 

The most vulnerabilities, 93, occurred in drivers and other software components, while 66 occurred in firmware, and 58 affected a combination of firmware and software. The smallest number of vulnerabilities, 14, affected hardware, such as processors. Hardware vulnerabilities, such as the Spectre and Meltdown design flaws caused by overlooked issues in speculative execution of branches, are very hard to patch or mitigate after the product has been produced.

Overall, graphics components accounted for the largest portion of vulnerabilities, 22, with nearly half ranking as high severity. The most critical vulnerabilities occurred in the Intel Converged Security and Management Engine (CSME), which forms the basis of any Intel-based computing platform’s root of trust, isolating its functions from the central processing unit (CPU), firmware or BIOS, and the operating system. 

In total, Intel platforms and software had six critical, 80 high, 131 medium, and 14 low-severity vulnerabilities in 2020. Intel found two of the critical and slightly more than half of the highly rated vulnerabilities, the report stated.

Intel plans to continue to invest in security, but the company did not have specific budget targets for its programs. Considering the increase in the number of vulnerabilities reported through bug bounties, the company may need to plan for rising external payments to researchers. 

“We don’t think of it in terms of budget but in terms of more capability — whatever we need to scale to,” Bryant says. “The Intel product assurance and security group is focused on things like SDL, offensive security research, vulnerability management. Things like that. Budget is not part of the report because it moves.”


The proposed National Cyber Response Network would link federal agencies, companies, and local governments, allowing collaboration during a cyberattack.

Creating plausible scenarios of cyberattacks launched by nations such as China or Iran, or by domestic terrorists and hacktivists, a policy group has concluded that too many roadblocks hinder the effective response to a major attack on US government agencies or private industry. 

In a report published last week, the New York Cyber Task Force (NYCTF) — a group of policy makers, private industry, and consultants — recommended that the United States create a National Cyber Response Network, linking existing government and industry groups into a collaborative network that could speed response to any attack. The task force, sponsored by Columbia University’s School of International and Public Affairs (SIPA), brings together government cyber experts, policymakers, and private industry professionals to address the national cybersecurity challenges that the United States will face in the future.

The group concluded that the US is not prepared to effectively respond to a national cyber crisis, says Gregory Rattray, the executive director of the NYCTF and co-founder and partner at cyber consultancy Next Peak.

“We need to make ourselves more resilient,” he says. “We know, in terms of policy, that we have to break down a lot of barriers for the private sector to work with the government, and both sides need to really invest in cyber in a serious way.”

The report notes that interconnected devices and machine learning are becoming pervasive, with broadband Internet delivered from space, next-generation cellular networks, and artificial intelligence all being integrated into society’s technological fabric. In a previous study published by the group, they focused on technologies and policies that could benefit cyber defenders. 

The latest report, published on Feb. 26, outlines the challenges that remain, presents four scenarios of possible disruptive attacks, and offers five recommendations, including the creation of the National Cyber Response Network (NCRN), to be managed by an agency designated by the cabinet-level National Cyber Director.

A number of recent attacks underscore the need for such an effort, from the massive supply chain compromise involving SolarWinds software to the relatively unsophisticated water-treatment plant hack, says Rattray.

“If we are going to withstand a cyberattack, we are going to have to invest an order of magnitude more in all the things that are necessary to be able to respond as a nation — both private sector and public — when an adversary unleashes what is clearly technically possible,” he says. “If the Russians sent a disruptive command using the access that they had through the SolarWinds software, stuff would have crumbled all over the place.”

The New York Cyber Task Force created four scenarios and created exercises to test the potential responses. The scenarios included Iran attacking local critical infrastructure to increase pressure on US policymakers, China hobbling technology industries, and domestic protestors using disruptive attacks. An important contribution of the NYCTF was testing some of the core recommendations of the Cyberspace Solarium Commission, particularly those that focused on public-private collaboration. 

“The fact that the task force’s rigorous process validated those recommendations only further reinforces the critical importance of improving how the US government works with the private sector on shared cyber threats,” Erica Borghard, senior fellow with the New American Engagement Initiative at the Atlantic Council’s Scowcroft Center for Strategy and Security, said in a statement issued with the report. “It also demonstrates the urgency of nominating a National Cyber Director and empowering that position to be the focal point within the Federal government for collaboration with the private sector.”

The United States also needs to take a more aggressive approach to undermining the capabilities of attackers before those capabilities are used in an attack, Rattray says. The ability of adversaries to attack the national and commercial infrastructures without resistance needs to change, he says. 

“The Solarium Commission, if you read their recommendations on the offensive side of things, they get it right,” he says. “We need to use our ability to move outside of our own cyberspace to make it hard to attack us. We need to disrupt the setup and execution of an adversary’s ability to put us at risk. That is different than proactively attacking others.”

The report assumes a slow international escalation of tensions in cyberspace. For companies hoping that nations will develop some international treaty setting norms for cyberspace, it’s time to face reality, Rattray says.

“If you are a defender, you have to assume that norms are not going to save you,” he says. “That, if the US irritates an adversary, and you are a US company … some adversaries might come after you as a way of forcing the hand of the United States.”


Microsoft announces support for data loss prevention in Google Chrome, co-authoring of protected files, and more at Ignite 2021.

Microsoft today debuted several security and compliance updates as part of its Ignite 2021 conference, including the extension of data loss prevention (DLP) to the Chrome browser and on-premises files, the ability to co-author protected documents, and the extension of Azure Purview.

During last year’s Ignite conference, Microsoft extended its data loss prevention capabilities to Microsoft Cloud App Security, bringing DLP policy-based inspection to cloud apps including Dropbox, Box, Google Drive, Webex, OneDrive, SharePoint, and others. In November 2020, its Endpoint DLP tool became generally available. 

Now, DLP capabilities will be available through a Chrome extension called DLP and Insider Risk Management. 

This extension, now available in preview, brings DLP and Insider Risk Management into the Chrome browser of onboarded endpoint devices. Admins will be able to create custom DLP policies for Chrome to ensure data is properly handled and isn’t accidentally disclosed. With its “audit mode,” for example, they can record policy violations without affecting users’ activity. 

In a blog post, Microsoft notes that users with the extension see an alert when they take risky actions with sensitive information, as well as policy advice and guidance to remediate them. This extension is meant to enable a more granular level of data protection. In the admin center, admins can set the policy and can turn it on and off in the Microsoft 365 compliance center.

While many businesses are moving operations to the cloud, many continue to have a significant data presence on-premises. A key issue is much of this data hasn’t been classified or protected, making it tough for IT and security teams to determine what it is and how it should be secured.

Microsoft’s on-premises DLP aims to give businesses more visibility into this data and create a framework to help manage and protect it. This capability uses DLP and Microsoft Information Protection policies to find sensitive data and the unknown repositories holding sensitive data.

Also available in preview is the ability to co-author documents secured with Microsoft Information Protection, a tool used to prevent data loss across Microsoft 365, on-premises systems, and third-party SaaS apps.

“Collaboration and productivity are critical to getting work done, but you need to ensure the data remains safe wherever it is,” says Alym Rayani, general manager for Microsoft Compliance. With more people working remotely, protecting data where it resides has become a top priority.

Employees previously had to choose between encrypting sensitive content and collaborating on it, as only one person could edit encrypted content at a time — everyone else was locked out, and AutoSave was disabled to preserve encryption. Now, multiple people can work on a Word, Excel, or PowerPoint file while maintaining the sensitivity labeling and document protection.

Rayani notes this capability works across devices and will work automatically. Employees must choose to protect the document by selecting an encryption policy and sensitive data labeling policies, which are already built into Microsoft 365 applications.

“What many organizations are realizing is, they can’t just protect against what we call outside-in threats,” he says of the growing reliance on cloud-based applications and the prevalence of remote work. Organizations are adapting to a new reality in which they store data in new and different ways, which creates security and compliance challenges for them along the way. “They also have to think about how they protect from the inside out.” 

Microsoft today announced it’s expanding the ability of Azure Purview, a service announced last December that was built to map and control business data wherever it resides. It’s integrated with Microsoft Information Protection, meaning admins can apply the same sensitivity labels defined in Microsoft 365 compliance center to information in Azure.

Now, Azure Purview will be able to scan and classify data on other platforms, including AWS S3, SAP ECC, SAP S/4HANA, and Oracle Database. As part of the preview, users can automatically scan and classify data that resides in on-premises data stores with the Azure Purview Data Map.


The Unc0ver team has released a tool that works on iOS 11 and later, and exploits a vulnerability that was recently under attack.

Unc0ver, a team of hackers behind the jailbreak tool, released a new tool that works on nearly every iPhone model and exploits a flaw that Apple reported was under active attack last month.

The group says its new tool works on iOS 11 to iOS 14.3, which was rolled out in December 2020.

It reportedly includes an exploit for CVE-2021-1782, an iOS kernel vulnerability that allows an attacker to escalate privileges and affects devices including the iPhone 6 and later; iPad Air 2 and later; iPad mini 4 and later; and the 7th-generation iPod touch. In a tweet, a hacker with the Unc0ver team says the group wrote its own exploit for the vulnerability.

The flaw was under active attack at the time Apple deployed a patch in iOS 14.4 earlier this year, along with fixes for two other iOS zero-days. It did not provide details on attacks using the flaw. At the time, it gave “an anonymous researcher” credit for reporting each of the vulnerabilities.

Read more details here.


Earnings report attributes the financial loss to the diversion of care during the incident.

A ransomware attack last fall cost Universal Health Services $67 million in pre-tax losses, the healthcare provider confirmed in an earnings report released today.

Referring to it as an “information technology security incident,” UHS officials said the cyberattack forced the organization to suspend user access to several information technology applications in the US during the attack. No evidence of unauthorized access, copying, or misuse of any patient or employee data has been identified to date, according to UHS, one of the largest hospital and healthcare services providers in the US.

The disruption caused by the attack prompted UHS staff to divert ambulance traffic and elective/scheduled procedures at UHS acute care hospitals to competitor facilities during the recovery time, which UHS said affected its finances.

“We also incurred significant incremental labor expense, both internal and external, to restore information technology operations as expeditiously as possible,” the earnings report stated. “Certain administrative functions such as coding and billing were delayed into December, 2020, which had a negative impact on our operating cash flows during the fourth quarter of 2020.”

The full earnings report can be found here.


A new document provides guidance for businesses planning to implement a zero-trust system management strategy.

The National Security Agency (NSA) today published a document explaining the zero-trust model and its benefits, the challenges involved in implementing it, and advice on navigating the process.

As cloud, multicloud, and hybrid network environments become the norm for businesses, the resulting complexity, combined with evolving threats, puts many at risk. Traditional perimeter-based network defenses with layers of security tools are often insufficient. Companies need a better way to protect infrastructure and provide granular access to data, services, and apps.

“The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses,” NSA officials wrote.

Zero trust requires strong authentication for both user and device identities. Use of multifactor authentication, which is recommended in this model, can make credential theft more difficult. 

The implementation of zero trust takes time and effort, but it doesn’t have to be done all at once. Many businesses may be able to incorporate zero-trust concepts into existing network infrastructure; however, the transition to a mature architecture often requires additional capabilities. Officials advise planning out the integration as a “continually maturing roadmap,” starting with initial preparation and continuing on to basic, intermediate, and advanced stages.

As with all major projects, there are challenges. Officials note potential roadblocks include lack of support from enterprise leadership or users. If leadership isn’t willing to provide the needed resources to sustain a zero-trust architecture, or users are allowed to bypass policies, then zero trust won’t prove beneficial, they say.

Read the full document here for more details.
