“The Colonial Pipeline got hacked, big deal. It won’t happen to me. I’m sure my IT guy has it covered, I have Anti-Virus and other stuff." These are the lies Business managers tell themselves until it's too late.
Chuck Poole, CEO, CISSP
PalmTech Computer Solutions
You may think your business’ Cyber Security is good enough, but if you are not doing the 4 things outlined in this article, I guarantee you will get hacked just like Colonial did.
Times have changed but most businesses have not. The average business relies on a handful of old technologies and hardware that they assume will provide a reasonable level of protection from all cyber threats. These include things like Anti-Virus, firewalls, patch management, and spam filters. Because these older technologies are well understood by hackers, they are easily circumvented and offer little protection against modern threats. The other issue with these tools is that they rely on their ability to only block the threats that are already well known, rather than focusing on detecting new and unrecognizable threats. Every day new techniques and methodologies are being developed by hackers and this is bad news for businesses who don’t regularly evaluate and implement new security technologies. Add to this the fact that human error accounts for 29% of all data breaches, and you have a recipe for disaster. Even your smartest employees can be duped into clicking on a link or facilitating an entry point for hackers to access your network, becoming yet another statistic in a rapidly growing multi-billion-dollar cybercrime industry.
If you are utilizing legacy technologies, even those developed within the last 3 years, it is not a matter of IF you will be hacked, it is a matter of WHEN.
While nothing can guarantee that you and your business will ever be 100% secure from cybercrime, there is a modern principle that has been adopted by Certified Cyber Security professionals all over the world that will help fill many of your existing gaps. The principal is called Zero Trust.
What Is Zero Trust?
Zero Trust is a philosophy centered around not trusting any person or device by default. Zero Trust is a framework that takes security measures a step further. So, if the saying Everyone is innocent until proven guilty is anti-virus, Zero Trust is Everyone is guilty until proven innocent. Anti-virus is reactive, while Zero Trust is proactive. And here is why:
- With anti-virus, by default you can download and install an application to your device and the anti-virus software compares it to a list of “known bad” applications. The problem is, not all threats are detected because hackers are constantly changing them around to make them invisible to Anti-Virus pattern-matching technologies. Once the application has been downloaded and starts deploying threats, anti-virus will only detect any recognizable threats and alert you after the fact. By then, as in the case of Colonial, it's often too late.
- Meanwhile, Zero Trust will not permit you to download the application at all. You must go through numerous layers of security measures to verify to your Zero Trust policy that you are the administrator of that device and the application is approved before anything can be added to the computer.
Enterprises of all sizes are increasingly implementing a Zero Trust Security model into their business; especially in the new age of remote work where network security may be at its weakest. Implementing a Zero Trust model grants their employees just enough access to do their work—nothing more, nothing less. For businesses, the Zero Trust Security model extends beyond devices and applies to all employees as well.
In our practice, we serve businesses with 20 to 300 computers. Our experience tells us that when a breach occurs it almost always starts with the exploitation of a PC, or mobile device, often with the unwitting help of a user. So how does Zero Trust help to keep your data secure? The simple answer is a series of evolving checklists and tools that continuously enforce best security practices including the core principle of “Least privilege”. This includes:
- Preventing unauthorized devices from attaching to your networks
- Whitelisting applications that can run on those respective devices
- Verifying every user login at any point in the network or on any device
By strictly controlling what devices, users, and applications are present on your network, the user is kept in a tight box with layers of restriction that prevents them from accidentally giving access to a hacker.
What Are Some Examples Of Zero Trust? Why It Should Be Your Primary Defense.
While Zero Trust is mostly a framework of principals to apply layers of security to your network, for the purposes of the remainder of this article we will outline what our certified experts have chosen to implement to combat computer and email breaches that represent the largest risk to a small business. The two key items hackers are looking to acquire when trying to gain control of a server or a computer are a set of credentials (username/password) or to get an employee to run or install something through various forms of trickery. The two biggest ways a hacker does this is through phishing emails, emails carefully crafted to entice viewers to click on a harmful link or download, or a compromised website.
How do you stop these things from happening in the first place? One thing I can tell you without a doubt is: You do not want to rely on Anti-virus. As I mentioned before, Anti-Virus is reactive not proactive. If the AV does not yet know about a present threat, it will initially allow the rogue application to run on your device. By the time the application is running on your computer, even if AV detects the threat later, it is often too late and the damage is done.
Zero Trust Examples For Computers and Other Endpoint Devices
1. Zero Trust for Identity. Enable Multi-Factor Authentication (MFA or 2FA) for all users across all accounts and devices. MFA provides an additional layer of security each time a user logs into their device, accounts, and any other data assets. The objective of MFA is to verify that the user logging in is the owner of the corresponding device or account before logging them in completely. Almost every major service now has this feature built in and usually involves sending an access code to the user’s mobile phone as a second way of verifying user’s identity. The problem in many cases is that IT professionals do not offer enabling this feature to their clients or employees. I cannot stress this enough: MFA needs to be enforced not just for network services but also to log into your local PC’s.
2. Zero Trust for Devices. What if a hacker steals or compromises a device that a user needs for Multi-Factor Authentication verification? Or what if someone brings their own device and attaches it to your network in an attempt to hack you? By properly deploying and configuring the latest cyber-security tools that whitelist each device, you can block rogue devices and non-corporate assets from connecting to your network. This adds another layer to Zero Trust to help prevent intrusion.
3. Zero Trust for Applications. What happens when you have a legitimate user who accidentally clicks on something they should not have? Without the latest tools in place that prevent non-approved applications or scripts from running, there is nothing to stop a hacker, or an employee for that matter, from installing whatever they want. Even if you currently have some restrictions in place, hackers have advanced tools that can often bypass operating system controls. Having a security tool that is constantly running in the background to verify compliance is a modern required principle of Zero Trust.
4. You need a safety net, and it needs to be monitored 24/7/365. Even with a Zero Trust security model in place, there is still the potential of a very sophisticated crime ring beating even the strictest Zero Trust Policies. The last line of defense is a NextGen Endpoint Detection and Response System (EDR). EDRs monitor the behavior of applications running on your computers. They detect suspicious activity such as rogue applications encrypting and deleting your files, or a bitcoin miner running in the background sapping your computer’s resources. Unlike a traditional Anti-Virus, EDRs are designed to detect thousands of behaviors and can automatically isolate a PC from the network and raise the flag to a Security Operations Center (SOC). Once the SOC detects the alerts, they can log into the affected computer, and in many cases roll back the changes. This can eliminate hours of expensive remediation time in addition to the cost of downtime from idle employees.
Implementing a Zero Trust Security Model into your business’ operations is more important now than ever. For more information on a Zero Trust Framework for your business, please contact PalmTech Computer Solutions for a complimentary security checklist and evaluation.
K, Branko. “15 Eye-Opening Data Loss Statistics from 2021: Data Security Matters.” HostingTribunal, 26 Feb. 2021, hostingtribunal.com/blog/data-loss-statistics/.
About the Author: Chuck Poole, CISSP, CEO of PalmTech Computer Solutions
More than 40 years ago, Chuck Poole set his eyes on one of the first "Personal Computers" commercially available and it was love at first sight. He was so enamored with computers that some people worried he might never do anything else - and they were absolutely right. Learn More.