Zero Trust Combats Credential Compromise Danger

---

The Zero Trust Security Approach is Today’s Answer to Cybercrime

---

Zero trust has gained prominence as a security framework in the wake of 2021’s major ransomware attacks against infrastructure. The model’s central principle is just like that motto from the X-Files: trust no one.  Broadly, zero trust is a security concept that adds layers of complexity yet creates a stronger overall security framework in order to reduce the chance that cybercriminals are able to gain access to systems and information. With the US federal government committed to moving to a zero trust model in 2022, learning more about why can offer insight into why a zero trust model may be ideal to combat today’s rapidly shifting risk landscape.  

---

---

The US Federal Government is All In on Zero Trust

---

The National Institute of Standards and Technology (NIST) is the federal agency tasked with developing policy and procedures that set zero trust security requirements that will be followed by agencies and some contractors. The agency defines zero trust architecture (ZTA) as “An enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.”  

NIST has long had publications available to help cybersecurity professionals understand the zero trust model and build a strong zero trust framework. NIST Special Publication (SP) 800-207 Zero Trust Architecture is the comprehensive guide to architecting a zero trust framework. NIST also has a draft whitepaper available, Planning for a Zero Trust Architecture: A Starting Guide for Administrators. The slideshow Zero Trust 101 is also packed with helpful information. The US federal government’s journey to a universal zero trust framework began in May 2021 when President Biden issued a far-reaching executive order on improving cybersecurity for federal agencies and infrastructure targets after the Colonial Pipeline attack. The order came with various directives for Federal Civilian Executive Branch agencies. Among other efforts, the order focused on the federal government’s advance toward zero trust architecture. Abundant federal resources are being funneled into that effort. 

---

---

Old Ideas Are Dangerous These Days

---

Many companies have still been using the old castle-and-moat architecture to secure their systems and data, and that’s a fast path to trouble these days. Organizations that are focused on defending their perimeters traditionally while assuming every user and device that already had access doesn’t pose a cybercrime threat – automatically clearing those users for access at whatever their set permissions level was with no further confirmation of identity required – may not be making the smartest security choices. That architecture leaves organizations dangerously vulnerable to an array of nasty cyberattacks from credential stuffing to malware if anyone manages to get their hands on a legitimate password or obtain access through a trusted device. 

These days, that’s an incredibly dangerous proposition. An abundance of records on the dark web just keeps growing, adding more passwords and bigger stores of information to the pot that cybercriminals can use to mount credential stuffing attacks and other password-based cyberattacks. Just this year, a massive 100GB text file dubbed RockYou2021 was leaked by an anonymous user on a popular hacker forum. This new cache of data is estimated to contain 8.4 billion passwords, ready to use in cybercrime operations. That’s in addition to the massive quantity already available. Experts estimate that 60% of the data that was already on the dark web at the start of 2020 could harm businesses and approximately 22 billion new records landed in dark web data markets and dumps in 2020, providing further fuel for cybercrime.   

---

---

Phishing & Credential Compromise Are at the Root of the Problem

---

Phishing is another part of that picture. In a zero trust scenario, a phished password doesn’t have the bite that it has in alternative architectures. But when cybercriminals can use credentials obtained through phishing to access a company’s network it makes it easy for them to do serious damage quickly. Phishing has reached dizzying heights in 2021. In a 2021 survey,  74% of respondents said that their companies had been successfully phished in the last year. Every industry is facing an unprecedented onslaught of phishing, but a few stand out as the most likely to have a phishing incident lead to credential compromise. In which industries will cybercriminals find the people who are most likely to submit credentials or share information? These are the top 5 most vulnerable industries:   

The Top 5 Sectors in Which Phishing Leads to Credential Compromise  

Apparel and accessories  

Consulting  

Securities and commodity exchanges  

Education  

Conglomerates/Multi-Nationals 

An experiment by Canadian security researchers exposed the sad truth: an estimated 25% of Noth American workers tested were fooled by phishing emails, leading to some dangerous consequences.  

• 67% of clickers (13.4% of overall users) submitted their login credentials, up substantially from 2019 when just 2% submitted their credentials  
• The Public Sector and Transportation workers struggled the most, posting a click rate of 28.4%  
• The Education, Finance and Insurance sectors performed considerably better than others, with click rates of 11.3% and 14.2% (tied)  
• Users in North America struggled the most with the phishing simulation, posting a 25.5% click rate and an 18% overall credential submission rate  
• About 7 out of every 10 clickers willingly compromised their login data  
• Users in Europe exhibited lower click and submission rates of 17% and 11%, respectively. 

---

---

Building a Zero Trust Future

---

Building a zero-trust framework is the way to combat some of that heightened risk. One key provision of zero trust is that within that framework, an organization does not automatically trust or grant blanket permissions to anything inside or outside its perimeters, no matter who the user is, not even an executive’s password. Instead, everyone from the CEO to the marketing intern must verify their identity every time they try to connect anything to their organization’s network or systems before granting access. This extra step is crucial for covering unexpected security gaps. The guiding principle to remember in this model is that every potential connection attempt to the network being secured by any person or device should be considered suspicious until proven otherwise. 

The National Institute of Standards and Technology (NIST) has also launched an initiative led by NIST’s National Cybersecurity Center of Excellence to explore how zero trust security functions in different business environments. For the Implementing a Zero Trust Architecture initiative NIST is partnering with 18 leading technology companies to explore the process of building and implementing zero trust security architecture as it prepares to draft guidance for how zero trust is to be implemented at federal agencies as well as creating new resources to make the process easier for companies in the private sector.  

The agency has said that the 18 companies participating in the zero trust project will provide examples of integrating commercial and open-source products that leverage cybersecurity standards and recommended practices. The goal is for NIST to develop a new publication that outlines zero trust security implementation for enterprises as well as federal internal use in a proposed publication, The Cybersecurity Practice Guide. Example implementations will integrate wisely available commercial and open-source products that leverage zero trust cybersecurity standards and recommended practices to showcase the robust security features of zero trust architectures.    

---

---

Smart Solutions Help Build a Zero Trust Defense 

---

Choosing solutions that are built with zero trust principles in mind from the ground up can help businesses make their journey through zero trust implementation to stronger security faster. The ID Agent digital risk protection platform can help.   

Dark Web ID enables you to get a clear picture of your company’s credential compromise threats from dark web sources. Our 24/7/365 always-on monitoring alerts businesses to credentials appearing on the dark web that may have been stolen or phished to mitigate the risk of bad actors using a stolen password to gain access to your systems and data. Automated alerts and reporting mean that your team doesn’t need to spend time staring at a dashboard or pulling reports.    

BullPhish ID improves your staff’s security awareness and increases phishing resistance. But they’ll learn about much more than just phishing including compliance, password safety, security hygiene and more, giving every employee a solid grounding in cybersecurity pitfalls and best practices. Choose from our plug-and-play complete training modules and phishing simulations or customize the content to reflect the unique industry risks those employees face daily.   

See them in action in these short demonstration videos: https://www.idagent.com/learn-more    

Contact our solutions experts today to learn how your business can benefit from strong, affordable security and receive a personalized demonstration. 

---

---

---

---