For credentials, this is the new seven commandments of zero trust
Credential security company Beyond Identity launched the Zero Trust Authentication initiative to help organizations secure user credentials, with support from large companies.
Zero trust is a framework that protects infrastructure and data, in part by eliminating arbitrary perimeters and requiring authentication of all users and endpoints, both external and internal. Therefore, it encompasses credentials.
In an effort to codify how it should be applied in practice, companies including Zscaler, Optiv, Palo Alto Networks, CrowdStrike and Ping Identity are supporting an initiative led by security firm Beyond Identity that creates a zero-trust architecture for securing corporate accounts and credentials against phishing and ransomware, among other threats.
On March 15, 2023, the company held a virtual launch event in New York City to announce the program, which aims to address the weak links in security, passwords and MFA, that enable attacks like the one that led to the hacking of a LastPass engineer’s corporate laptop in 2022.
“Basically, we’re talking about authentication, but authentication that goes to the zero trust level,” said Patrick McBride, director of marketing at Beyond Identity. “Because so many authentication protocols are easily bypassed – not even a speed bump.”
Passwordless, phishing-free protocols among ZTA measures
The company outlined a series of measures organizations can take to strengthen defenses and isolate endpoints from lateral movement:
- Passwordless – Don’t use passwords or other shared secrets, as they can be easily obtained from users, captured on networks, or hacked from databases.
- Phishing-proof – There is no way to obtain codes, magic links or other authentication factors through phishing, man-in-the-middle or other attacks.
- Ability to validate user devices – Ensure that requesting devices are bound to a user and are authorized to access information assets and applications.
- Able to assess device security posture – It can determine whether devices are compliant with security policies by verifying that appropriate security settings are enabled and security software is actively running.
- Able to analyze a wide range of risk signals – Able to process and analyze data from endpoints, security and IT monitoring tools.
- Continuous risk assessment – Ability to assess risk during a session instead of a one-time authentication.
- Integrated with security infrastructure – Integrates with various security infrastructure tools to improve risk detection, accelerate responses to suspicious behaviors, and improve audit and compliance reporting.
How to achieve high security credentials
McBride said that passwordless, phishing-resistant MFA is key to creating high trust in user identity, for example a FIDO2 passkey.
Based on FIDO authentication standards and using asymmetric public/private key pairs, FIDO2 login credentials are unique to each site and, like biometrics, never leave the user’s device and are never stored on a server. “I’m not sending anything over the network that a bad guy could use,” added McBride (Figure A).
Chris Cummings, vice president of products and solutions at Beyond Identity, explained that continuous monitoring is critical to security. He said Beyond Identity’s policy engine receives the signals and sends instructions to Okta’s single sign-on to allow or deny authentication, or to perform an action on a particular device (such as quarantining it until the user or IT can examine it).
“The concept of continuity comes from Palo Alto Networks,” he said. “They place a lot of emphasis on continuity, and they work with us because we provide continuous verification — one of the seven elements of Zero Trust Authentication — and that’s what they do to access applications.”
A key aspect of the implementation is ease of use — removing time-consuming tasks for the user of a valid endpoint device, McBride noted.
End users want quick access to their devices, he said, and forcing cumbersome, high-friction security methods on them often leads users to turn those methods off entirely. “We think you can have your cake and eat it too: high security with low friction,” McBride said.
Bypassing passwords and MFA
According to McBride, the ZTA principles help organizations overcome the limitations of passwords and multi-factor authentication. “Authentication methods are not working. Passwords are fundamentally flawed, so if you store them or transmit them over a network, they get stolen, and 75-80% of all initial access comes from these problems,” he said.
ZTA protocols include risk scoring and what the company calls continuous authentication capabilities — risk-based and updated authentication decisions based on data from cybersecurity tools for an “always-on” zero-trust world, according to the company.
Threats in the wild: Multiple attack vectors via valid accounts
The MITRE ATT&CK framework catalogs cyber threat actors and techniques. Among them, 17 credential access techniques are used to obtain and abuse the credentials of existing accounts to gain access, persist within the system, extend privileges, and more. The organization notes that the credentials can even be used to access remote systems and external services, including VPNs, Outlook Web Access, network devices, and remote desktops.
A brief sampling of the more than 40 threat groups that MITRE reports have used valid accounts over the past decade and a half:
- APT18: Uses legitimate credentials to log into external remote services to target the technology, manufacturing, human rights groups, government, and medical industries.
- Axiom: A suspected Chinese cyber espionage group that previously used compromised administrative accounts to escalate privileges.
- Wizard Spider: A Russian state actor that uses valid credentials for privileged accounts to gain access to domain controllers.
- Polonium: A Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, using valid compromised credentials.
“The initial vector of choice for attackers is valid accounts,” McBride said. “Sophisticated actors use it all the time, and they have an arm’s length list of bad actors used, and they use them because they’re the ‘easy button’. They don’t want to zero-day or use a really sophisticated method when there’s an easy-to-use button.”
He added that, contrary to popular belief, phishing is the second most common way ransomware is installed. The No. 1 method is logging in with stolen credentials to gain remote access to software, desktops, or servers. “Weak authentication has real consequences,” he said.
“Year after year, identity and authentication vulnerabilities continue to be the largest source of ransomware and security incidents, so something fundamental needs to change to eliminate this vulnerability and allow organizations to meet the security standards issued by the White House, NIST, and CISA,” Chase Cunningham, director of strategy at Ericom Software, which supports the initiative, said in a statement.
Jay Bretzmann, Research Vice President, IDC, added: “Delivering on the promise of zero trust requires continuous verification of identity – user and device. Beyond Identity has chosen the approach of using signals from the security infrastructure in near real time to raise security standards and leverage existing security infrastructure investments in EDR and SASE tools.”