Trust Nothing: What Does Zero Trust Mean and Why is It Important?
You may have heard about ‘zero trust’ recently. But what does this term really mean? Can you trust anyone these days?
Unfortunately, most IT experts now say the answer is a resounding ‘no.’ Do not trust anyone with your valuable information, or you may find yourself on the wrong side of cybercrime, paying a ransom or having your personal data exposed.
Trust is a dangerous word
Zero trust is an emerging topic. It’s a way of thinking about cybersecurity and architecting secure networks.
Sometimes referred to as ZTN or ZTNA, the main idea behind zero-trust network architecture is not to trust things “inside” a network or trust anything automatically or by default. Don’t trust anyone or anything.
Just because we have a username and password doesn’t prove that we are the user those credentials belong to. Instead, everything must be verified. Regularly. And monitored and analyzed. Everything is assumed to be under constant attack, and adversaries are assumed to have already breached defenses.
Security needs to adapt and require more points of data than just a username or password. Device, location, time of day, a second factor (2FA) or additional factors (MFA) for authentication and more can be incorporated when deciding if something should be allowed access or not and to hunt out anomalous or suspicious activity.
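The access decision described above can be sketched in code. This is an added example, not taken from any product or from the original article; the names (AccessRequest, PROFILES, decide), the sample baseline and the one-anomaly threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class AccessRequest:
    user: str
    password_ok: bool   # result of the credential check
    mfa_passed: bool    # result of the second factor
    device_id: str
    country: str
    local_time: time

# Constructed baseline of each user's normal behaviour (hypothetical data).
PROFILES = {
    "alice": {"devices": {"laptop-7f3a"}, "countries": {"CA"},
              "hours": (time(7, 0), time(19, 0))},
}

def find_anomalies(req, profile):
    """Compare the request's context against the user's baseline."""
    found = []
    if req.device_id not in profile["devices"]:
        found.append("unrecognized device")
    if req.country not in profile["countries"]:
        found.append("unusual location")
    start, end = profile["hours"]
    if not start <= req.local_time <= end:
        found.append("unusual time of day")
    return found

def decide(req, profiles=PROFILES, max_anomalies=1):
    """Return (action, reasons); action is 'allow', 'step_up' or 'deny'."""
    profile = profiles.get(req.user)
    if profile is None or not req.password_ok:
        return "deny", ["invalid credentials"]
    reasons = find_anomalies(req, profile)
    if len(reasons) > max_anomalies:
        return "deny", reasons       # too far from normal, even with MFA
    if not req.mfa_passed:
        return "step_up", reasons    # a password alone is never enough
    return "allow", reasons          # reasons still go to monitoring

if __name__ == "__main__":
    normal = AccessRequest("alice", True, True, "laptop-7f3a", "CA", time(10, 0))
    odd = AccessRequest("alice", True, True, "phone-0000", "BR", time(3, 0))
    print(decide(normal))
    print(decide(odd))
```

Every decision returns its reasons, so even an allowed login from a new device leaves a record that monitoring can analyze.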
Why does it need to be this difficult?
As IT security evolves, so do the techniques criminals rely on. It is a vicious cycle. Here are some examples, both classic and modern, that illustrate why all users online should prepare for a zero-trust world:
Spoofing: Cybercriminals can deceive by appearing as another person or source of information. Crooks can easily learn a lot about you: your birthday, age, address, habits, and likes/dislikes are freely available for anyone to see. People can also research your relatives and previous home addresses and phone numbers. Criminals will use this against you.
Brute force attacks: A commonly used form of attack for cracking passwords, brute force attacks flood an account with combinations of random words until the correct password is discovered. Many consumers still use the same passwords for multiple accounts, so once attackers are into one account, chances are they’re into several.
Credential stuffing: Stolen usernames and passwords from public data breaches are used to log into anything and everything. And with password reuse still so common, if you get one, you get them all.
Social engineering: Human hacking. These are high-pressure tactics, like a friendly voice that calls you and talks about ‘helping’ you with a costly fee that the government will be charging you next year “if you don’t sign up right now.” Even if they don’t get your account information, they’ve still gained information about you – including the fact that you will answer a call from an unknown phone number. Or it may be someone from work pressuring you to urgently send that internal information or you’re in trouble! Take a breath. Nothing is ever so urgent it shouldn’t be verified. Stop and discuss with your colleagues and security team whether something is legitimate or not.
What can we do?
The zero-trust world has already begun. Google will show a notification on your phone if you are logging into Gmail from a different computer than you usually do. Apple will notify your old iPad if you log into iCloud on a new iPhone. Banking apps will want to scan your face or fingerprint every time you open the app or require security software be installed before you can log in.
Zero trust technologies continue to roll out into consumer technology but there are still many platforms and services that aren’t zero trust. It’s important to continue practicing safe cybersecurity habits:
- Use unique passwords that are hard to guess. Change them regularly.
- Keep your devices and router up to date with the latest program version.
- Don’t click unknown spammy links from unusual or suspicious email addresses.
- Be vigilant with your antivirus and spam protection when using every device, every time.
- Back up pictures and valuable documents on a USB thumb drive. Put it in an envelope with a date and take it to a safe deposit box if it is really important information.
Better cybersecurity can become a habit for you and your family if it is practiced every day. Paying attention to what is happening in the world of cybercrime will help protect your valuable information if your devices are ever stolen or accounts are compromised.