Zero Trust Progress: The Best Defense Is a Good Offense

Business as Usual Is No Longer an Acceptable Cyber Defense

As the adage goes, the best defense is a good offense, and in the wake of the latest cybersecurity data breaches of LastPass and Apple, the offense in question is facing deeper scrutiny. According to a NextGov report, most government agencies are ahead of corporations in adopting and implementing zero trust architecture, with 72% of government organizations reported to already be implementing the framework in comparison to just 56% of companies. The data published within this report seems to suggest that businesses view the transition to a zero-trust model as a lower priority and remain slow to act on the change. However, following the news of these recent, high-profile breaches and the release of this report, it seems to be in companies’ best interests to make the leap sooner rather than later. Sai Huda, Chairman and CEO of CyberCatch and a globally recognized risk and cybersecurity expert, says that, given the continuing and increasing cyber-attacks, business as usual is no longer an acceptable cyber defense.

 

Zero Trust: A Journey to Optimal Cyber Security

As the threat landscape continues to evolve, Huda firmly believes that Zero Trust is a vital player in an optimal cyber security program.

“Zero trust is a journey to optimal cyber security. The ultimate objective of zero trust is to have a cyber security program in place that trusts no one and nothing and enforces continuous proofing to keep threat actors out and prevents data theft, ransomware, or other adverse outcomes,” Huda said.

The recent actions taken by federal agencies seem to indicate that they might agree.

President Joe Biden’s 2021 executive order claims that federal agencies have made “tremendous” progress toward implementing the mandated cybersecurity upgrades and that the Cybersecurity & Infrastructure Security Agency (CISA), with the assistance of partner agencies, has worked with the National Institute of Standards and Technology (NIST) to develop an inventory of critical software. This inventory includes placing strict development and security controls on software providers, according to written testimony from Eric Goldstein, executive assistant director for cybersecurity at CISA.

The data highlighted indicates that agencies are making the transition to zero trust more quickly and completely than corporations are, so naturally the question of just how far the government has progressed in these initiatives has come up. According to a data brief published in May 2022, by the end of the fiscal year, more than 50 federal agencies expect to have endpoint detection and response (EDR) technology. These platforms can alert security teams to malicious activity and enable immediate investigation and containment of attacks on endpoints.

 

Current Cybersecurity Strategies

Biden’s executive order comes at a time when most organizations feel unprepared to defend themselves against cyber attacks. Based on the opinions of 400 IT professionals and leaders involved in their company’s cybersecurity strategy, Cybersecurity Dive found that almost one in five organizations is not prepared for a potential ransomware attack. About 15% of respondents said they were unprepared for an attack, either very unprepared or somewhat unprepared. The NextGov report along with the highly publicized data breaches of LastPass and Apple may serve as a signal to companies that it’s time to make the full transition to zero trust.

 

The Impact of Recent Data Breaches

LastPass, a popular password manager used by over 33 million people worldwide, announced a recent data breach through its CEO, Karim Toubba, who wrote that “an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.” Users of the platform were assured by Toubba that their password vaults remained uncompromised, with the company claiming: “We have seen no evidence that this incident involved any access to customer data or encrypted password vaults.”

LastPass hasn’t been immune to hackers before, though: in 2021, it faced a similar conundrum when credential stuffing was reported, putting master passwords and usernames at risk.

In a similar fashion, tech company Apple suffered a recent cyber attack that left the company warning its users of security flaws with the potential for serious exploitation by hackers. If successful, hackers could potentially gain full admin access to devices: the iPhone 6S and later models; several models of the iPad, including the 5th generation and later, all iPad Pro models, and the iPad Air 2; and Mac computers running macOS Monterey.

 

What Can We Learn From This Report?

Why should businesses pay attention to this report? Huda believes that CISA is expected to issue the final zero trust maturity model soon.

“CISA is expected to issue the final zero trust maturity model anytime now. But in the meantime, all federal agencies, federal contractors, and the rest of the supply chain and the industry should implement the prescribed cybersecurity controls and proactively mitigate cyber risk,” Huda said.

“The zero trust maturity model will become the law of the land soon. Thus it is necessary to stay one step ahead of the threat actors and keep our nation and businesses safe.”

Until then, what is his recommendation? Implementing cybersecurity controls and proactively mitigating cyber risk should be a priority for all federal agencies, federal contractors, and all other sectors and supply chains.
