
The Role of Penetration Testing in Optimizing Zero Trust Policies

Introduction

As businesses around the globe thrive thanks to digitalisation, so do the security threats that could undermine daily business operations and cause millions of dollars in losses. Security threats are often assumed to come only from outside the business. In truth, they can originate both from external entities and from insiders such as employees, contractors, and suppliers within your organisation. Insiders have privileged access to sensitive data such as intellectual property and client data, which can be lost, destroyed, or exfiltrated either accidentally or deliberately. Many circumstances can introduce or lead to insider threats. A disgruntled employee, for instance, may choose to destroy or leak sensitive business data as revenge against the organisation’s management. A seemingly innocent office janitor may be bribed into leaving a door unlocked or plugging an unfamiliar device into the back of a PC. An employee facing financial difficulties at home may be tempted into fraudulent activity for personal gain. Home-worker devices may be infected with malware that then spreads throughout the internal corporate network. To date, ransomware has cost businesses millions of dollars in both data loss and reputational damage.

The growing number of companies adopting security measures against these threats suggests that they are aware of their importance. It is equally important to guide companies on how to set those measures up correctly so that they are effective. Most businesses have relied on a castle-and-moat security model, which implicitly trusts anyone inside the company’s defensive perimeter and treats only those outside it as potential threats.

This approach has proven to be a dangerous set-up. Blindly trusting users inside the defence perimeter has resulted in many costly data breaches, since an external attacker who makes it past the perimeter is then free to move laterally throughout the network.


Which approach is most suitable?

Zero trust: “never trust, always verify.”

What is the best approach to reduce the likelihood of both external and internal threats? Zero Trust is a security strategy that eliminates implicit trust and continuously validates users at every stage of their interaction with internal system resources. Under Zero Trust, every access request is treated as potentially malicious and must therefore be validated continuously.

Zero Trust architecture is built around one primary goal: to reduce a network's attack surface, prevent lateral movement of threats, and lower the risk of a data breach.


What is needed to implement Zero Trust?

Several key factors need consideration during the planning stage to ensure adequate coverage and effectiveness. The key step towards a successful Zero Trust implementation is to define the attack surface, that is, to identify the key or critical areas that need to be protected. This also prevents an organisation from being overwhelmed by policy implementation and from deploying security tools unnecessarily across the entire network.

Definitions:


  • Sensitive information/data

Sensitive data is confidential information that must be secured and kept out of reach of anyone who has not been granted permission to access it. This includes the personally identifiable information (PII) of customers and employees, as well as proprietary business information you do not want to fall into the wrong hands.

  • Physical assets

Physical assets include servers, IoT devices and any other network appliances that make up the infrastructure on which the business runs. Securing physical assets is just as important as securing digital assets. If left unchecked, critical physical assets can be accessed by malicious actors intent on causing harm, so access to them must be restricted and governed by a strict access policy.

  • Critical applications

These are the applications that play a key role in an organisation’s crucial business operations, for example financial applications that process thousands of transactions daily.

  • Other services

These include the technical functions of your infrastructure that support the day-to-day work of employees and executives, as well as those that facilitate customer sales and interactions.


Basic Example of Zero-Trust Model

Authentication and authorisation at each access point is the primary line of defence. Every time a user or device makes a connection, its access rights must be verified through the verification process defined by the Zero Trust policy before it is allowed onto the network and its assets.


Other requirements for an effective Zero Trust model:

  • Only secure, authorised connections, such as those made over a VPN, are allowed to reach internal resources. A VPN provides a secure pathway or tunnel from one endpoint to another, so that access is granted only to the appropriate users.
  • It is safe practice to give users only low-level privileges at the outset and to grant higher access rights only through a strict process when they are required to perform specific tasks.
  • Network monitoring is crucial for identifying anomalies and suspicious activity.
  • Implement authentication mechanisms at every level of access.


Challenges in Implementing Zero Trust

Zero Trust implementation requires an understanding of the common obstacles, which include complicated network infrastructure, the effort and costs involved, and the need for flexible software solutions.

It is important to acknowledge that complex network infrastructure comprises servers, databases, and applications, spanning both legacy and modern technology. These do not necessarily run on-premises but may also run in the cloud. Securing each segment of your network, while meeting the needs of a cloud or on-premises environment, can raise a number of obstacles.

Deciding how to segment the network infrastructure and who should be allowed access to which resources requires careful thought and collaboration. To ensure effective authorisation and verification, you need to find the best ways to verify the legitimacy of each user and device before it is granted access. Assigning staff to get this done efficiently often incurs significant costs, particularly if you do not have a system that, by design, integrates well with your environment.

The flexibility of the software that runs the system is key to successfully implementing Zero Trust. You may have to incorporate several micro-segmentation tools, identity-aware proxies, and software-defined perimeter (SDP) tools. Without flexible software, you may have to purchase redundant systems to protect every element of your environment, driving up unnecessary costs.


Penetration Testing to Assess Zero Trust Effectiveness

Penetration testing is a way to test and validate your existing security controls. Findings from penetration testing are flagged according to their severity level. Companies can use the identified issues to decide which aspects of Zero Trust they should focus on, especially those that could have a significant impact on the business.

Penetration testing also provides feedback on the effectiveness of the Zero Trust policy, so that existing policy can be reviewed and enhanced where needed. For example, protecting critical areas with only a username and password is not sufficient. The test can identify this issue and recommend an additional layer of security, such as multi-factor authentication (MFA), as a validation mechanism to mitigate brute-force attacks that could otherwise allow malicious actors to gain unauthorised access.
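To make the policy described in the "Basic Example" section and the MFA finding above concrete, here is a small deny-by-default policy decision function written for this article (it is example code, not a ProCheckUp tool or any vendor's API). It assumes a hypothetical inventory of critical resources, the roles "user" and "admin", and request fields for device posture, MFA status and an approved privilege elevation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed inventory for the example: resources treated as "critical areas"
# (these require MFA) and the minimum role each action needs. Names are hypothetical.
CRITICAL_RESOURCES = {"payments-api", "hr-records"}
ROLE_FOR_ACTION = {"read": "user", "write": "user", "admin": "admin"}
ROLE_RANK = {"user": 1, "admin": 2}

# Every decision, allowed or denied, is recorded so monitoring can spot anomalies.
AUDIT_LOG: List[Tuple[str, str, str, bool, str]] = []


@dataclass
class AccessRequest:
    user: str
    role: str                  # role the session starts with (keep this low)
    device_compliant: bool     # device passed its posture check
    mfa_verified: bool         # session completed a second factor
    resource: str
    action: str
    elevation_approved: bool = False  # strict process approved a higher role for this task


def _evaluate(req: AccessRequest) -> Tuple[bool, str]:
    if not req.device_compliant:
        return False, "device failed posture check"
    needed: Optional[str] = ROLE_FOR_ACTION.get(req.action)
    if needed is None:
        return False, "unknown action"  # deny by default
    if req.resource in CRITICAL_RESOURCES and not req.mfa_verified:
        return False, "critical resource requires MFA"
    # Elevation grants exactly the role the task needs, nothing more.
    effective_rank = ROLE_RANK[needed] if req.elevation_approved else ROLE_RANK[req.role]
    if effective_rank < ROLE_RANK[needed]:
        return False, f"action '{req.action}' needs role '{needed}'; elevation not approved"
    return True, "allowed"


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Evaluate one request from scratch: nothing is carried over from earlier requests."""
    allowed, reason = _evaluate(req)
    AUDIT_LOG.append((req.user, req.resource, req.action, allowed, reason))
    return allowed, reason


def denial_count(user: str) -> int:
    """Simple monitoring hook: repeated denials for one identity are worth investigating."""
    return sum(1 for u, _, _, ok, _ in AUDIT_LOG if u == user and not ok)
```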

Are you concerned about the security of your organization's sensitive information? At ProCheckUp, we offer top-notch penetration testing services to help identify vulnerabilities in your system and ensure the security of your data. We understand that implementing Zero Trust is crucial, but it's not a one-size-fits-all solution. That's why we take the time to understand your business and design a customized plan that aligns with your business goals and risk tolerance.

Visit our website at https://procheckup.com/ to learn more about our services and how we can help you protect your organization's valuable information.

