Last summer, law enforcement officials contacted both Apple and Meta, demanding customer data in “emergency data requests.” The companies complied. Unfortunately, the “officials” turned out to be hackers affiliated with a cyber-gang called “Recursion Team.”
Roughly three years ago, the CEO of a UK-based energy company got a call from the CEO of the company’s German parent company instructing him to wire a quarter of a million dollars to a Hungarian “supplier.” He complied. Sadly, the German “CEO” was in fact a cybercriminal using deepfake audio technology to spoof the other man’s voice.
One set of criminals was able to steal data, the other, money. And the reason was trust. The victims’ source of information about who they were talking to was the callers themselves.
What is zero trust, exactly?
Zero trust is a security framework that doesn’t rely on perimeter security. Perimeter security is the old and ubiquitous model that assumes everyone and everything inside the company building and firewall is trustworthy. Security is achieved by keeping people outside the perimeter from getting in.
A UK doctoral student at the University of Stirling named Stephen Paul Marsh coined the phrase “zero trust” in 1994. (Also called “de-perimeterization,” the concept was later fleshed out in guidelines such as Forrester’s Zero Trust eXtended, Gartner’s CARTA and NIST 800-207.)
Perimeter security is obsolete for a number of reasons, but mainly because of the prevalence of remote work. Other reasons include mobile computing, cloud computing and the increasing sophistication of cyberattacks generally. And, of course, threats can come from the inside, too.
In other words, there is no network edge anymore — not really — and even to the extent that perimeters exist, they can be breached. Once hackers get inside the perimeter, they can move around with relative ease.
Zero trust aims to fix all that by requiring each user, device, and application to individually pass an authentication or authorization test each time they access any component of the network or any company resources.
Technologies are involved in zero trust. But zero trust itself is not a technology. It’s a framework and, to a certain extent, a mindset. We tend to think of it as a mindset for network architects and security specialists. That’s a mistake; it needs to be the mindset of all employees.
The reason is simple: social engineering is a non-technical hacking of human nature.
Why only zero trust can beat social engineering
One basic approach to applying zero trust to the challenge of social engineering attacks is old and familiar. Let’s say you get an email that claims it’s from the bank and says there’s a problem with your account. Just click here to enter your username and password and resolve the problem, it says. The right way to handle this situation (if you’re not sure) is to call the bank and verify.
In any kind of social engineering attack, the best practice is to never use the access method provided to you, but to get your own. Don’t use the person contacting you as your source of information about who is contacting you. Verify independently always.
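The “get your own access method” rule above can be written down as a policy check rather than left to judgment in the moment. The following is an added example, not code from the article, and it assumes a hypothetical internal directory of record (the constructed `DIRECTORY` table) that holds the contact details the organization itself trusts. For any sensitive request, the plan it produces uses only the directory’s callback number, never the number, link or address the requester supplied, and it flags a mismatch between the two as a likely spoof.

```python
"""Out-of-band verification planner for inbound requests.

Added example, not from the original article. It assumes a hypothetical
directory of record (DIRECTORY, constructed sample data) keyed by the
identity a requester claims. The rule enforced is the one in the text:
never verify through the channel or contact details the requester gave
you; resolve the contact yourself from a source you control.
"""
import re
from dataclasses import dataclass, field

# Constructed sample directory of record: the only trusted source of contact details.
DIRECTORY = {
    "first national bank": {"phone": "+1-555-0100", "domain": "firstnational.example"},
    "parent company ceo":  {"phone": "+49-555-0199", "domain": "parent.example"},
    "county sheriff":      {"phone": "+1-555-0150", "domain": "sheriff.example"},
}

# Requests that are never acted on from the inbound message alone.
SENSITIVE_ACTIONS = {
    "transfer funds", "provide password", "change password", "open attachment",
    "click link", "grant building access", "release customer data",
}


@dataclass
class InboundRequest:
    claimed_identity: str
    action: str
    channel: str               # "email", "phone", "video", ...
    supplied_contact: str = "" # phone number or e-mail address the requester offered


@dataclass
class VerificationPlan:
    verify: bool               # True: do not act until verified out of band
    callback: str = ""         # directory number to call back on; never the supplied one
    escalate: bool = False     # claimed identity unknown to the directory
    suspicious: bool = False   # supplied contact contradicts the directory
    reasons: list = field(default_factory=list)


def _digits(s: str) -> str:
    """Normalize a phone number to its digits so formatting differences do not matter."""
    return re.sub(r"\D", "", s)


def _contact_matches(supplied: str, entry: dict) -> bool:
    """Compare a requester-supplied contact with the directory entry (e-mail by domain, phone by digits)."""
    supplied = supplied.strip().lower()
    if "@" in supplied:
        return supplied.rsplit("@", 1)[1] == entry["domain"]
    return _digits(supplied) == _digits(entry["phone"])


def plan_verification(req: InboundRequest) -> VerificationPlan:
    """Decide how an inbound request must be verified before anyone acts on it."""
    plan = VerificationPlan(verify=req.action.lower() in SENSITIVE_ACTIONS)
    if not plan.verify:
        plan.reasons.append("not a sensitive action; handle normally")
        return plan

    entry = DIRECTORY.get(req.claimed_identity.strip().lower())
    if entry is None:
        # Unknown claimant: nobody in the directory to call back, so a human must escalate.
        plan.escalate = True
        plan.reasons.append("claimed identity not in directory of record; escalate, do not act")
        return plan

    # The callback always comes from the directory, regardless of what the requester sent.
    plan.callback = entry["phone"]
    plan.reasons.append(
        f"hang up / do not reply on {req.channel}; call back on directory number {entry['phone']}"
    )
    if req.supplied_contact and not _contact_matches(req.supplied_contact, entry):
        plan.suspicious = True
        plan.reasons.append("requester-supplied contact does not match directory; treat as spoofed")
    return plan


if __name__ == "__main__":
    # The two incidents from the article, modelled as constructed requests.
    for req in (
        InboundRequest("Parent Company CEO", "transfer funds", "phone", "+49-555-0123"),
        InboundRequest("County Sheriff", "release customer data", "email", "urgent@sheriff-requests.example"),
        InboundRequest("First National Bank", "click link", "email", "alerts@firstnational.example"),
    ):
        print(req.claimed_identity, "->", plan_verification(req))
```

The point of the design is that `callback` can only ever be populated from `DIRECTORY`; a requester cannot influence it, which is exactly the property the text asks employees to enforce by hand.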
In the past, it has been easy to spoof an email. We’re facing an immediate future where it will be just as easy to fake live voice and video.
Beyond email spoofing, organizations can be attacked by phishing, vishing, smishing, spear phishing, snowshoeing, hailstorming, clone phishing, whaling, tabnabbing, reverse tabnabbing, in-session phishing, website forgery, link manipulation, link hiding, typosquatting, homograph attacks, scareware, tailgating, baiting, DNS spoofing, and many others. Your zero-trust training should make employees intimately familiar with all these attack types. Simple knowledge of the many dastardly methods for tricking humans into allowing unauthorized access helps them understand why zero trust is the answer.
In his excellent 2011 book, “Ghost in the Wires,” former superhacker Kevin Mitnick describes one of his most effective social engineering techniques: You see employees outside of a building about to go in, and you simply follow them through the door with the confidence of someone who belongs there. Employees universally read that confidence as all the verification they need to hold the door open for a stranger.
When Apple and Meta were contacted by fake law-enforcement officers, they should have taken down the details of who callers claimed to be, hung up the phone, and called the agency to verify.
When that UK CEO was contacted by someone claiming to be the CEO of the parent company, the policy should have been a return call and not a transfer of funds based on the initial call.
How to embrace zero trust for social engineering
The good news is that while many companies haven’t implemented zero trust, or even developed a zero-trust roadmap, applying it against social engineering can begin right away.
Find a way to authenticate each participant in audio or video meetings.
In other words, through changes in training, policy, and practice, any incoming communication that requests something — transfer funds, provide a password, change a password, click on an attachment, click on a link, let someone into the building — needs to be verified and authenticated — both the person and the avenue for the request.
Nearly all social engineering attacks involve the malicious actor gaining the trust of a person with access, and then abusing that access.
The challenge in using training and security culture to inspire a zero-trust mindset in all employees is that people themselves like to be trusted. People get offended when told: “Let me verify you first.”
That should be the biggest part of the training: Getting employees and business leaders to insist upon not being trusted. You can’t just rely on people not to trust — you have to get people to insist on not being trusted themselves.
If a senior leader sends an attachment to a subordinate, and the subordinate simply downloads and opens it without an additional step of verification (say, calling and asking), that should be seen by the leader as a serious breach of security practices.
Culturally, most companies are miles away from embracing this practice. And that’s what needs to be repeated a thousand times: Zero-trust authorization of everything is for the trustworthy and untrustworthy alike.
With so many workers now scattered between the office, at home, in other states or even in other nations, it’s time for a radical reset — a zero-trust revolution, if you will — in how we interact with each other in everyday business communication.