Trust No One and Trust No IoT Device: A Sound Approach to Enterprise Cybersecurity

March 9, 2020
The Zero Trust Network is fast becoming a standard among CISOs

As a chief security officer charged with overseeing the physical security of an enterprise, who do you trust? Among those who are responsible for video surveillance, access control and the network these systems sit on, a trend is emerging. Increasingly, chief security officers trust no one.

From a cybersecurity perspective, this is a sound approach. Trust No One. The very best IT departments prepare for a situation where any threat actor—be it a nation-state, black hat hacker, or one of your employees—might compromise your network. It's worth noting that internal threats are a very real concern for enterprises. According to IBM, “Insider threats account for 60 percent of cyber-attacks, and they are incredibly difficult to detect.”

How might an employee or an IoT computer—such as a video surveillance camera—be a conduit for a cybersecurity breach? Consider the enterprise environment. Is the network properly segmented? Can general employees get to servers used by HR or Accounting? Are your video surveillance cameras or other IoT devices on the same network as critical infrastructure?

If you answered “yes” to any of the above, you need to take a critical look at your network and digital assets. Network segmentation is the first and most critical line of defense. Even external threat actors will likely launch an attack from within your network. Rather than trying to break into firewalls, the external attacker will target your employees in a phishing attack to gain remote access to workstations on your network. Once inside, attackers pivot and explore the network searching for targets to attack. As you can see, most cyberattacks are launched from within the target’s network.

So how do you defend against this? There is an architecture, called the Zero Trust Network, that treats the internal network of an organization as a hostile environment by trusting no one. Created in 2010 by John Kindervag, the former principal analyst at Forrester Research, the Zero Trust Network is based on the concept that all company internal networks are not trustworthy and should be treated as untrusted. Access is only given to devices that need to communicate with each other.

In this CSOOnline story published in 2017, Chase Cunningham, a principal analyst at Forrester Research, says if he gets 20 calls a day, 17 are about Zero Trust. “CISOs, CIOs and CEOs are all interested, and companies of various sizes are interested.” Cunningham predicted that by 2020, Zero Trust “will be cited as one of the big-time frameworks in cybersecurity. Period.”

The article summarizes the Zero Trust approach this way: “It calls for enterprises to leverage micro-segmentation and granular perimeter enforcement based on users, their locations and other data to determine whether to trust a user, machine or application seeking access to a particular part of the enterprise.”

It takes a considerable amount of time and money to deploy a Zero Trust Network, but in the meantime, there are steps you can take to better secure your network.

  • Network Segmentation: Group your systems into functional networks. Put all HR, Accounting and Guest devices on separate networks. Segmenting reduces the risk of an internal attack. If a device is compromised, it will only have access to devices on its own network, thereby isolating that threat.
  • Make sure all employees know how to identify and report phishing attacks.
  • See Something, Say Something. Educate employees to report anomalies, both physically and digitally.
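To make the segmentation step and the “granular perimeter enforcement based on users, their locations and other data” idea concrete, here is an added example of a default-deny access policy evaluator. It is illustrative code written for this page, not Hikvision's or Forrester's, and the segment names, address ranges, roles and rules are all constructed assumptions: a camera segment may only reach the video management servers on RTSP, HR staff may only reach HR systems from campus, and everything not explicitly allowed is denied.

```python
"""Toy zero-trust segmentation policy: deny by default, allow only explicit flows.

Segments, addresses, roles and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

# Hypothetical address plan: one subnet per functional segment.
SEGMENTS = {
    "hr":         ipaddress.ip_network("10.10.0.0/24"),
    "accounting": ipaddress.ip_network("10.20.0.0/24"),
    "guest":      ipaddress.ip_network("10.30.0.0/24"),
    "cameras":    ipaddress.ip_network("10.40.0.0/24"),  # IoT video surveillance
    "vms":        ipaddress.ip_network("10.50.0.0/24"),  # video management servers
    "staff":      ipaddress.ip_network("10.60.0.0/24"),  # general workstations
}


def segment_of(ip: str) -> Optional[str]:
    """Map an address to its segment, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


@dataclass(frozen=True)
class Principal:
    """The user or device asking for access, plus the context used to judge it."""
    identity: str
    ip: str
    role: str          # e.g. "hr", "finance", "security-ops", "none"
    location: str      # e.g. "campus", "remote"
    posture_ok: bool   # device health/patch check passed


@dataclass(frozen=True)
class Rule:
    """One explicitly allowed flow; empty role/location sets mean 'any'."""
    src_segment: str
    dst_segment: str
    port: int
    roles: frozenset = frozenset()
    locations: frozenset = frozenset()


# Hypothetical allowlist. Anything not listed here is denied.
POLICY = [
    Rule("cameras", "vms", 554),                                             # RTSP video to VMS only
    Rule("staff", "hr", 443, roles=frozenset({"hr"}),
         locations=frozenset({"campus"})),                                   # HR apps, on campus only
    Rule("staff", "accounting", 443, roles=frozenset({"finance"})),
    Rule("staff", "vms", 443, roles=frozenset({"security-ops"})),            # VMS console for SOC staff
]


def evaluate(src: Principal, dst_ip: str, port: int) -> Tuple[bool, str]:
    """Decide whether src may reach dst_ip:port; returns (allowed, reason)."""
    if not src.posture_ok:
        return False, "device posture check failed"
    src_seg, dst_seg = segment_of(src.ip), segment_of(dst_ip)
    if src_seg is None or dst_seg is None:
        return False, "address outside any known segment"
    # Plain segmentation as described in the article: a device keeps access to
    # its own segment. Micro-segmentation would remove even this shortcut.
    if src_seg == dst_seg:
        return True, f"intra-segment traffic within '{src_seg}'"
    for rule in POLICY:
        if (rule.src_segment, rule.dst_segment, rule.port) != (src_seg, dst_seg, port):
            continue
        if rule.roles and src.role not in rule.roles:
            return False, f"role '{src.role}' not permitted by rule"
        if rule.locations and src.location not in rule.locations:
            return False, f"location '{src.location}' not permitted by rule"
        return True, f"allowed {src_seg}->{dst_seg}:{port}"
    return False, f"no rule allows {src_seg}->{dst_seg}:{port} (default deny)"


if __name__ == "__main__":
    # Constructed sample requests: a lobby camera and an HR employee's workstation.
    camera = Principal("cam-lobby-01", "10.40.0.17", "none", "campus", True)
    hr_user = Principal("alice", "10.60.0.33", "hr", "campus", True)
    for who, dst, port in [(camera, "10.50.0.5", 554), (camera, "10.10.0.8", 445),
                           (hr_user, "10.10.0.8", 443)]:
        print(who.identity, dst, port, evaluate(who, dst, port))
```

The point of the shape is that a compromised camera on the "cameras" segment can still only talk to the VMS on the one port it needs; a request from it toward an HR file server has no matching rule and fails closed, and the reason string is what you would want to log and alert on.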

As the threat landscape continues to morph, it’s reassuring to see CSOs adopting a Trust No One approach to cyberdefense. Learn more about this architecture at https://cloud.google.com/beyondcorp/.

About the Author: Chuck Davis, MSIA, CISSP-ISSAP is Senior Director of Global Cybersecurity for video surveillance provider Hikvision. Davis is a former Executive Security Architect for IBM, where he managed the global malware defense and vulnerability management programs. He also served as Manager of Global Cyber Defense for the Hershey Company. Davis has seven US patents, three patents-pending, and 10 invention disclosures. He is also an adjunct professor at the University of Denver, where he teaches master's level courses in ethical hacking and computer forensics.