During a preview of this year’s Republic of South Africa conference, a team from Orange Cyberdefense demonstrated a range of pretty scary scenarios of what can happen when malicious actors take control of a user’s home router.
These range from duping users into downloading payloads dressed up as fake VPN software updates, capturing user’s credentials or redirecting traffic that should be going over the VPN to the threat actor.
Typically, home routers are outside of the enterprise security control and often not very well protected. The majority of people trust their ISP to set up their home access points for them, frequently resulting in default settings such as admin/admin credentials. Home routers are frequently attacked by criminal and state actors alike.
Despite the easing of lockdown restrictions, many people are still working from home and will do so for the foreseeable future – connecting to the internet and their corporate networks via their private home routers and Wi-Fi access points.
The increasing complexity of delivering services to this highly distributed user base, many of which connect via untrusted devices, coupled with an evolving threat landscape, is highlighting the importance of Zero Trust security.
Zero Trust is a security model based on a set of design principles that assumes that a breach is inevitable or has likely already occurred. Zero Trust architectures limit access to only what is needed, repeatedly check whether users, devices, services or network components should be trusted and monitor for malicious or abnormal activity.
It is more than just a technology architecture though; it is a long-term philosophy and requires a mindset change amongst everyone involved. To succeed, it is essential to create a security culture that embraces Zero Trust.
This means broadening the conversation and explaining Zero Trust principles to business leaders, IT administrators and general users.
Trust is an important component of doing business, so the context of Zero Trust has to be explained in a positive way. It is not about not trusting individuals, but rather about reducing the potential likelihood and limiting the impact of a breach as well as damage control, if, or when devices, networks or identities are compromised.
To effectively mature your security culture, you have to positively influence it. People generally want to do the right thing, but instilling fear and uncertainty does not empower them. You have to inspire trust in order to succeed with Zero Trust.
This means creating a security culture program that not only raises awareness for the importance of security and Zero Trust concepts, but enables people to take responsibility for their participation in the security program. For example, educate your employees on how to spot, report and get help when they see suspicious activity, to be extra vigilant of social engineering attacks while working from home, and the necessity of reducing their privileges as part of the Zero Trust roll out.
- A Tell opinion / Anna Collard