Contactless Technology Attacks Threaten Individuals, Businesses
… four days, Kilyusheva said. In one case, the hacker needed only 30 minutes, she said.
“In most cases, attack complexity was low, meaning that the attack was within the capabilities of a hacker with basic skills,” she said. “At 71% of companies, there was at least one easy penetration vector.”
Many attack vectors involve exploitation of known security flaws, Kilyusheva said. So it’s necessary to observe the general principles of information security to protect the network perimeter, she said.
“The management of the company should understand what incidents of information security are unacceptable for them and put emphasis in protection on key business risks,” she said. “In turn, in order to provide information security services most efficiently, the MSSP needs to have a good understanding of the infrastructure and business processes of the customer, and clearly understand which customer systems are critically important for the business.”
MSSPs should help the client build protection to ensure the continuity and security of the systems, Kilyusheva said.
“The MSSP should provide protection services based on modern technical means that allow identifying the latest techniques of intruders,” she said. “For example, to protect web applications, you should use a modern web application firewall (WAF) that allows you to identify exploitation of not only known vulnerabilities, but also zero-day vulnerabilities. And in the work of the security operations center (SOC), you cannot do without a whole set of reliable tools, such as security information and event management (SIEM), network traffic analysis (NTA) and sandboxes, which together allow you to get the most complete picture of what is happening in the infrastructure, both at the endpoints and in network traffic, and therefore notice and stop the attack in time.”
Organizations Not Prioritizing Zero Trust
A new report by Illumio shows most IT and security professionals still have a long way to go in implementing zero trust in their cybersecurity plans.
Users continue to move off campus networks to a distributed work-from-home model and face new and expanding threat vectors. Organizations must quickly adopt the zero-trust security mindset of “never trust, always verify.” This mitigates the spread of breaches by limiting access and preventing lateral movement, Illumio said.
About half of those surveyed find zero trust to be critical to their organizational security model. Only 2% of business leaders believe zero trust is nonessential for their enterprise security posture.
Only 19% of those who find zero trust to be very important to their security have fully or widely implemented their plan. More than one quarter of these have started their zero-trust planning or deployment process. In short, all but 9% of the organizations surveyed are in some way working toward achieving zero trust.
Matt Glenn is Illumio’s vice president of product management.
“The biggest difficulty in adopting zero trust is time,” he said. “Zero trust is not a product, but a strategy – default deny – only allow what should be allowed. To achieve zero trust, leaders need to understand that it is a journey that will make their organizations safer and ultimately more efficient. However, it is not a light switch that is simply flicked on by buying one product. Yes, there are products that solve many of the pillars of zero trust, but ultimately adopting those solutions takes time. So setting internal expectations is important.”
The biggest barrier to adopting zero trust is cost, Glenn said.
“Nearly 30% of our survey respondents told us they won’t have enough budget to pursue additional technologies,” he said. “And 20% shared that their teams simply aren’t big enough to support another new technology.”
Illumio asked which technologies companies have implemented on their journey to achieve zero trust. Solutions with a lower barrier to entry, like multifactor authentication (MFA) and single sign-on (SSO), are more widely adopted.
Still, one in three respondents (32%) have adopted campuswide segmentation. Another 30% have incorporated software-defined perimeter (SDP) technologies. And 26% are leveraging microsegmentation, a key zero-trust technology for preventing the lateral movement of attackers.
“There’s no single solution that can enable an organization to achieve zero trust in one fell swoop,” Glenn said. “MSSPs and other cybersecurity providers can start by educating organizations on the value of adopting zero trust and helping them map out a realistic plan to get there quickly. Partners that have intimate relationships with their customers can be part of the team that maps out a zero-trust strategy and recommend solutions that help fill in gaps.”
And if an organization doesn’t have a big enough team, that is an opportunity for an MSSP, he said. They can provide solutions to customers that ensure they don’t have to add additional staff.