ZeroTrust deep dive
Apr 24th, 2019 by Jesper Kråkhede
What is ZeroTrust? The name has its root in Jericho 2.0 (see the books downloadable from this blog here) and can be roughly translated to: ‘You can never know who roams your network, so verify all access all the time. Never trust what you can't verify.’ The implications of this affect the way we design our solutions, networks, access controls, yes, our entire security setup.
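To make the principle concrete, here is an added example (not code from the original post) contrasting a perimeter-style access decision with a zero-trust one. It assumes a hypothetical HMAC-signed session token, a device-health signal from an assumed endpoint agent, and a constructed group/resource policy; the point is that the zero-trust decision never consults the source network and re-verifies identity, device state and authorisation on every request.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed signing key for the example; a real deployment would keep this in a KMS/HSM.
SIGNING_KEY = b"example-signing-key-not-for-production"
TOKEN_LIFETIME_S = 300  # short lifetime forces frequent re-verification


def issue_token(subject: str, device_id: str, now: float) -> str:
    """Issue a short-lived, HMAC-signed token binding a user to a device (hypothetical format)."""
    claims = {"sub": subject, "dev": device_id, "exp": now + TOKEN_LIFETIME_S}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + sig


def verify_token(token: str, now: float) -> Optional[dict]:
    """Return the claims only if the signature is valid and the token is unexpired."""
    try:
        body_hex, sig = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    claims = json.loads(body)
    if claims["exp"] <= now:
        return None
    return claims


@dataclass
class Request:
    source_ip: str
    resource: str
    token: Optional[str]
    device_healthy: bool  # posture signal from an assumed device-management agent


# Perimeter model: anything arriving from the internal address range is trusted.
def perimeter_allows(req: Request) -> bool:
    return req.source_ip.startswith("10.")


# Zero-trust model: network location is ignored; every request must carry a
# verifiable identity, originate from a healthy device and match a resource policy.
POLICY = {"payroll": {"finance"}, "wiki": {"finance", "engineering"}}  # constructed
GROUPS = {"alice": "finance", "bob": "engineering"}  # constructed directory


def zero_trust_allows(req: Request, now: float) -> bool:
    claims = verify_token(req.token, now) if req.token else None
    if claims is None or not req.device_healthy:
        return False
    allowed_groups = POLICY.get(req.resource, set())
    return GROUPS.get(claims["sub"]) in allowed_groups


if __name__ == "__main__":
    now = 1_700_000_000.0
    token = issue_token("bob", "laptop-1", now)
    inside_no_identity = Request("10.1.2.3", "payroll", None, True)
    print("perimeter:", perimeter_allows(inside_no_identity))        # True
    print("zero trust:", zero_trust_allows(inside_no_identity, now))  # False
```

The first request in the usage block is exactly the case the post warns about: a machine on the internal network with no verified identity is waved through by the perimeter model and refused by the zero-trust policy, while a properly authenticated user on a healthy device is admitted from any address.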
If we go back to how security was normally addressed, we had an authentication system managing the ‘logons’, we probably had antimalware of some kind, but the most intricate security functions were on firewalls, IDS/IDP systems, MAC protection, etc. The whole goal was to put as many barriers in front of the network as possible, making it impossible to penetrate. This made sense at the time because malware used network vulnerabilities to spread, and as updates to operating systems and applications were seldom applied, at least not with the speed one would have hoped for, relying on network security was the thing to do.
But changes happened. On 4 May 2000 we all felt loved when ILOVEYOU started spreading around the world. I remember this as I was at a customer site when it struck them and the network security admin came running into the server room and pulled the plug on the Exchange server. This was not the first attack of its kind, but it showed the vulnerabilities of relying on network security. This worm used user interaction to trigger: it was a simple Visual Basic script and it utilised a standard application to spread itself. It bypassed all the standard network security functions, hence the attack became widespread and created a need for network filtering on a protocol level. So all traffic was to be inspected before being allowed through. This of course raised challenges and created chokepoints, not to mention the cost and the need for updates. Outsourcing the service to an external provider that could apply faster updates and use bigger hardware quickly became the solution.
Moving forward, the hackers saw that tricking the user was the easiest way to circumvent all network protection, and phishing was born. With phishing came the possibility of tricking the user into giving out their credentials. Soon came the possibility of remote control of the computers, and finally the weaponizing of hash harvesting. Network security has died.