Blog

Password attacks on Microsoft highlight the need for Passwordless Zero Trust Systems

Nobelium, the hackers behind the SolarWinds hack, have struck again. The hacking group, linked to Russia’s Foreign Intelligence Service by U.S. authorities, attacked Microsoft customer support systems. They installed malicious information-stealing software into Microsoft’s systems and then used that stolen data to attack Microsoft customers. While Microsoft reports that most of the attacks on its customers were unsuccessful, at least three of its customers were compromised by the hack.
 

This attack is one of many supply chain attacks. In supply chain attacks, hackers attack technology companies to get access to their large customer bases.They may also attack smaller companies to use those smaller companies as backdoors into the networks of the larger, better protected companies that they provide products and services to.
 
These hacks are becoming more and more common, and they’re costly financially, reputationally, and in terms of intellectual property. Modern cybercriminals are resourceful, inventive, and highly skilled. They’re persistent and opportunistic, looking for victims anywhere in the world. Traditional perimeter defense-based systems have been proven, time and time again, to be inefficient against these bad actors. Building taller and taller walls to keep hackers out does nothing more than buy a little extra time. The next attack remains inevitable.
 

What are Zero Trust Systems?

Zero Trust systems are the only way to prevent future attacks. President Biden, the National Security Agency, and the Department of Defense have all made major public statements encouraging companies to move from traditional perimeter defense-based systems to Zero Trust systems. Policy is shifting for federal contractors such that Zero Trust is quickly becoming not just an option, but the regulation standard. Other industries must follow suit to protect their financial interests, intellectual property, and reputations.
 
Zero Trust flips legacy defense paradigms on their heads. Instead of focusing all efforts on keeping hackers out of networks, when hackers have proven that they’ll inevitably find a way in, Zero Trust protects data even in the case of a network breach.
 
Zero Trust systems provide security with exactly that, zero trust in any node. They eliminate any single points of failure. There are a few principles that together make up a secure zero trust system.

Don’t Rely on Servers

First, Zero Trust systems don’t trust servers. Instead, they use end-to-end encryption to protect data even in the case of a server breach.
 
End-to-end encryption means that data is encrypted at all times, not just in transit and at rest. The unencrypted data is only ever visible to the sender and recipient, never to the server. If a hacker successfully hacks into the server, they will see nothing but gibberish. The hack is thwarted and data exfiltration is prevented.

Don’t Trust Passwords

Second, Zero Trust systems don’t trust passwords. Instead, they grant account access using secret encryption keys.
 
Passwords are inherently vulnerable. People often reuse passwords or use common, guessable passwords. Even longer, ‘random’ passwords can be stolen, guessed, or cracked with the aid of modern computing programs. Forrester estimates that at least 80% of data breaches involve compromised privileged credentials, such as passwords.
 
Encryption keys are unguessably long, completely random strings of characters that cannot be cracked with modern computational abilities. There are as many randomly ordered characters in an encryption key as there are atoms in the galaxy. Even the strongest super computer cannot run sequences quickly enough to guess an encryption key.
 
In addition to providing unrivaled access security, encryption keys improve usability. Users no longer have any passwords to remember or keep track of. There’s no tradeoff to be made between security and convenience. The most secure solution is also the easiest one to use.

Don’t Trust Administrators

Third, Zero Trust systems don’t trust administrators. Instead, they have approval groups. Distributed trust through approval groups protects networks against the threat of a compromised or rogue IT administrator.
 
Humans are fallible. IT administrators are no exception. If there is a single all-powerful administrator with the ability to view all network data, grant account access, or carry out any number of other privileged activities, they become a natural target of bad actors. All it takes is one poor cyber hygiene decision, one moment of sloppiness, and your entire network can be compromised. Administrators can also go rogue, bringing down your network as an inside job.
 
Approval groups use the same principle of distributed trust that’s used to protect nuclear launch codes. Rather than a single all-powerful administrator, a group of users must all come together and agree in order for a privileged action to be taken. In order to compromise the network, an attacker would have to successfully compromise each and every member of the approval group at the exact same time.

Only Communicate with a Trusted Community

Fourth, Zero Trust systems don’t trust anonymous communicators. Instead, they limit communications to trusted communities of pre-approved communication partners. This protects your network against phishing and spoofing attacks.
 
With traditional email, anyone anywhere in the world can email you. Sophisticated social engineering can trick otherwise savvy internet users into accidentally trusting the wrong person. The results can be disastrous.
 
With trusted communities, only those individuals whom you pre-approve to communicate with you and your team can reach you. If you get an email from your accountant or financial advisor, you can be sure that the email really comes from that individual and not from a bad actor donning their identity. Phishing and spoofing attacks are impossible and you have the assurance of knowing exactly who you are communicating with at all times.

Maintain Oversight on Your Network

Finally, Zero Trust systems make it easy to maintain oversight over what is happening in your network. The SolarWinds attack was such a success because hackers were able to hide in the network and carry out malicious actions undetected. Tamper-proof event logging would have allowed the hackers to be detected much earlier, mitigating the damage they could do.
 
Tamper-proof event logging means that if an attacker manages to install malicious software in your system, you’ll be able to clearly see that they’ve done so. You can launch an incident response effort and boot them out before they’re able to do any real damage. You don’t have to worry about having sleepers in your system, biding their time as they wait for the perfect opportunity to wreak havoc. Instead, you know exactly what is going on in your system at all times.
 
Zero Trust systems are unquestionably needed to protect corporate data against the cunning of modern hackers. But even the best technology is only useful if it’s accessible. The SolarWinds attack, the more recent Kaseya attack, and countless other supply chain attacks demonstrate the necessity of Zero Trust security at all levels of organizations, from the largest corporations to the smallest contractors and everything in between. Small- to medium-sized businesses often lack the financial and personnel resources to build secure systems from the ground up. Luckily, that’s not necessary.
 
Secure, affordable Zero Trust systems that are easy to both deploy and use are already readily available.
 

PreVeil is a secure email and file-sharing system that knocks down the barriers to secure enterprise communications. Data is always end-to-end encrypted and cannot be viewed by anyone, including PreVeil, at any time. Approval groups replace vulnerable IT administrators. Secret, unguessable encryption keys replace stealable, guessable passwords. Trusted communities block the possibility of spoofing or phishing attacks. Tamper-proof event logs make maintaining oversight of the system simple.
 
PreVeil does for enterprise communications what WhatsApp and Signal do for personal communications. When Zero Trust security is as accessible as insecure Gmail, there’s no excuse not to defend your data. Learn more.