Although most IT and security professionals consider zero trust an important part of their cybersecurity approach, many still have a long way to go in deploying it, according to a survey by Illumio.
Especially as users continue to move off campus networks to a distributed work-from-home model and face new and expanding threat vectors, organizations must quickly adopt the zero trust security mindset of “never trust, always verify” to mitigate the spread of breaches by limiting access and preventing lateral movement.
Notably, 49 percent of the participants surveyed find zero trust to be critical to their organizational security model. Only 2 percent of business leaders believe zero trust is nonessential for their enterprise security posture.
“Zero trust is mission critical to any cybersecurity strategy. Adversaries don’t stop at the point of breach – they move through environments to reach their intended target or access your crown jewels,” said Matthew Glenn, senior vice president of product management at Illumio.
“In today’s world, stopping the lateral movement of attackers has become fundamental to a defender’s job. What’s more, as employees continue to work remotely at scale, it is essential to extend zero trust to the endpoint to further reduce the attack surface and secure the enterprise.”
Zero trust adoption is just beginning
While organizations clearly value zero trust as a necessary part of their cybersecurity strategy, widespread adoption is lacking. Of the respondents who find zero trust to be extremely or very important to their security posture, only 19 percent have fully implemented or widely implemented their zero trust plan.
Over a quarter of these leaders have begun their zero trust planning or deployment process. In short, all but 9 percent of the organizations surveyed are in some way working toward achieving zero trust.
Technologies bolstering the zero trust journey
No single product or solution enables organizations to achieve zero trust alone, so Illumio asked which technologies companies have implemented on their journey to achieve zero trust. Not surprisingly, solutions with a lower barrier to entry, like multi-factor authentication (MFA) and single sign-on (SSO), are more widely adopted.
Still, 32 percent of respondents have adopted campus-wide segmentation, another 30 percent have incorporated software-defined perimeter (SDP) technologies, and 26 percent are leveraging micro-segmentation, a key zero trust technology for preventing the lateral movement of attackers.
In the intermediate term, beyond six months, most respondents plan to implement micro-segmentation and SDP, which will pave the way for zero trust adoption at scale. In fact, 51 percent of respondents plan to deploy micro-segmentation as one of their primary zero trust controls, given its effectiveness and importance in preventing high-profile breaches by stopping lateral movement.
Lastly, over the next six months, 23 percent of organizations plan to implement MFA and 18 percent plan to deploy SSO.
Palo Alto Networks has patched a critical and easily exploitable vulnerability (CVE-2020-2021) affecting PAN-OS, the custom operating system running on its next generation firewalls and enterprise VPN appliances, and is urging users to update to a fixed version as soon as possible.
The US Cyber Command has echoed the call for immediate action, saying that nation-state-backed attackers are likely to try to exploit it soon.
Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) June 29, 2020
About the vulnerability (CVE-2020-2021)
CVE-2020-2021 is an authentication bypass in PAN-OS SAML authentication. An unauthenticated, remote attacker could use it to gain access to protected resources and, where the web management interface is protected by SAML, take control of the device: change its settings, alter access control policies, shut it down and so on.
Affected versions are PAN-OS 9.1 earlier than 9.1.3, PAN-OS 9.0 earlier than 9.0.9, PAN-OS 8.1 earlier than 8.1.15, and all versions of PAN-OS 8.0 (end of life). PAN-OS 7.1 is not affected.
Also, the vulnerability is exploitable only if:
- The device is configured to use SAML authentication with single sign-on (SSO) for access management, and
- The “Validate Identity Provider Certificate” option is disabled (unchecked) in the SAML Identity Provider Server Profile
“Resources that can be protected by SAML-based single sign-on (SSO) authentication are GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, and Prisma Access,” Palo Alto Networks shared.
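A triage script that applies the two conditions above to a device's reported PAN-OS version and an exported XML configuration. It is added here as an example and is not Palo Alto Networks tooling. The element paths `shared/server-profile/saml-idp/entry/validate-idp-certificate` and `shared/authentication-profile/entry/method/saml-idp/server-profile` are assumptions about the export format and should be checked against a real config; the sample config below is constructed.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per affected train, as listed in the advisory above.
FIXED = {(9, 1): 3, (9, 0): 9, (8, 1): 15}
EOL_AFFECTED = {(8, 0)}   # every 8.0 release is affected and will not be fixed
NOT_AFFECTED = {(7, 1)}

# Assumed export paths (verify against your own "show config" output).
SAML_IDP_ENTRIES = "./shared/server-profile/saml-idp/entry"
AUTH_PROFILE_ENTRIES = "./shared/authentication-profile/entry"


def parse_panos_version(text):
    """'9.0.9-h1' -> (9, 0, 9). A hotfix suffix does not change the base release."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:-h\d+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(text):
    """True/False for the trains the advisory names, None for anything else."""
    major, minor, patch = parse_panos_version(text)
    train = (major, minor)
    if train in FIXED:
        return patch < FIXED[train]
    if train in EOL_AFFECTED:
        return True
    if train in NOT_AFFECTED:
        return False
    return None


def saml_profiles_without_idp_validation(config_xml):
    """SAML IdP profiles with validate-idp-certificate explicitly set to 'no'."""
    # A profile whose element is absent is not flagged; confirm its checkbox in the UI.
    root = ET.fromstring(config_xml)
    return [
        entry.get("name")
        for entry in root.iterfind(SAML_IDP_ENTRIES)
        if entry.findtext("validate-idp-certificate", default="").strip().lower() == "no"
    ]


def saml_profiles_in_use(config_xml):
    """SAML IdP profiles referenced by at least one authentication profile."""
    root = ET.fromstring(config_xml)
    used = set()
    for ap in root.iterfind(AUTH_PROFILE_ENTRIES):
        ref = ap.findtext("method/saml-idp/server-profile")
        if ref:
            used.add(ref.strip())
    return used


def assess(version_text, config_xml):
    """Exposed only if the version is affected AND a weak profile is actually in use."""
    affected = is_affected_version(version_text)
    weak = set(saml_profiles_without_idp_validation(config_xml))
    exploitable = sorted(weak & saml_profiles_in_use(config_xml))
    return {
        "version_affected": affected,
        "unvalidated_profiles": sorted(weak),
        "exploitable_profiles": exploitable,
        "exposed": bool(affected) and bool(exploitable),
    }


# Constructed sample export: one IdP profile with validation disabled and bound
# to a GlobalProtect authentication profile, one hardened profile that is unused.
SAMPLE_CONFIG = """<config version="9.1.0">
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="okta-idp">
          <sso-url>https://idp.example.com/saml/sso</sso-url>
          <certificate>okta-idp-cert</certificate>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="corp-idp">
          <sso-url>https://sso.corp.example/sso</sso-url>
          <certificate>corp-ca-signed-cert</certificate>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="gp-saml-auth">
        <method><saml-idp><server-profile>okta-idp</server-profile></saml-idp></method>
      </entry>
    </authentication-profile>
  </shared>
</config>
"""

if __name__ == "__main__":
    LABEL = {True: "affected", False: "not affected", None: "not covered by advisory"}
    for v in ("9.1.2", "9.1.3", "9.0.9-h1", "8.1.14", "8.0.20", "7.1.26"):
        print(f"{v:10} {LABEL[is_affected_version(v)]}")
    print(assess("9.1.2", SAMPLE_CONFIG))
```

The version check alone is not enough: a patched device is safe, but an unpatched one is only exposed if a SAML profile with validation disabled is actually bound to an authentication profile, which is why `assess` intersects the two lists.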
This configuration is not the default, but attackers should have little trouble finding devices that use it.
“It appears that notable organizations providing SSO, two-factor authentication, and identity services recommend this [vulnerable] configuration or may only work using this configuration,” noted Tenable researcher Satnam Narang.
“These providers include Okta, SecureAuth, SafeNet Trusted Access, Duo, Trusona via Azure AD, Azure AD and Centrify.
Even the PAN-OS 9.1 user guide instructs admins to disable the “Validate Identity Provider Certificate” option when setting up Duo integration:
The PAN-OS 9.1 user guide, which was apparently last updated 4 days ago (June 25), instructs admins to do just that when setting up DUO integration.
“Disable Validate Identity Provider Certificate, then click OK.” pic.twitter.com/KLd78oImzs
— Will Dormann (@wdormann) June 29, 2020
Palo Alto Networks says that there is currently no indication of the vulnerability being under active attack.
But given that SSL VPN flaws in various enterprise solutions have been heavily exploited in the last year or so – both by cybercriminals and nation-state attackers – it is expected that this one will be as soon as a working exploit is developed.
What to do?
As mentioned before, implementing the security updates is the best solution.
Enterprise admins are advised to upgrade to PAN-OS versions 9.1.3, 9.0.9 or 8.1.15 if possible. Palo Alto Networks has provided instructions for doing that in a way that doesn’t break the authentication capability for users.
If updating is not possible, the risk can be temporarily mitigated by switching to a different authentication method and disabling SAML authentication. Because the flaw is exploitable only with “Validate Identity Provider Certificate” unchecked, enabling that option also removes the exploitable condition, but it requires an IdP certificate signed by a CA the firewall trusts, and, as noted above, several identity providers recommend or require the unchecked setting.
Admins can check for indicators of compromise in a variety of logs (authentication logs, User-ID logs, GlobalProtect Logs, etc.)
Over the last few decades, as the information era has matured, cryptography has grown into a varied landscape. Among the many authentication methods and cryptosystems available for securing data transfers and identifying users, some have become popular because of their security or their practicality.
For example, if you have ever been given the option to log onto a website using your Facebook or Google account, you have encountered a single sign-on (SSO) system at work. The same goes for most smartphones, where signing in with a single username and password combination allows access to many different services and applications.
SSO schemes give users the option to access multiple systems by signing in to just one specific system. This specific system is called the “identity provider” and is regarded as a trusted entity that can verify and store the identity of the user. When the user attempts to access a service via the SSO, the “service provider” asks this identity provider to authenticate the user.
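The round trip described above, as an added example that is not from the original article nor from the Tokyo University of Science paper: a toy identity provider and service provider in Python. The IdP checks the password and issues a signed assertion; the SP only verifies the signature, audience, freshness and nonce, and never sees the password. The assertion format, the HMAC key standing in for the IdP's signing certificate, and all user data are constructed for the demo; real SSO deployments use SAML or OpenID Connect with public-key signatures.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key. It stands in for the IdP's signing key; in SAML the SP
# instead holds the IdP's certificate and verifies an XML signature with it.
IDP_SIGNING_KEY = b"demo-idp-signing-key-do-not-use"


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    """Holds the credential store and issues signed assertions."""

    def __init__(self, signing_key):
        self._key = signing_key
        self._users = {}  # username -> (salt, pbkdf2 hash)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def authenticate(self, username, password, audience):
        """Check the password; on success return a signed assertion for `audience`."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        claims = {"sub": username, "aud": audience,
                  "iat": int(time.time()), "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(body).decode() + "."
                + base64.urlsafe_b64encode(sig).decode())


class ServiceProvider:
    """Trusts exactly one IdP key and never sees the user's password."""

    def __init__(self, name, idp_key, max_age_seconds=300):
        self.name = name
        self._idp_key = idp_key
        self._max_age = max_age_seconds
        self._seen_nonces = set()

    def consume(self, assertion):
        """Return the authenticated username, or None if the assertion is rejected."""
        try:
            b64_body, b64_sig = assertion.split(".")
            body = base64.urlsafe_b64decode(b64_body)
            sig = base64.urlsafe_b64decode(b64_sig)
        except (ValueError, AttributeError):
            return None
        # 1. Signature: only the trusted IdP key may vouch for a user.
        expected = hmac.new(self._idp_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(body)
        # 2. Audience: an assertion minted for another SP must not log in here.
        if claims.get("aud") != self.name:
            return None
        # 3. Freshness and replay: stale or reused assertions are rejected.
        if time.time() - claims.get("iat", 0) > self._max_age:
            return None
        if claims.get("nonce") in self._seen_nonces:
            return None
        self._seen_nonces.add(claims["nonce"])
        return claims["sub"]


def demo():
    """Run the happy path and four failure modes; returns what the SP accepted."""
    idp = IdentityProvider(IDP_SIGNING_KEY)
    idp.register("alice", "correct horse battery staple")
    sp = ServiceProvider("files.example.com", IDP_SIGNING_KEY)
    good = idp.authenticate("alice", "correct horse battery staple", sp.name)
    other_sp = idp.authenticate("alice", "correct horse battery staple", "mail.example.com")
    rogue = IdentityProvider(b"attacker-controlled-key")  # wrong trust anchor
    rogue.register("alice", "anything")
    forged = rogue.authenticate("alice", "anything", sp.name)
    return {
        "valid": sp.consume(good),
        "replayed": sp.consume(good),
        "wrong_password": idp.authenticate("alice", "wrong", sp.name),
        "wrong_audience": sp.consume(other_sp),
        "forged": sp.consume(forged),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the exercise is where trust sits: the SP's only trust anchor is the IdP key, so an assertion signed by anyone else is rejected outright, and the IdP learns which service the user wanted (the `aud` claim) while the SP learns the user's identity (the `sub` claim), which is exactly the information flow the privacy-preserving scheme below sets out to change.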
SSO advantages and privacy concerns
The advantages of SSO systems are many. For one, users need not remember several username and password combinations for each website or application. This translates into fewer people forgetting their passwords and, in turn, fewer telephone calls to IT support centers.
Moreover, SSO reduces the hassle of logging in, which can, for example, encourage employees to use their company’s security-oriented tools for tasks such as secure file transfer.
But with these advantages come some grave concerns. SSO systems are often run by Big Tech companies, who have, in the past, been reported to gather people’s personal information from apps and websites (service providers) without their consent, for targeted advertising and other marketing purposes.
Some people are also concerned that their ID and password could be stored locally by third parties when they provide them to the SSO mechanism.
A fast, privacy-preserving algorithm
In an effort to address these problems, Associate Professor Satoshi Iriyama from Tokyo University of Science and his colleague Dr Maki Kihara have recently developed an SSO algorithm designed to prevent this wholesale exchange of information. Their paper describes the algorithm in detail after setting out their motivations for developing it.
Dr Iriyama states: “We aimed to develop an SSO algorithm that does not disclose the user’s identity and sensitive personal information to the service provider. In this way, our SSO algorithm uses personal information only for authentication of the user, as originally intended when SSO systems were introduced.”
By design, the algorithm makes it impossible for user information to be disclosed without authorization. This is achieved, as Dr Iriyama explains, by applying the principle of “handling information while it is still encrypted.”
In their SSO algorithm, all parties exchange encrypted messages but never exchange decryption keys, and no one is ever in possession of all the pieces of the puzzle because no one has the keys to all the information.
The service provider (not the identity provider) learns whether a user was successfully authenticated, but it does not get access to the user’s identity or any of their sensitive personal information. This breaks the link that lets identity providers draw specific user information from service providers.
The authors list further advantages. On the security side, they state that the scheme is designed to withstand the typical attacks by which information or passwords are stolen. It is also flexible in what it accepts as a credential; as Dr Iriyama explains, “Our algorithm can be used not only with an ID and a password, but also with any other type of identity information, such as biometrics, credit card data, and unique numbers known by the user.”
This also means that users can only provide identity information that they wish to disclose, reducing the risk of Big Tech companies or other third parties siphoning off personal information. In addition, the algorithm runs remarkably fast, an essential quality to ensure that the computational burden does not hinder its implementation.
Facebook will (finally!) explicitly tell users who use Facebook Login to log into third-party apps what information those apps are harvesting from their FB account.
At the same time, users will be able to react quickly if someone managed to compromise their Facebook accounts and is using their credentials to access other apps and websites.
The new feature, called Login Notifications, delivers notifications through the Facebook app and to the user’s associated email address.
The sending of those notifications will be triggered every time a user (or attacker):
- Logs into a third-party app with Facebook Login and grants the app access to their information
- Re-uses Facebook Login to log into a third-party app after an app’s access to information has expired.
Each notification includes a list of the information the app or website pulls from the Facebook account to personalize the user’s experience, along with a direct link to Facebook Settings > Apps and Websites, so users can limit the information shared with the app or remove it altogether.
“The design and content of the Login Notifications remind users that they have full control over the information they share with 3rd party apps, with a clear path to edit those settings,” Puxuan Qi, a software engineer at Facebook, explained.
“We will continue to test additional user control features in early 2020, including bringing permissions to the forefront of the user experience when logging into a 3rd party app with Facebook Login.”
This new feature is part of Facebook’s broader effort to show it cares about user privacy and to minimize the fallout of incidents such as the massive 2018 Facebook data breach and the Cambridge Analytica scandal. In the 2018 breach, attackers stole access tokens of at least 50 million users, potentially allowing them to take over victims’ Facebook accounts and log into accounts the victims had opened on third-party websites and apps using Facebook Login. In the Cambridge Analytica case, CA used information collected through third-party apps to fuel election campaigns without users agreeing to, or even knowing about, that use.