In college, I worked at a bank when I came home for holidays or the summer. I was a rotating teller, so I was always at different branches.
Once, an elderly gentleman came to my window to cash a check. I greeted him nicely and asked for his identification to cash the large check drawn on his account. He began to yell and throw a fit, saying he had been banking there for 30 years.
I calmly explained that I was new and did not know him and was simply trying to protect him by ensuring I wasn’t giving his money to someone else. One of the other tellers vouched for him, having known him as a customer for many years. I wanted to ask him if he knew me and then explain that if he didn’t know me, how should I know him? But alas, common sense is not so common sometimes.
Implementing a Zero Trust model in your organization’s network involves a similar approach.
Users should be required to prove who they are before they are allowed onto the system. This can be done via multi-factor authentication and by ensuring passwords are changed regularly. Verifying user identity must be mandatory no matter where the user is accessing the network from.
Additionally, implement a policy of ‘least privilege’ or role-based access control. Only allow access to that which a user needs to perform their job. In the intel community, this is referred to as “need-to-know.”
Another method for zero trust is network segmentation. This involves dividing your infrastructure into subnetworks. This ensures that only those who need access to certain information are granted access and deters lateral movement across the network by any nefarious actors (i.e., bad guys).
On a side note, whenever you are asked for your identification when using a credit card or for any such transaction, thank the person for protecting you.
CYBER NEWS
Fremont County, Ohio, Extends Disaster After Cyber Attack
With no email or Internet services within the county government after a cyber attack, there were no laptops, no impromptu use of the GIS website when needed, and no access to information for the clerk’s monthly report.
www.govtech.com
CFO Spoofed in Convincing Business Email Compromise Scam
Here’s an example of a BEC attack that almost worked.
www.avanan.com
This company paid a ransom demand. Hackers leaked its data anyway
It’s always recommended that ransomware victims don’t give in to ransom demands – and this real-life case demonstrates why.
www.zdnet.com
PayPal Phishing Scam Uses Invoices Sent Via PayPal
Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives – which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction…
krebsonsecurity.com
TIP OF THE WEEK
Be Our Guest: When I visit a client site, I check on my phone to see if I can log in to their main network or if there is a separate guest network to log into.
There should be at least two networks at home or in the office. One for business and one for guests. Additionally, both should be password protected (with different passwords from the router and each other).
You wouldn’t leave your front door unlocked for anyone to come in. Don’t leave your network open, either.
VOCABULARY WORD
Zero Trust: Restricting access to your network by using authorization and verification tools and creating segmentation to only allow users access to the information they need for their role.
TWEET OF THE WEEK
Commonwealth Sentinel
@CwealthSentinel
The Week in Ransomware – August 19th 2022 – Evolving extortion tactics https://t.co/WV6NTx6LRL https://t.co/mKmXZ5BVZo
6:33 PM – 22 Aug 2022