Zero Trust - Weekly vCISO Security Notes

Zero Trust – Week 43 – SMB vCISO Security Notes

From the Cloudz Biz security and productivity desk, here are the vCISO Security Notes for week 43 of 2020. We unpack the Zero Trust security model, mention a Chrome zero-day, and raise awareness of address bar spoofing on mobile.

These weekly updates give small business owners a high-level update on cybersecurity issues and productivity opportunities in the marketplace today. We hope this brings more awareness of the risks and threats that could affect your business. By being more aware, your company will increase security, enhance productivity and boost the bottom line.

vCISO Security Notes

This week we unpack the Zero Trust Security Model for small businesses. We also look at two vulnerabilities that you need to be aware of this week.

Zero Trust Security Model

Today, and especially this year in 2020, people work from home, from the office or from their car. I’ve seen people with a hot spot working from their car while waiting for their son or daughter to practice basketball or soccer outside. Put simply, the Zero Trust Security Model shifts from a static network that relies on firewalls for protection to an environment where the end user can work anywhere with any device.

The National Institute of Standards and Technology (NIST) published their Special Publication (SP) 800-27. More information is provided at this link. However, I really like the thought process of Microsoft’s three guiding principles:

  • Verify Explicitly – Authenticate and authorize based on available data points
  • Use Least Privileged Access – Limit a user to Just-In-Time and Just-Enough-Access, risk-based adaptive policies and data protection
  • Assume Breach – Minimize blast radius and segment access, verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses

Basically, a Zero Trust approach extends throughout your digital estate with an integrated philosophy and end-to-end strategy. Each business has different organizational requirements, so no one solution matches every small business. Take these seven key steps to mature your cybersecurity approach:

  • Secure Identity – When an identity attempts to access a resource, verify that identity with strong authentication and ensure access is compliant.
  • Secure Endpoints – Once an identity acquires access, data will be accessed from that endpoint.
  • Secure Applications – Apply controls to ensure appropriate in-app permissions and validate secure configuration options.
  • Secure Data – Classify, label and encrypt data, and restrict access based on those attributes.
  • Secure Infrastructure – Whether on-prem or in the cloud, use telemetry to detect attacks and anomalies.
  • Secure Networks – Network controls enhance visibility and help prevent attackers from moving laterally across the network.
  • Visibility, Automation and Orchestration – The above steps increase visibility and provide clearer data to generate relevant alerts.
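To make the three principles and the identity, endpoint and data steps concrete, here is a small access-decision sketch. It is an added example, not Microsoft's or Cloudz Biz's code; the field names, labels, users and grants are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LABELS = {"public": 0, "internal": 1, "confidential": 2}  # hypothetical labels

@dataclass
class Request:
    user: str
    mfa_passed: bool         # Secure Identity: strong authentication
    device_compliant: bool   # Secure Endpoints: managed, patched device
    on_office_network: bool  # recorded only; location never grants access
    resource: str
    data_label: str          # Secure Data: classification of what is requested
    time: datetime

@dataclass
class Grant:                 # Just-In-Time / Just-Enough-Access
    user: str
    resource: str
    max_label: str
    expires: datetime

def decide(req, grants):
    """Return (allowed, reason). Deny by default (Assume Breach)."""
    if not req.mfa_passed:            # Verify Explicitly
        return False, "identity not verified with MFA"
    if not req.device_compliant:
        return False, "endpoint not compliant"
    reason = "no grant for this resource"
    for g in grants:
        if (g.user, g.resource) != (req.user, req.resource):
            continue
        if req.time >= g.expires:
            reason = "just-in-time grant expired"
        elif LABELS[req.data_label] > LABELS[g.max_label]:
            reason = "data label above granted level"
        else:
            return True, "verified identity, device and grant"
    return False, reason

# Constructed sample data
NOW = datetime(2020, 10, 23, 9, 0, tzinfo=timezone.utc)
GRANTS = [Grant("alice", "payroll", "confidential", NOW + timedelta(hours=1)),
          Grant("alice", "crm", "internal", NOW + timedelta(hours=1))]

if __name__ == "__main__":
    req = Request("alice", False, True, True, "payroll", "confidential", NOW)
    print(decide(req, GRANTS))  # denied even though the user is in the office
```

Returning a reason with every decision gives the log data that the visibility step depends on.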

There are two options for learning more. First, stay tuned to these blog posts and make sure you are following Cloudz Biz on your social media channel. Second, check out this link from Microsoft.

Chrome Zero Day

There seem to be quite a few different vulnerabilities in the Chrome browser recently, including CVE-2020-15999. Make sure your browser is getting updated on a consistent basis. In the upper right-hand corner of your browser, you will find three vertical dots, which is the “More” menu. If your browser needs an update, you will see an option to “Update Google Chrome”. Otherwise, no button will exist.

The latest stable channel version for desktop is 86.0.4240.111. You can find out what your version is by opening the “More” menu and selecting “Help” and then “About Google Chrome”.
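If you collect the version line from “About Google Chrome” on each machine, the comparison against 86.0.4240.111 has to be numeric, part by part. The sketch below is an added example, not part of the original notes; the host names and the inventory are constructed.

```python
import re

MIN_STABLE = "86.0.4240.111"  # stable desktop version named in the text above

def parse_version(text):
    """Pull a four-part version out of text such as
    'Version 86.0.4240.75 (Official Build) (64-bit)'.
    Returns a tuple of ints, or None if no version is found."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(part) for part in m.groups()) if m else None

def needs_update(reported, minimum=MIN_STABLE):
    """True if the reported version is older than the minimum.
    Unreadable input also counts as needing attention (fail closed)."""
    have = parse_version(reported)
    return have is None or have < parse_version(minimum)

def outdated_hosts(inventory, minimum=MIN_STABLE):
    """Sorted list of hosts whose Chrome should be updated or checked."""
    return sorted(h for h, v in inventory.items() if needs_update(v, minimum))

# Constructed inventory: host name -> text copied from "About Google Chrome"
INVENTORY = {
    "front-desk-pc": "Version 86.0.4240.111 (Official Build) (64-bit)",
    "owner-laptop": "Version 86.0.4240.75 (Official Build) (64-bit)",
    "warehouse-pc": "Version 85.0.4183.121 (Official Build) (64-bit)",
    "sales-laptop": "",  # nothing reported: treat as unknown
}

if __name__ == "__main__":
    # Comparing the raw strings would rank ".75" above ".111" because
    # '7' sorts after '1'; comparing integer tuples gets the order right.
    for host in outdated_hosts(INVENTORY):
        print(f"{host}: update or check Chrome ({INVENTORY[host] or 'no data'})")
```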

Browser – Address Bar Spoofing

We talked about ransomware on mobile in week 41. Now in week 43, browsers on mobile seem to be an issue. Rafay Baloch reported his findings here. Both mobile platforms, Android and iOS, contain browsers that allow address bar spoofing.

The bottom line: be careful what applications you run on your mobile platform. This platform will not be without vulnerabilities, so keep it updated and keep your apps current as well.

Cloudz Biz Final Notes

That is all for the vCISO security notes this week. Take a look at your small business cybersecurity strategy. Maybe the Zero Trust Security Model is the best place to start if you are doing nothing today. Cloudz Biz also promotes and implements a cybersecurity strategy around the NIST Cybersecurity Framework. We’ll take a look at this more in future blogs and look to see how the two work together.

If you have any questions or comments, please leave them below or send us a message on one of our social media channels.

If you are looking for a Vulnerability Assessment to understand what risks reside in your environment, review our Assessment offering below.

Book a Vulnerability Assessment Now!