Global Column | “Zero trust is essential for remote work”

Last summer, a hacker involved in a cybercriminal organization called ‘Recursion Team’ posed as a police officer and requested customer data from Apple and Meta in the form of an ‘emergency data request’. Both companies complied with the request.

About three years ago, the CEO of a UK-based energy company received a phone call from the CEO of its German parent company instructing him to remit $250,000 to a Hungarian supplier, and he followed the instructions. It turned out that the caller was not the parent company’s CEO but a cybercriminal who used deepfake audio technology to imitate another person’s voice.

The two hackers successfully extorted data and money, respectively. Both committed their crimes by abusing trust. The victims relied solely on what the hacker told them.


Definition of Zero Trust

Zero Trust is a security framework that does not rely on perimeter security. Perimeter security is a model that has been widely used for a long time and presupposes trusting everyone and everything inside an enterprise building or firewall. Security here focuses on preventing users from outside the perimeter from entering.

The term ‘zero trust’ was first coined in 1994 by Stephen Paul Marsh, who was doing his PhD at Stirling University in England. Also called ‘de-perimeterization’, this concept has been embodied in guidelines such as Forrester eXtended, Gartner’s CARTA, and NIST 800-207.

The effectiveness of perimeter security has declined for several reasons, of which the proliferation of remote work is the most representative. Other reasons include mobile computing and cloud computing, the growing number of sophisticated cyberattacks, and insider threats.

In other words, network boundaries no longer exist. Even if a boundary exists, it can be violated. Hackers move more easily once they get inside the perimeter.

The goal of Zero Trust is to prevent cyberattacks by ensuring that each user, device, and application individually passes authentication tests whenever they access a network component or enterprise resource.

Although Zero Trust includes technology, Zero Trust itself is a framework, not a technology, and in some ways it is a security mindset for the enterprise. A common misconception is that zero trust is a mindset that only network architects and security professionals need. All employees should be aware of zero trust.

Why Zero Trust is the Only Way to Stop Social Engineering

Social engineering attacks are non-technical hacking that exploits human psychology. One basic approach to applying zero trust to social engineering attacks has been around for a long time and is familiar to users. For example, let’s say you receive an email alerting you that there is a problem with your bank account. The email, which shows the bank’s name as the sender, states that clicking the link and entering your user name and password will solve the problem. The correct way to deal with this uncertain situation is to call the bank directly to confirm.

The best countermeasure against any kind of social engineering attack is to use a contact method you find yourself, rather than the one suggested to you. The identity claimed by the person contacting you should not be taken at face value, and should always be verified independently.

In the past, it was easy to spoof email. Sooner or later, audio and video will be as easily forged or falsified as email.

In addition to email forgery, there are numerous attack methods, such as phishing, vishing, smishing, spear phishing, snowshoeing, hailstorming, clone phishing, whaling, tabnabbing, reverse tabnabbing, in-session phishing, website forgery, link manipulation and hiding, typosquatting, homograph attacks, scareware, tailgating, baiting, and DNS spoofing. Businesses should provide Zero Trust training to ensure that their employees are familiar with all of these types of attacks. Knowing the various tactics used to trick them into allowing unauthorized access will help employees understand why Zero Trust is the answer.

Kevin Mitnick, the famous hacker, described a social engineering technique from his own experience in his book ‘Ghost in the Wires’, published in 2011. When you spot an employee about to enter a corporate building from outside, you stay close behind that employee and walk through the entrance without hesitation, so that you appear to be an employee of the company as well. The receptionist trusts the stranger just from seeing that confident manner, and ends up letting them in.

When Apple and Meta received the call from the fake police officer, they should have first asked for the caller’s identity, recorded the details, then hung up and called the police directly to confirm.

The same applies to the UK CEO who got a call from someone claiming to be the CEO of the parent company in Germany. If there had been a policy not to send money immediately on the strength of what was said over the phone, and to go through a verification process first, the incident would not have occurred.

How to apply zero trust to social engineering

Many companies have yet to adopt zero trust or even have a zero trust roadmap. The good news, though, is that Zero Trust against social engineering attacks can be implemented right away.

Look for ways to authenticate individual participants, even in audio or video conferencing. In other words, companies must change their education, policies, and practices so that every incoming communication that asks for something, such as a remittance, entering or changing a password, opening an attachment, or admitting a specific person to a building, is checked and authenticated in terms of both the sender and the path the request arrived through.

Most social engineering attacks are carried out by malicious actors who gain the trust of users who have access and then abuse that access.

There is one challenge in using training and a security culture to instill zero trust awareness in employees: people fundamentally want to be trusted. When asked for identification, employees often feel insulted.

Companies should focus their training on this point. Employees and business leaders need to realize that it is not only other users who cannot simply be trusted; they themselves cannot be either.

If a subordinate directly downloads and views an attachment received from his/her supervisor without going through additional verification steps, the supervisor should be able to recognize this as a serious security policy violation.

From a cultural point of view, in most cases this is not what happens. The key here is that zero trust should apply equally to both trusted and untrusted parties.

In recent years, many employees have become scattered across offices and homes, in different provinces and countries. Companies should adopt zero trust to fundamentally improve the way employees communicate.


Source: ITWorld Korea by www.itworld.co.kr.
