When Danny Ocean decides to rob three casinos in one night in Ocean’s Eleven, Rusty Ryan warns him that the plan would require at least a dozen team members doing a combination of scams: “I’d say you’re looking at a Boeski, a Jim Brown, a Miss Daisy, two Jethros and a Leon Spinks, not to mention the greatest Ella Fitzgerald of all time.
But all fraudulent slang terms aside, the security bypass during their successful heist of the Bellagio Vault came down to identity and perimeter defenses, the main network security vulnerabilities – and exactly the weaknesses that the zero-trust methodology reinforces for organizations. Stick with us, the analogy is getting better.
Experienced thieves like Ocean and Ryan did not choose identity and perimeter defenses as weak points by chance. In 2020, 61% of breaches involved credentials, by far the most common point of attack according to the Verizon Data Breach Investigations report. This is because with perimeter-based network defenses, once a “trusted” user has their identity confirmed with a password, they are implicitly trusted inside the network. This gives malicious actors all the leeway they need to wreak havoc.
This is why the Zero Trust methodology does not implicitly trust users inside a network and expects that perimeter defenses can and will be breached. Instead, it requires continuous monitoring and verification of identity when trying to access new resources on the network. Casino owner Terry Benedict’s security certainly has serious shortcomings in this regard, despite Ocean’s claim that the casino “houses a security system that rivals most nuclear silos.”
An Identity Phishing Expedition
To pull off the hug, the team must first enter the casino cages, the area reserved for employees in the back room. Twice they use stolen identities to enter this area, once when Livingston uses a stolen ID and again when Linus assumes the identity of a Nevada Gaming Commission official, which in the network world we would call “usurpation”.
Consider this a phishing attempt, someone using spoofing to obtain credentials. According to the Verizon report, phishing has been one of the top breach actions over the past two years, used in more than one in three breaches in 2020 and “continues to go hand in hand with the use of information credentials stolen in violations”. .”
Simple human error can also lead to compromised credentials, such as co-workers emailing each other passwords for resources or old accounts not being properly logged out. Or in Benedict’s case, writing down the password and having it stolen directly. According to a Centrify report, three out of four IT decision makers whose organization experienced breaches said it was abuse of privileged access credentials, and 65% said they shared root or privileged access to systems and data at least quite often.
The Zero Trust methodology based on strong identity access management (IAM) eliminates this problem through the use of single sign-on (SSO). Once identities are established for each user on a network in a unified directory, they use SSO to gain secure access to the tools, applications, and resources they need. Fewer passwords means fewer potential entry points for attackers.
Once inside the back rooms of the casino, i.e. inside the network, Linus is able to steal the six-digit code that changes every 12 hours for the doors inside of the network. With that password in hand and no additional identity verification needed at those gates, he can roam the network freely.
Brute force attacks
It’s not until Linus arrives at the elevator leading to the vault that he finally encounters something resembling the Zero Trust Security Principles. The elevator will not move without authorized fingerprint identification and voice confirmation from the main security desk and the safe below.
It is multi-factor authentication (MFA) based on context and risk-based policies, a key element of the Zero Trust methodology. Since the vault is considered sensitive, accessing it requires additional identity verification. On a network, attempts to access sensitive data or resources may be made to require this additional verification depending on the level of risk ($150 million in a vault is risky enough) and the context of the attempt, such as the device trying to access it, the geolocation of the device, the current time, etc.
Faced with this heightened security, the Ocean’s Eleven team must instead use the equivalent of a network brute force attack to bypass perimeter defenses. They must turn off the power to disable the motion sensors in the elevator shaft, then turn off the gas for the guards and the explosives to open the safe.
In the networking world, brute force attacks rely either on weak credentials created by users, repeatedly guessing passwords until the correct one is found, or on methods such as denial of service (DoS) attacks that flood or block services. Along with phishing, these types of attacks remain among the most common forms of attacks, according to the Verizon report.
The changing world of the network
The security vulnerabilities we see in Ocean’s Eleven theft are identity and perimeter defenses. In the past, passwords and perimeter defenses were a passable solution for a work world where employees logged into a workstation at their desk and had all of their software installed locally and network resources accessible.
But today, people are accessing networks from a wide variety of endpoints like mobile devices, while working remotely, and organizations are using cloud-based apps, each with its own password. , instead of locally installed software. Network users can also include people outside organizations, such as contractors, external vendors, and customers. Perimeter-based defenses simply don’t meet today’s needs.
This is why the Zero Trust methodology is now the standard in security. It assumes that perimeters can and will be breached. It relies on multi-factor authentication to verify that users are who they say they are and uses policies to trigger MFA authentication whenever an organization deems it necessary. You could be messing with an outdated security system. But in today’s world, that’s not the safest bet.