Cybersecurity  ·  Podcast

The new episode of the podcast ‘Cuidado con las macros ocultas’ by Cuatroochenta focuses on the zero-trust strategy and continuous verification as the best ways to address the growing cybersecurity risk, in which ransomware joins social engineering, intermediaries, or cryptocurrency frauds.

The consolidation of remote working and the rise of cloud services, driven by the pandemic, have blurred the security perimeter of organizations. This new landscape has given way to multi-cloud environments, which combine different providers, and hybrid clouds that combine public and private cloud. It is a scenario that is much more complex to manage and protect with traditional tools and opens more doors to cybercriminals. In the face of the growing and unstoppable cybersecurity risk, the Zero Trust strategy, in which zero trust is imposed, is spreading as one of the best defenses. It involves requiring continuous monitoring of users, transactions and devices, both internal and external to the corporate network.

Zero Trust is a strategic approach to cybersecurity that protects a perimeter-free organization by continuously monitoring and verifying every authentication, transaction and information access.

The new episode of Cuatroochenta's podcast 'Zero Trust. 100% verified security' focuses on analyzing the benefits and limitations of adopting a zero-trust security architecture. How are professional environments secured? Is it difficult to adopt and exploit a continuous user, access and network control strategy? What are the implications for an organization? These are some of the questions we address in Cuidado con las macros ocultas with cybersecurity expert, professional training professor and CEO of AllPentesting, Eduardo Sánchez Toril, the CISO of the Universitat Oberta de Catalunya, Clara Beleña, and the Country Manager of Sofistic in Spain, Juan Carlos García.

Free report (content in Spanish)

Cybersecurity Recommendations 2023

2. Principle of least privilege

The principle of least privilege is a key principle in protecting data and managing information for companies and, although it is not easy, doing so with a Zero Trust perspective increases security guarantees. The key is to "flatten the curve between the permissions granted and those used by the user", as Juan David Díaz, solutions architect at Sofistic Colombia, pointed out during the BSides Panama 2023 conference. In practice, it is a matter of limiting access and privileges to the maximum, so that the users of an organization can only access the information that is essential for the development of their activity.

«It is not necessary for the entire organization to have access to all resources. The ideal is to provide access according to needs so that employees have access to the information and systems required to carry out their job responsibilities and, in the case of having to access critical information or systems, it should be on demand and with a temporary basis.»

Juan Carlos García, Sofistic Country Manager for Spain

Especially if they are used to sharing a single server and having access to everything. But it must be considered that the user is the weakest link and that, with these more flexible models, the risk of data leakage increases. In the end, not only does it become a security incident, but it can also have an economic impact on the company, in addition to affecting brand reputation, loss of customers and legal liability, as Sofistic's Country Manager noted at the 9th MESIASCibereputation Forum Conference, how to protect the brand against cyber-attacks.

4. Network segmentation

Assuming that a network is not unbreakable and that the attack surface is much larger than the defensive one, organizations must minimize the radius of exposure so that, in the event of an intrusion, propagation is prevented and lateral movements of threats are reduced. This involves segmenting the network so that each module has its own security policies and is easier to block in the event of unauthorized access. In addition, this also limits the damage that can be caused by an attacker who gains access to one part of the network, as they will be isolated from other parts.

This perimeter protection is precisely what enabled the Universitat Oberta de Catalunya (UOC), with more than 87,000 online students, to stop the spread of the ransomware attack it suffered in January 2022, right in the middle of the Christmas vacations, The incident, which affected 5 of the organization's 600 servers, blocked its virtual campus for 24 hours. UOC's CISO, Clara Beleña, explains in the podcast how their perimeter protection strategy helped them to contain the attack and minimize the impact on their systems and students.

«In addition to 24x7 monitoring, it is key to have aparameterize well-parameterized network and to segment groups of servers to minimize the risk of lateral movements. This prevents attackers from jumping from one server to another and distributing malware throughout the network»

Clara Beleña, CISO of the Universitat Oberta de Catalunya

Listen to ‘Cuidado con las macros ocultas’ on your favorite platform

«Zero Trust' is an ideal model, but the balance between security and usability must be measured.»

Eduardo Sánchez Toril, cybersecurity expert, VET teacher and CEO of AllPentesting

Limitations of Zero Trust

While many organizations aspire to adopt a zero-trust security model, implementing all the aforementioned measures can be a significant challenge for many companies. There are difficulties in applying controls, making these restrictions compatible with collaborative work, having the necessary architecture and navigation control, or having complete visibility of the infrastructure. The UOC's own CISO recognizes that it is a highly effective security model, but difficult to apply in organizations with a large volume of users and very diverse profiles, such as universities.

Eduardo Sánchez Toril shares a similar opinion, stating the Zero Trust security model is being adopted primarily by companies in the technology sector, critical infrastructures or organizations with a large economic volume. Therefore, according to the cybersecurity expert, it is important to strike a balance between security and usability. He provides a practical example to illustrate this: A financial institution may require the mandatory use of a digital certificate for its transactions. Which is an excellent security measure, but it must also consider that such a requirement can be a complication and a barrier to interaction with some companies, which may not have the same level of maturity.

Despite its complexity, the 'Zero Trust' model is the most effective security method to protect organizations with hybrid and multi-cloud environments, in the face of the growing risk of cyber threats.

Listen to the episode