Evolve your traditional systems to new ways before your ransomware adversaries do.
Overview
“Zero-Trust” is not a product or logo name.
Zero Trust is a set of security principles that treat every component and user of a system as continuously exposed to and potentially compromised by a malicious adversary. (VIDEO: “Zero Trust Explained in 4 mins” by the MIT Lincoln Laboratory, the largest US federally funded research and development center, which has identified gaps in ZTA guidance.)
The “Data Centric” focus was coined in 2010 by John Kindervag when he was at Forrester.
NOTE: Content here is my personal opinion, and not intended to represent any employer (past or present). “PROTIP:” here highlights information I haven’t seen elsewhere on the internet because it is hard-won, little-known but significant facts based on my personal research and experience.
- https://www.youtube.com/watch?v=5sFOdpMLXQg (Nov 29, 2018; also at https://www.youtube.com/watch?v=5sFOdpMLXQg&list=RDCMUC2uPNhGken-ogEpJDi4ly6w&start_radio=1&rv=5sFOdpMLXQg&t=759)
- https://www.youtube.com/watch?v=EF_0dr8WkX8&list=RDCMUC2uPNhGken-ogEpJDi4ly6w&index=2
- https://github.com/HASecuritySolutions/presentations by Justin Henderson (@SecurityMapper, GSE #108)
PDF: SANS 6-day $6,000 hands-on course “Defensible Security Architecture and Engineering” for GIAC (Global Information Assurance Certification). From the course description:

“The perimeter is dead” is a favorite saying in this age of mobile, cloud, and the Internet of Things, and we are indeed living in a new world of “de-perimeterization” where the old boundaries of “inside” and “outside” or “trusted” and “untrusted” no longer apply. This changing landscape requires a change in mindset, as well as a repurposing of many devices. Where does it leave our classic perimeter devices such as firewalls? What are the ramifications of the “encrypt everything” mindset for devices such as Network Intrusion Detection Systems?
In this course, students will learn the fundamentals of up-to-date defensible security architecture. There will be a heavy focus on leveraging current infrastructure (and investment), including switches, routers, and firewalls. Students will learn how to reconfigure these devices to better address the threat landscape they face today. The course will also suggest newer technologies to aid in building a robust security infrastructure.
While this is not a monitoring course, it will dovetail nicely with continuous security monitoring, ensuring that security architecture not only supports prevention, but also provides the critical logs that can be fed into a Security Information and Event Management (SIEM) system in a Security Operations Center.
- SECTION 1: Defensible Security Architecture and Engineering
- SECTION 2: Network Security Architecture and Engineering
- SECTION 3: Network-Centric Security
- SECTION 4: Data-Centric Security
- SECTION 5: Zero-Trust Architecture: Addressing the Adversaries
- SECTION 6: Hands-On Secure-the-Flag Challenge
SECTION 1: Defensible Security Architecture and Engineering

Section 1 of the course describes hardening systems and networks at every layer, from layer one (physical) to layer seven (applications and data). To quote Richard Bejtlich’s The Tao of Network Security Monitoring, defensible networks “encourage, rather than frustrate, digital self-defense.” The section begins with an overview of traditional network and security architectures and their common weaknesses. The defensible security mindset is “build it once, build it right.” All networks must perform their operational functions effectively, and security can be complementary to this goal. It is much more efficient to bake security in at the outset than to retrofit it later. The discussion will then turn to layer one (physical) and layer two (data link) best practices, including many “ripped from the headlines” tips the course authors have successfully deployed in the trenches to harden infrastructure in order to prevent and detect modern attacks. Examples include the use of private VLANs, which effectively kills the malicious client-to-client pivot, and 802.1X and NAC, which mitigate rogue devices. Specific Cisco IOS syntax examples are provided to harden switches.

TOPICS: Traditional Security Architecture Deficiencies; Defensible Security Architecture; Threat, Vulnerability, and Data Flow Analysis; Layer 1 Best Practices; Layer 2 Best Practices; Netflow

SECTION 2: Network Security Architecture and Engineering

Section 2 continues hardening the infrastructure and moves on to layer three: routing. Actionable examples are provided for hardening routers, with specific Cisco IOS commands to perform each step. The section then continues with a deep dive on IPv6, which currently accounts for 23% of Internet backbone traffic, according to Google, while simultaneously being used and ignored by most organizations. This section will provide deep background on IPv6, discuss common mistakes (such as applying an IPv4 mindset to IPv6), and provide actionable solutions for securing the protocol. The section wraps up with a discussion of VPN and stateful layer three/four firewalls.

TOPICS: Layer 3: Router Best Practices; Layer 3 Attacks and Mitigation; Layer 2 and 3 Benchmarks and Auditing Tools; Securing SNMP; Securing NTP; Bogon Filtering, Blackholes, and Darknets; IPv6; Securing IPv6; VPN; Layer 3/4 Stateful Firewalls; Proxy

SECTION 3: Network-Centric Security

Organizations own or have access to many network-based security technologies ranging from next-generation firewalls to web proxies and malware sandboxes. Yet the effectiveness of these technologies is directly affected by their implementation. Too much reliance on built-in capabilities like application control, antivirus, intrusion prevention, data loss prevention, or other automatic evil-finding deep packet inspection engines leads to a highly prevention-focused implementation, with huge gaps in both prevention and detection. Section 3 focuses on using application layer security solutions that an organization already owns with a modern mindset. By thinking outside the box, even old controls like a spam appliance can be used to catch modern attacks such as phishing via cousin domains and other spoofing techniques. And again, by engineering defenses for modern attacks, both prevention and detection capabilities gain significantly.

TOPICS: NGFW; NIDS/NIPS; Network Security Monitoring; Sandboxing; Encryption; Secure Remote Access; Distributed Denial-of-Service (DDOS)

SECTION 4: Data-Centric Security

Organizations cannot protect something they do not know exists. The problem is that critical and sensitive data exist all over. Complicating this even more is that data are often controlled by a full application stack involving multiple services that may be hosted on-premise or in the cloud. Section 4 focuses on identifying core data where they reside and how to protect those data. Protection includes the use of data governance solutions and full application stack security measures such as web application firewalls and database activity monitoring, as well as keeping a sharp focus on securing the systems hosting core services such as on-premise hypervisors, cloud computing platforms, and container services such as Docker. The data-centric security approach focuses on what is core to an organization and prioritizes security controls around it. Why spend copious amounts of time and money securing everything when controls can be optimized and focused on securing what matters? Let’s face it: some systems are more critical than others.

TOPICS: Application (Reverse) Proxies; Full Stack Security Design; Web Application Firewalls; Database Firewalls/Database Activity Monitoring; File Classification; Data Loss Prevention (DLP); Data Governance; Mobile Device Management (MDM) and Mobile Application Management (MAM); Private Cloud Security; Public Cloud Security; Container Security

SECTION 5: Zero-Trust Architecture: Addressing the Adversaries Already in Our Networks

Today, a common security mantra is “trust but verify.” But this is a broken concept. Computers are capable of calculating trust on the fly, so rather than thinking in terms of “trust but verify,” organizations should be implementing “verify then trust.” By doing so, access can be constrained to appropriate levels at the same time that access can become more fluid. This section focuses on implementing a zero-trust architecture where trust is no longer implied but must be proven. By doing so, a model of variable trust can be used to change access levels dynamically. This, in turn, allows for implementing fewer or more security controls as necessary given a user’s and a device’s trust maintained over time. The focus is on implementing zero trust with existing security technologies to maximize their value and impact for an organization’s security posture. During this section, encryption and authentication will be used to create a hardened network, whether external or internal. Also, advanced defensive techniques will be implemented to stop modern attack tools in their tracks while leaving services fully functional for authorized assets.

TOPICS: Zero-Trust Architecture; Credential Rotation; Compromised Internal Assets; Securing the Network; Tripwire and Red Herring Defenses; Patching; Deputizing Endpoints as Hardened Security Sensors; Scaling Endpoint Log Collection/Storage/Analysis

SECTION 6: Hands-On Secure-the-Flag Challenge

The course culminates in a team-based Design-and-Secure-the-Flag competition. Powered by NetWars, day six provides a full day of hands-on work applying the principles taught throughout the week. Your team will progress through multiple levels and missions designed to ensure mastery of the modern cyber defense techniques promoted throughout this course. Teams will assess, design, and secure a variety of computer systems and devices, leveraging all seven layers of the OSI model.

TOPICS: Capstone – Design/Detect/Defend
A new paradigm needed
Zero Trust addresses the outdated assumptions, the “elephants in the room” which have been ignored.
| # | Traditional | Zero Trust |
|---|---|---|
| 1 | On-premises data centers with few outside connections | Public cloud data centers with many external connections (credit card processing, etc.) |
| 2 | "Castle and moat": perimeter-based (firewall) | The network is always hostile! |
| 3 | ... so assume no one is eavesdropping on traffic | ... so assume compromise: encrypt at rest and in transit, using mTLS and DNS |
| 4 | ... so no need to log activities | ... so log all traffic for forensic analysis of context in a SIEM analytics system to detect issues; map lateral movement (using Bloodhound or PingCastle) |
| 5 | ... so traffic between components can be trusted implicitly | ... so explicitly and continuously authenticate and authorize all network traffic to prevent man-in-the-middle attacks (principle of "complete mediation") |
| 6 | ... so allow access by default (on by default) | ... so off by default: deny access by default |
| 7 | ... so no need to limit access duration | ... so limit the time authorization tokens are valid (assume credentials can be stolen) |
| 8 | ... so static IP addresses based on location | ... so use identity-based security with multiple factors |
| 9 | ... so static long-running secrets | ... so generate dynamic secrets in databases and applications which live only a short time |
| 10 | ... so all-to-all connectivity is not impeded | ... so use brokered one-to-one connectivity (ZTNA) with "micro-segmentation" |
| 11 | ... so secrets can be shared for ease of use | ... so assign least privilege to each user based on ACLs (Access Control Lists), to limit the "blast radius" of breaches |
| 12 | ... so accounts can linger before shut-down | ... so centrally maintain user and component directories for dynamic decision-making, to comprehensively yet quickly disable all secrets such as tokens, passwords, and certificates |
| 13 | ... so service info is broadcast for ease of reference | ... so hide version info (for example, set the Apache ServerTokens directive to ProductOnly) |
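To make rows 4 through 11 of the table concrete, and the "verify then trust" model described in Section 5 of the course above, here is an added Python example. It is not code from the original page nor from any product the page names: a small policy decision point that identifies callers by a signed, short-lived token rather than by source IP, denies by default, grants only what an explicit least-privilege ACL lists, and writes a log record for every decision so a SIEM can reconstruct context later. The signing key, identities, resource names, ACL entries and timestamps are all constructed sample values, and the token format is a simplified stand-in for a real signed token.

```python
"""Added example (not from the original page): a minimal zero-trust policy
decision point. Every request is verified before any trust is extended, and
every decision is logged. All keys, identities and ACL entries below are
constructed sample data."""
import base64
import binascii
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample key; a real deployment would pull it from a secrets manager
# and rotate it (table row 9).
SIGNING_KEY = b"example-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 300  # row 7: authorization tokens are valid only briefly

# Row 11: least privilege. Any (identity, resource, action) not listed here is
# denied, which is what "off by default" (row 6) means in practice.
ACL = {
    "alice@example.com": {"orders-db": {"read"}},
    "billing-svc": {"orders-db": {"read", "write"}},
}

AUDIT_LOG: list[dict] = []  # row 4: every decision is recorded for the SIEM


def issue_token(identity: str, issued_at: int) -> str:
    """Mint a signed, time-bounded token in a constructed <payload>.<hmac> format."""
    claims = {"sub": identity, "iat": issued_at, "exp": issued_at + TOKEN_TTL_SECONDS}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token: str, now: int):
    """Return the identity the token proves, or None. The signature is checked
    before any claim is trusted, then the expiry (row 7)."""
    try:
        payload_b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None
    return claims["sub"]


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(token: str, resource: str, action: str, source_ip: str, now: int) -> Decision:
    """Verify then trust. source_ip is logged for forensics but never used to
    grant access (row 8): identity comes only from the verified token."""
    identity = verify_token(token, now)
    if identity is None:
        decision = Decision(False, "token invalid or expired")
    elif action in ACL.get(identity, {}).get(resource, set()):
        decision = Decision(True, "explicit ACL grant")
    else:
        decision = Decision(False, "no ACL entry (deny by default)")
    AUDIT_LOG.append({
        "ts": now, "sub": identity, "src": source_ip, "resource": resource,
        "action": action, "allowed": decision.allowed, "reason": decision.reason,
    })
    return decision


def run_demo() -> list[bool]:
    """Exercise the four cases a reviewer would check; returns the allow/deny outcomes."""
    t0 = 1_700_000_000  # constructed timestamp
    alice = issue_token("alice@example.com", t0)
    # Flip the last signature character so the token no longer verifies.
    tampered = alice[:-1] + ("0" if alice[-1] != "0" else "1")
    return [
        authorize(alice, "orders-db", "read", "10.0.0.5", t0 + 10).allowed,     # granted
        authorize(alice, "orders-db", "write", "10.0.0.5", t0 + 10).allowed,    # least privilege
        authorize(alice, "orders-db", "read", "10.0.0.5", t0 + 301).allowed,    # expired token
        authorize(tampered, "orders-db", "read", "10.0.0.5", t0 + 10).allowed,  # bad signature
    ]


if __name__ == "__main__":
    print(run_demo())
    for entry in AUDIT_LOG:
        print(json.dumps(entry))
```

Two design points carry the weight here: the signature is verified before any claim in the token is read, so a forged expiry cannot extend a session, and the audit record is written on the deny path as well as the allow path, because the denied requests are the ones a SIEM analyst will want when reconstructing lateral movement.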
HashiCorp Vault provides mechanisms to implement the “Zero Trust” security principles mandated for the US federal government.
Resources
- https://zerotrust.cyber.gov is the home page for the initiative.
- Read OMB’s Federal Zero Trust Strategy. The goal of this strategy is to accelerate agencies toward a shared baseline of early zero trust maturity.
- Read CISA’s Zero Trust Maturity Model. The maturity model complements OMB’s Federal Zero Trust Strategy, and is designed to provide agencies with a roadmap and resources to achieve an optimal zero trust environment.
- Read CISA’s Cloud Security Technical Reference Architecture, a guide for agencies to leverage when migrating to the cloud securely. The document explains considerations for shared services, cloud migration, and cloud security posture management.
History
- Human Identity - SSO
- Machine Identity - Vault app identity, secret management, data protection
- Machine to Machine - Consul Service Directory & Service Mesh
- Human to Machine -
CXOTalk: What is Zero Trust Security? (with Palo Alto Networks):
- For users
- For applications
- For infrastructure

- What is Zero Trust Network Access (ZTNA)? The Zero Trust Model, Framework and Technologies Explained, by The CISO Perspective
- How to approach a Zero Trust security model, by Jamey Heary, Cisco Distinguished Security Architect
- 🔥Zero Trust Security Model Explained Simply | What is Zero Trust Security?, by SkillsBuild Training
- Understanding and Getting Started with ZERO TRUST, by John Savill of Microsoft Azure fame: https://www.youtube.com/watch?v=vskbjR1hyd8