'Zero Trust': The Way Forward in Cybersecurity

Network Computing Dark Reading

Advertise

About Us

Newest First | Oldest First | Threaded View

[close this box]

50%

Suberman99,
User Rank: Apprentice
1/25/2017 | 1:48:20 PM

Re: Nothing new except the name

Cool sounding maybe but, not many companies adhere to anything but perimeter security, including fortune 1000.

How many IT staffs/managers adhere to LAN segmentation or data center east/west, north/south security. I'm not just talking about allowing a few ports like 443, 80,8080,25,53 etc. Bad stuff rides on these ports as well because threat actors know they are most likely to be open. Zero trust is about knowing the precise application regardless of port or protocol as well as connecting a username to that session.

Reply | Post Message | Messages List | Start a Board

50%

ClarenceR927,
User Rank: Strategist
1/25/2017 | 10:37:14 AM

Re: Nothing new except the name

Our management has fallen in love with "Cyber kill chain" as if it has value. Same deal, put a cool sounding name on the same stuff security has been recommending for a decade and all of a sudden theypay attention.

Reply | Post Message | Messages List | Start a Board

100%

Joe Stanganelli,
User Rank: Ninja
1/14/2017 | 2:44:11 PM

Nothing new except the name

This strategy is what top cybersecurity experts have recommended for years. Few listened.

The only difference now is that, as of sometime in the last year+, somebody came up with a catchy name ("Zero Trust") for it.

I guess buzzterms have their place.

Reply | Post Message | Messages List | Start a Board

100%

Shantaram,
User Rank: Ninja
1/13/2017 | 6:21:53 AM

Re: 192.168.0.1

Cool! i like it!

Reply | Post Message | Messages List | Start a Board

50%

netwatcher,
User Rank: Apprentice
1/12/2017 | 3:25:21 PM

Re: Isn't this what we were supposed to be doing all along?

some reasons why...

Executive is not aware of the risks – "We have a firewall and anti-virus so I think we are covered..."headinsand
Executive has bad information – "Hackers only attack the big companies, what would they want from us?"
Executive is a risk taker – "I'll take the risk, the probability for us getting attacked is low."
Executive is cheap – "No ROI means no priority."
Executive doesn't believe investment in security is worth it – "The loss involved will be so small compared to our revenues. It's easier to take a chance and write off any losses should they occur."
Executive is overwhelmed by the size of the necessary investment required to add additional security measures – "We can't afford Fire Eye, IBM, HP, Palo Alto etc.. those tools are only affordable to the fortune 1000"
Executive believes they are covered when they are not – "Our POS (or EMR) vendor is responsible for our security not us..."
Executive doesn't believe any investment will have much of an impact – "Big companies have all the tools and they are still getting hacked."

Reply | Post Message | Messages List | Start a Board

100%

ClarenceR927,
User Rank: Strategist
1/12/2017 | 9:10:58 AM

Isn't this what we were supposed to be doing all along?

Seriously, how far removed from the real world is IT/CISO management that this concept needs to be explained to them? This exact structure has been undersood and recommeneded for at least 25 years. The more important article would be one that examines the excuses, roadblocks and technical challenges that have prevented people from actually making it happen.

Reply | Post Message | Messages List | Start a Board

50%

DamnDesert,
User Rank: Apprentice
1/10/2017 | 10:47:06 PM

If only it were that simple

If it were just up to cybersecurity to get it done it would be so simple. I've spent 5 years trying to get the company I'm at to get such controls in place to government requirements SP-800-53 for a contract we have. I the end it takes executive buy in, available Capex/Opex budget, priority from other IT departments, and patience for needed downtime for many of the changes that need to take place. No small task, needed yes, getting people to understand it's a high priority is a whole other challenge.

Reply | Post Message | Messages List | Start a Board

Hot Topics

Editors' Choice

Microsoft Edge Will Tell You If Credentials Are Compromised

Dark Reading Staff 3/30/2020

HackerOne Drops Mobile Voting App Vendor Voatz

Dark Reading Staff 3/30/2020

Limited-Time Free Offers to Secure the Enterprise Amid COVID-19

Curtis Franklin Jr., Senior Editor at Dark Reading, 3/31/2020

Webinars

How to Effectively Analyze Security Data

Malicious Insiders: Real Defense for Real Business

5 Steps to Integrate SAST into the DevSecOps Pipeline

Webinar Archives

White Papers

NERC Updates May Force Utility Companies into Better Cybersecurity

eSentire Annual Threat Intelligence Report: 2019 Perspectives and 2020 Predictions

One Phish, Two Phish, Three Phish, Fraud Phish

A Market Guide to Simulation-Based Cybersecurity Training

SANS 2020 Cyber Threat Intelligence Survey Results

More White Papers

Video

All Videos

Cartoon Contest

Write a Caption, Win a Starbucks Card! Click Here

Latest Comment: Hello...Nurse...I've placed a mask on him but he refuses to wear gloves...now what?

Cartoon Archive

Current Issue

6 Emerging Cyber Threats That Enterprises Face in 2020

This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

State of Cybersecurity Incident Response

Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.

Download Now!

How Enterprises Are Developing and Maintaining Secure Applications

0 comments

How Enterprises are Attacking the Cybersecurity Problem

0 comments

How Data Breaches affect the Enterprise

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2020-11558
PUBLISHED: 2020-04-05

An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. audio_sample_entry_Read in isomedia/box_code_base.c does not properly decide when to make gf_isom_box_del calls. This leads to various use-after-free outcomes involving mdia_Read, gf_isom_delete_movie, and gf_isom_parse_m...

CVE-2020-11547
PUBLISHED: 2020-04-05

PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.

CVE-2020-11548
PUBLISHED: 2020-04-05

The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.

CVE-2020-11542
PUBLISHED: 2020-04-04

3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side's interpretation of the <KEY>MYKEY</KEY> substring.

CVE-2020-11533
PUBLISHED: 2020-04-04

Ivanti Workspace Control before 10.4.30.0, when SCCM integration is enabled, allows local users to obtain sensitive information (keying material).

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]