Eliminate Attack Vectors and Stop Cyber Threats in Their Tracks with a Zero Trust Architecture
Reducing Cyber Risk and Protecting Against Attacks
Cyber threats come from all angles these days, yet most businesses are still ill equipped to properly keep the bad actors out when they become the target of an attack. The Open Web Application Security Project (OWASP) produces a list of the top 10 threats that organisations must contend with to keep their web applications secure, but that is only the tip of the iceberg. While there are best practices that can help mitigate cyber risks, some of the most dangerous attack vectors are getting harder to defend against. They include everything from lateral network traversal and ransomware, all the way to employee vulnerabilities and denial of service attacks.
A modern and proactive approach to access and security is a necessary shift organisations need to take in order to maintain a sufficient security posture, mitigate threats, and stop attackers in their tracks. Zero Trust Architecture offers just that.
Zero Trust is the preferred way to introduce user resource segmentation while adopting a perimeter-less, “Never Trust, Always Verify” approach to security. That means every resource is isolated and access is only granted when a user has verified their identity and has the correct authorisation for access, effectively keeping bad actors out.
What are the OWASP Top 10 Web Application Vulnerabilities
Every couple of years OWASP does a revamp of their Top 10 web application security threats. This list has become a standard document and is a great resource for organisations to size up their web application cyber posture and determine their level of vulnerability exposure. In 2021, OWASP updated their list of the top web application threats that businesses face as follows:
- Broken Access Control – Access controls enforce user privileges, preventing them from acting outside of their permissions. Failures can lead to unauthorised access, modification, release, and destruction of data or functions outside the user’s intended privileges.
- Cryptographic Failures – Many web applications and their APIs do not impose strong encryption practices to properly protect sensitive corporate and customer data. This gives attackers an opportunity to intercept or modify data for criminal purposes. Strong encryption must be imposed when data is at rest or in transit.
- Injection – Attackers will leverage flaws such as SQL, NoSQL, OS, and LDAP injection to try and trick the interpreter into allowing them to access data without proper authorization or execute unintended commands.
- Insecure Design – In the design and development lifecycle of software and applications, inadequate budget for time and security requirements can allow critical vulnerabilities to pass through into live environments, introducing attack vectors the team never anticipated or addressed.
- Security Misconfiguration – Ad hoc and insufficient configuration of software and infrastructure can lead to issues like misconfigured dHTTP headers, exposed cloud storage, admin or root access accounts being left in place, and even verbose error messages that leave sensitive information exposed.
- Vulnerable and Outdated Components – Vulnerable components, such as libraries, frameworks, and other software modules often lead to severe instances of data loss or server takeover. The inability to address CVE’s (Common Vulnerabilities and Exposures) undermines application security by enabling various attack vectors.
- Identification and Authentication Failures – When incorrectly implemented, functions related to authentication and session management allow attackers to compromise session tokens, passwords, keys, and user credentials. Multi-Factor authentication is one of the easiest ways to prevent an attacker from assuming a user’s identity.
- Software and Data Integrity Failures – Software and data integrity failures happen when applications rely on libraries and plugins from untrusted sources and insecure deployment pipelines allow these to be introduced without integrity check and create the potential for unauthorised access or system compromise.
- Security Logging and Monitoring Failures – No or poor logging and monitoring pair with inadequate tools for incident response can let a breach become pervasive allowing attackers to persist, traverse to more systems, and tamper with or extract data. The average time to detect a breach is over 200 days. Fine-grained auditing and logging capabilities can substantially improve that.
- Server-Side Request Forgery – Server-Side Request Forgery (SSRF) flaws allow attackers to trick applications into fetching a remote resource from an unexpected destination without validating it. Unfortunately this attack can be perpetrated even when protected by a conventional firewall, VPN, or another type of network access control list (ACL).
Broken access controls moved to the number one spot on the OWASP Top 10 and represent one of the most common vulnerabilities today. In fact, it is theorised by some security researchers that over half of all web applications have at least one OWASP vulnerability. This is where Zero Trust can give organisations an edge against the arsenal of tools malicious actors have at their disposal.
How Zero Trust Principles can Protect Against Web Application Vulnerabilities
Zero Trust as a principle offers enhanced protection against web application vulnerabilities by shifting the domains of access and control to a per user, per resource implementation. That means access and visibility for a given asset migrate from a traditional perimetered, digital moat, where all resources are accessible by default to a micro segmented infrastructure. This principle helps organisations protect resources and users from each other, making them independent. In the event one application, resource, or web server is compromised, the vulnerability is contained.
How Does Agilicus AnyX Protect Against the OWASP Top 10 with a Zero Trust Architecture
Agilicus AnyX is a culmination of cybersecurity standards that together deliver defence in depth, helping organisations adopt a Zero Trust Architecture that delivers a robust network security framework and access strategy. A well implemented Zero Trust Architecture can effectively protect organisations, their users, and most valuable assets from the OWASP Top 10 Web Application Vulnerabilities.
Agilicus AnyX is designed to eliminate an attacker’s visibility into the potential OWASP Top 10 web application vulnerabilities that could exist in a given application as resources are completely hidden from non-authenticated users. This is achieved with the patented Identity Aware Web Application Firewall which acts as a proxy server (reverse proxy) and protects web applications and resources by only allowing access on the basis of authenticated (verified) identity.
Organisations can also leverage this component of the Agilicus AnyX platform to enhance security on the client side by modifying server headers or enforcing SSL (Secure Socket Layer) on all traffic. As a result, the Identity Aware Web Application Firewall ensures all traffic is encrypted and users are able to access designated resources from anywhere without making them accessible on the public internet.
The Agilicus AnyX platform features that specifically protect against the OWASP Top 10 web application vulnerabilities and deliver a Zero Trust Architecture platform include:
• Role-Based Access Controls – Centralise the management of users and their roles to enact, strict least privilege access through fine-grained authorisation. Prevent (1) Broken Access Controls, (2) Cryptographic Failures, and (7) Identification and Authentication Failures.
• Detailed Audit Trails – All users, connections and actions audited. No more (9) Security Logging and Monitoring Failures that leave you unsure of who did what for how long .
• Identity Aware Web Application Firewall – Blocks malicious and unauthenticated traffic, while protecting against (3) Injection (5) Security Misconfiguration (6) Vulnerable and Outdated Components (8) Software and Data Integrity Failures, (4) Insecure Design, (10) Server-side Request Forgery.
• Multi-Factor Authentication – Second factor authentication requirements are built right into the login flow helping to address (7) Identification and Authentication Failures.
We recently held a webinar on this topic with Agilicus CEO and cybersecurity expert, Don Bowman. Watch the recording for a detailed look at how your organisation can adopt a defense in depth strategy through Zero trust to protect against the OWASP Top 10.
How Does Zero Trust Stand Up Against Other Attack Vectors
Defending against OWASP threats is a good start, but there is still a laundry list of attack vectors that organisations face today. Zero Trust is much more than simply enforcing multi-factor authentication on your users. It is a set of security principles that together work by leveraging an individual’s unique identity to introduce an authentication and authorisation workflow for access to a designated resource.
By adopting a Zero Trust Architecture, organisations can take a proactive approach to security by default and effectivelyprotect critical resources from threats.
What is Lateral Network Traversal
Lateral Network Traversal or lateral movement within a network occurs when a malicious actor gains access to a network (usually through a VPN) and moves deeper into the system in search of sensitive information, trade secrets, high-value assets, or to perpetrate a ransomware attack.
How Zero Trust Prevents Lateral Network Traversal
A key principle of zero trust is segmentation of users, resources, and the network(s). In the event of a breach, Agilicus AnyX leverages a Zero Trust Architecture to limit the attack surface by totally isolating organisation resources and users from each other by enforcing user to resource pairings. Without interfering with, or encumbering the end user, organisation resources are seamlessly segmented with explicit control over permissions, privileges, and a precise record of user activity with detailed audit trails: sensitive information and data can only be accessed by designated users and ransomware attacks can be blocked from spreading. With a proper implementation of Zero Trust, there is no available network to move east-west within, unlike a traditional perimeter-based solution (VPN).
What is the Cyber Risk of Shared or Compromised Credentials
A compromised credential attack occurs when a malicious actor has guessed a password, intercepted it, retrieved it from a database, or mounts a successful brute-force or credential stuffing attack allowing them to gain access to your systems and resources. Many users tend to recycle passwords and share account credentials, increasing the likelihood of those details ending up in a database somewhere on the dark web.
How to Protect Against Compromised Credentials
Under a Zero Trust framework, any attempt to connect to a resource is treated as a potential breach until the end user proves otherwise. To ensure a seamless workflow that offers protection against compromised credentials, Agilicus AnyX leverages a single form of authentication by federating identity across unlike domains. Users and organisations only need to maintain a single set of credentials instead of an account per resource with multi-factor authentication requirements for access. This login flow and layer of identity verification offers enhanced protection against compromised credentials. Every user or user group has its assigned privileges and permissions that determine what resources they have access to, and what they can do with that access (read, write, admin).
What is an Insider Threat, Rogue Employees, and Employee Vulnerability
Similar to the issue of compromised credentials, employees can present security risks and attack vectors to your organisation. Generally they fall victim to social engineering, or are themselves compromised, but sometimes employees can go rogue and act maliciously against their employer. This attack vector is closely tied to compromised credentials and an over exposure to organisation resources.
Protect Against Rogue Employees with Precise Authorisation
With centralised authorisation management, multi-factor authentication, and detailed auditing, Agilicus AnyX empowers organisations with fine grained control and visibility of who is accessing their resources, what they are doing with that access, and when. By design, Agilicus AnyX enacts strict, least privilege access and introduces granular user, resource segmentation. In the event that an employee goes rogue, Agilicus AnyX delivers complete visibility and allows you to stop guessing to determine exactly what changes were made to the assets and when. On top of that, fine-grained authorisation controls guardrails users and limits the blast radius in the event of employee vulnerability. Administrators and operators can easily restrict privileges or remove access all through an easy to use web-based portal.
What is a Man in the Middle Attack
A Man in the Middle Attack (MitM) is when a malicious actor positions themselves between a user and an application, oftentimes to spy on or intercept communications. A successful MitM could even let a threat actor pretend to be the end user or the application with the goal of stealing credentials, personal information, and even financial data such as credit card numbers.
How to Protect Against Man in the Middle Attacks
A hacker trying to wedge themselves into the traffic will have a hard time both intercepting and following traffic with a Zero Trust Architecture deployment with Agilicus AnyX. Agilicus AnyX ensures all data in transit is always end-to-end encrypted with TLS (Transport Layer Security). With the Identity Aware Web Application Firewall, two outbound only connections (one from the user, one from the resource) meet in the middle, preventing a malicious actor from being able to follow traffic, or emulate the parties involved to trick their way into the network. With Agilicus AnyX, resources are essentially taken off the public internet while all activity is auditable. As a result, traffic cannot easily be followed, stopping attackers in their tracks.
What is a Distributed Denial of Service (DDoS) Attack
A distributed denial-of-service (DDoS) attack is executed when a single target is attacked by multiple machines, or a botnet to flood a network with more traffic than it can handle. A successful DDoS attack will prevent legitimate users from being able to gain access by exhausting system resources, ultimately crashing the target server or the network equipment serving it. This type of attack could be used as a diversion, can lead to a loss in revenue, or even result in tangible safety risks.
How Zero Trust Mitigates DDoS Attacks
Under a Zero Trust model, any outside network or traffic is treated as an adversary. A Zero Trust Architecture through Agilicus AnyX can help mitigate Distributed Denial of Service (DDoS) attacks by moving resources behind a secure cloud. Agilicus AnyX keeps vital network resources off the public internet (no ip) without limiting accessibility to authorised users. The platform uses an agent connector to create an outbound-only connection for a given resource and likewise for the authenticated user, allowing them to meet in the middle.
How Does Zero Trust Through Agilicus Work
The Agilicus AnyX platform is designed to balance enhanced security with a frictionless end user experience. Employees benefit from simple, secure access and an invisible IT security experience. Likewise administrators and operators are able to unify authentication and leverage precise authorisation with granular control of privileges and permissions all through a single pane of glass.
With Agilicus AnyX organisations can enact strict, least privilege access for their employees with the ability to centrally manage users and resources. Administrators have the ability to give users access to the applications they need with the ability to monitor and manage all activity through detailed audit logs. Behind the scenes all users and resources are segmented from each other and hidden from the public internet preventing an intruder’s ability to move east-west within a network. Without the ability to hop across resources, organisations benefit from a matured cyber posture and can very effectively limit the blast radius of any breach.
Deploying the Agilicus AnyX to Adopt Zero Trust
Agilicus AnyX is designed to ensure adopting advanced security is both easy and economical. Organisations can incrementally deploy the platform and scale adoption of Zero Trust at their own pace without requiring a VPN, appliance, or client. This incremental deployment approach means organisations can take realistic steps to mature their cyber posture within their means and overcome budget, time, and capability constraints, instead of it being an all or nothing project.
User onboarding through Agilicus AnyX is made simple with federated identity and single sign-on. Federated identity leverages existing individual user identities (Azure, 0365, Gmail, etc.) to assign access privileges. Any user, even from a non-company domain can be given access without having to issue yet another account or username and password. Agilicus doesn’t store credentials and instead employs the token generated via single sign-on to authenticate a user’s identity and align their access privileges. Multi-factor authentication requirements are easily enforced for verification of a user’s identity, requiring not just what a user knows (Account Credentials), but what they have (eg, device, one time password) to perform authentication.
Through a single, web-based portal, administrators are empowered with precise authorisation controls and the ability to pair users and resources. Centralised authorisation management and role-based access controls ensure granular control over user permissions and privileges. Combined with detailed auditing, Agilicus AnyX delivers control and visibility of users and resources, their privileges, and what they are doing with that access.
Boost security organisation-wide and protect your most valuable assets from cyber attacks by taking your most important resources off the public internet.
Reduce administrative overhead and help your IT or technical teams focus on high impact projects, with less time spent on administrative tasks.
Provide a safer way to collaborate across teams, departments, and external organisations with secure access to shared resources.
Reduce cyber risk without restricting efficiency or adding friction to your employee workflows.
End users are digitally enabled through simple, secure access with a frictionless experience with no changes to login workflows.
Organisations benefit from precise control of user and resource permissions with detailed audit trails to perform enhanced security analysis.
There seems to be an endless list of cyber threats that organisations have to face. Starting with the OWASP Top 10 and a slew of others, finding the right protection can be hard. Agilicus AnyX delivers a Zero Trust Architecture that shields your traffic from the public internet with precise control of permissions and privileges. Adopting a Zero Trust Architecture approach could offer your business the best line of defence against cyber threats.
A secure replacement to legacy perimeter-based network access, Agilicus AnyX provides a clear view of who is doing what, when, and for how long with an easy to access web-based portal for managing policies, roles, and access privileges. Your authorised users can get secure, frictionless access to applications, desktops, shares, and other corporate resources and services.