6579b74e zero day

Zero Day Zero Trust Is Your Defense in Depth

Zero Trust. The principle of limiting access to user resource pairs. It is part of a good defense in depth strategy. Defense in depth means having multiple layers, each augmenting and overlapping each other. It means you have a fallback position if something is breached. And, for a Zero Day, that breach happens suddenly and without warning. Zero Day Zero Trust are good complements.

Recently vmware announced a 9.8 CVE in something that is the core of many networks today, vSphere. In a nutshell, walk all over your world if you have any network access. Now, many of you will say, but I have a firewall and a VPN, I am safe. Good for you. You have done a small piece of Defense In Depth, and, I hope enough. But, you have certainly not done all you could. You see, that VPN+Firewall creates a ‘outside bad inside good’ mentality. You have something inside with infinite risk. And, you have no controls on how things that, once they are inside, can wander around.

Perhaps a phishing attack will influence a user to click on something that causes their browser to wander over to your vSphere system? Perhaps a lower security system will get a wee bit of malware on it? But, they can escalate upwards.

The description for this vmware problem says “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.” Hmm, your browser inside the network. It has access to port 443. You can be tricked into running JavaScript that will do so.

Or maybe you have put port 443 in your vsphere into some sort of DMZ and its not really firewalled? After all, its encrypted, TLS, it must be secure, right?

In a zero trust model, the user to that lower security system would be authorised, but, not able to get to the vSphere system. It would augment that firewall + vpn model, and, prevent that lateral attack that you are now worried about. You will still need to get the patch applied (patch early patch often), but, the defense in depth inherent would lower the risk, lower the urgency.