I’ve deprioritized Substack and therefore don’t see Erich Winkler’s posts any more, but I do receive his Decoded Security emails.
And a recent one announced a quiz.
“Most people drift through cybersecurity without a clear direction.
“They watch random YouTube videos. They start certifications they never finish. They burn months going nowhere.
“Sound familiar?
“It is called the Cybersecurity Path Finder.
“A 60-second diagnostic that gives you a personalized reading list from the Decoded Security archive based on your background, your goals, and where you are right now.”
There are all sorts of apocalyptic literature: apes taking over the world is but one example. But the scariest thing I’ve read lately was published by Factonic.
“Imagine waking up one morning and realizing that every password you’ve ever created has suddenly stopped working. Your bank account, social media profiles, and even your email are either completely locked or frighteningly exposed. There’s no reset option, no backup plan—just instant confusion and panic.”
Factonic believes that massive hacks, quantum computing power, and other catastrophic events could eliminate password protections.
“In the first 24 hours after passwords stop working, the digital world would slip into chaos.
“Banking systems could either freeze to prevent unauthorized access or come under heavy attack as bad actors try to exploit the sudden vulnerability, leaving people unable to access their money or complete transactions.
“Social media accounts would be rapidly hijacked, spreading misinformation, scams, or malicious content as users lose control of their profiles.
“Meanwhile, businesses would likely shut down access to their platforms entirely in an attempt to contain the damage, halting operations and cutting off services to millions of users.”
…those same hacks and power could also affect all the other factors. Imagine quantum computing power that could generate matching fingerprints, faces, behaviors, and identity documents in seconds. As I said in 2021:
“But wait a minute. Isn’t it possible to spoof biometrics? And when a biometric is compromised, you can’t change your finger or your face like you can with a compromised password. And the Internet tells me that biometrics is racist anyway.
“So I guess “biometrics are dead” too, using the “passwords are dead” rationale.
“And we obviously can’t use secure documents or other “something you have” modalities either, because “something you have” is “something that can be stolen.” And you can’t vet the secure document with biometrics because we already know that biometrics are spoofable and racist and all that.
In a previous post I looked at the Biden Administration Executive Order 14028 – Improving the Nation’s Cybersecurity, including its championing of Zero Trust Architecture (ZTA) and least-privilege access.
During the Biden Administration, the Office of Management and Budget issued a related memorandum, M-22-09 (PDF), that dictated a particular approach. Again, ZTA was emphasized.
And the OMB proposed an action plan:
This memorandum requires agencies to achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024. These goals are organized using the zero trust maturity model developed by CISA. CISA’s zero trust model describes five complementary areas of effort (pillars) (Identity, Devices, Networks, Applications and Workloads, and Data), with three themes that cut across these areas (Visibility and Analytics, Automation and Orchestration, and Governance).
Naturally I’m interested in the identity part.
Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms.
Agencies must use strong MFA throughout their enterprise.
MFA must be enforced at the application layer, instead of the network layer.
For agency staff, contractors, and partners, phishing-resistant MFA is required.
For public users, phishing-resistant MFA must be an option.
Password policies must not require use of special characters or regular rotation.
When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user.
Did the Federal Government accomplish the OMB M-22-09 identity objectives?
Sort of.
While some agencies mostly moved to centralized systems, some legacy systems didn’t transition.
Authentication moved away from weak MFA (such as sending an SMS to a device as the second factor).
Device signals aren’t fully implemented. To give one example, dynamically blocking access in real time when a virus is detected is NOT fully operational. But this is challenging when you consider all the computers, smartphones, and other devices (including Internet of Things devices) that are managed.
But the government said (in a 2024 Impact Report) that the government performed well.
In effect, OMB M-22-09 is now a legacy document since the 2024 deadline has passed. But it’s still referenced, somewhat, in government cybersecurity efforts.
Are you meeting your prospects’ zero trust needs?
If Bredemarket can help you with strategic and tactical analysis, content, and proposals that address the zero trust architecture, set up a free meeting with me to discuss your goals.
Phishing-resistant government systems are no longer a “nice-to-have,” but are now a federal mandate. Government agency information technology (IT) leaders are compelled to meet Zero Trust Architecture (ZTA) mandates.
As you can see from the sections quoted below, the Federal Government agency emphasis focuses on:
Zero Trust Architecture, which supersedes the prior notion that the “internal” portions of a network can be trusted. Threats can come from anywhere.
Securing cloud implementations, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
Least-privilege access, in which each user (this was when users were assumed to be human) only has the privileges they require.
Section 3, Modernizing Federal Government Cybersecurity
(a) To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.
(b) Within 60 days of the date of this order, the head of each agency shall…
(ii) develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them…
(c) As agencies continue to use cloud technology, they shall do so in a coordinated, deliberate way that allows the Federal Government to prevent, detect, assess, and remediate cyber incidents. To facilitate this approach, the migration to cloud technology shall adopt Zero Trust Architecture, as practicable. The CISA shall modernize its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with Zero Trust Architecture….
(i) Within 90 days of the date of this order, the Director of OMB, in consultation with the Secretary of Homeland Security acting through the Director of CISA, and the Administrator of General Services acting through FedRAMP, shall develop a Federal cloud-security strategy and provide guidance to agencies accordingly. Such guidance shall seek to ensure that risks to the FCEB from using cloud-based services are broadly understood and effectively addressed, and that FCEB Agencies move closer to Zero Trust Architecture.
Section 10, Definitions
(k) the term “Zero Trust Architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever.
The Bredemarket sales pitch
Can Bredemarket help you describe your zero trust architecture solution? If so, set up a free meeting with me to discuss your needs.
If you were involved in computing in the 1990s, you knew all about firewalls and their ability to block outside threats. The firewall protected a safe enclosed area.
The first line of defense against external threats to computer systems and networks is a firewall. Whether a computer is in a corporation, government agency, university, small business, or home, if it is connected by a network to other computers, its resources, plans, and data are at risk–and so is the reputation of its owners. A firewall can help reduce that risk to an acceptable level.
Firewall technology is a set of mechanisms that collectively enforce a security policy on communication traffic entering or leaving a guarded network domain. The security policy is the overall plan for protecting the domain. Embodied in hardware, software, or both, a firewall guards and isolates the domain…
And yes, we really believed this.
Now we don’t. Because our remote servers have expanded into something we now call the “cloud,” our computing devices now include souped-up telephones, and everything is provided “as a service.” There is no longer an inside and outside, and threats can come from anywhere.
On Monday I will share a post on Zero Trust Architecture, which repudiates the firewall model.
When I posted (two times) the fact that International Mobile Equipment Identity (IMEI) numbers are NOT a reliable way to ascertain the identity of a user, I was pooh-poohed.
I can’t say WHY I’m looking at bash script vulnerabilities, but they’ve been around since…well, this Kaspersky article is based upon CVE-2014-6271.
“The “bash bug,” also known as the Shellshock vulnerability, poses a serious threat to all users. The threat exploits the Bash system software common in Linux and Mac OS X systems in order to allow attackers to potentially take control of electronic devices. An attacker can simply execute system level commands, with the same privileges as the affected services….
“But just imagine that you could not only pass this normal system information to the CGI script, but could also tell the script to execute system level commands. This would mean that – without having any credentials to the webserver – as soon as you access the CGI script it would read your environment variables; and if these environment variables contain the exploit string, the script would also execute the command that you have specified.”
An authorization nightmare as a hostile non-person entity runs amok.
And it’s still a threat, as two recent CVEs attest…and that’s all I’ll say.
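Two defender-side checks for the Shellshock mechanism the Kaspersky article describes, as an added example that is not from the article or from this blog; the log lines are constructed and the function names are my own:

```shell
#!/bin/sh
# Added defensive example, not code from the Kaspersky article or this blog.
# Shellshock (CVE-2014-6271): pre-patch bash treated any imported environment
# variable whose value began with "() {" as a function definition and kept
# executing whatever followed the closing brace. A CGI wrapper exports request
# headers into the environment (User-Agent becomes HTTP_USER_AGENT), so a
# header with that prefix reached bash. Two defender-side checks follow.

# 1. Does the bash on this host still import plain "() {" variables?
#    This is the widely published self-test: a patched bash ignores the
#    variable and prints only "ok". Outputs: patched, vulnerable or no-bash.
check_local_bash() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo ok' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# 2. Scan access-log lines for the signature. Constructed sample (Apache
#    combined format, not real traffic); lines 2 and 4 carry the prefix in
#    the User-Agent and Referer fields respectively.
SAMPLE_LOG='10.0.0.5 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Sep/2014:10:02:14 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
10.0.0.5 - - [25/Sep/2014:10:02:20 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.12 - - [25/Sep/2014:10:03:01 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :; }; echo probe" "curl/7.37"'

# Flagged lines: the literal prefix is the reliable signature, because the
# vulnerable importer matched exactly the four characters "() {".
shellshock_hits() {
    printf '%s\n' "$SAMPLE_LOG" | grep -F '() {'
}

# Number of flagged requests.
count_shellshock_probes() {
    shellshock_hits | wc -l | tr -d ' '
}

# Distinct client addresses (first log field) that sent a flagged request.
shellshock_sources() {
    shellshock_hits | awk '{ print $1 }' | sort -u
}

echo "local bash: $(check_local_bash)"
echo "flagged requests: $(count_shellshock_probes)"
shellshock_sources
```

On a real server, replace SAMPLE_LOG with the access log of the CGI host; the same prefix search applies to a WAF or reverse-proxy header filter.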
I was working with these sectors back when I was at MorphoTrak.
“There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience advances a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure. This directive supersedes Homeland Security Presidential Directive 7.”
Cybersecurity professionals need to align their efforts with those of the U.S. National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE). Download the NCCoE project portfolio, and plan to attend the February 19 webinar. Details below.
“The NIST National Cybersecurity Center of Excellence (NCCoE) is excited to announce the release of our inaugural Project Portfolio, providing an overview of the NCCoE’s research priorities and active projects.”
“The NCCoE serves as a U.S. cybersecurity innovation hub for the technologies, standards, and architectures for today’s cybersecurity landscape.
“Through our collaborative testbeds and hands-on work with industry, we build and demonstrate practical architectures to address real-world implementation challenges, strengthen emerging standards, and support more secure, interoperable commercial products.
“Our trusted, evidence-based guidelines show how organizations can reduce cybersecurity risks and confidently deploy innovative technologies aligned with secure standards.”
Formal and informal collaborations with other entities.
The NCCoE’s four pillars: Data Protection, Trusted Enterprise, Artificial Intelligence, and Resilient Embedded Systems.
The “forming,” “active,” and “concluding” projects within the pillars, with links to each project.
For example, one of the listed AI projects is the Cyber AI Profile:
“Recent advancements in Artificial Intelligence (AI) technology bring great opportunities to organizations, but also new risks and impacts that need to be managed in the domain of cybersecurity. NIST is evaluating how to use existing frameworks, such as the Cybersecurity Framework (CSF), to assist organizations as they face new or expanded risks.”
This group has published its roadmap, including workshops, working sessions, and document drafts.
And if you are a cybersecurity or identity company needing to communicate how your product protects your users, Bredemarket can help you bring your message to your prospects.
Book a free meeting with me and let’s discuss how we can work together.
Here are details on how Bredemarket works: its services, its process, and its pricing.