September 13, 2022 29 mins

In this episode Global Bob (Brian Varner) talks about Zero Trust network architecture methodology and what all it entails.  He also introduces the audience to the Signal messaging application.

Transcripts are automatically generated.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Unknown (00:00):
All right. All right, here we go. It is that time of

(00:05):
the week again, for the Globalbob Show. Globalbob Show, we are the crossroad of technology and politics. Man, listen to that rock and roll music. As always, it gets me fired up and ready to put on a show. This is episode number 24. Zero trust. I like to

(00:30):
thank everybody that tunes in every week. Of course, I like to thank those that spread the word about the show. As always, you can reach out to me on Facebook through our Globalbob Show Facebook group, or on Twitter at Globalbob Show, or on Gmail,

(00:51):
globalbobshow@gmail.com. It's so good to be here in the Richard Cook broadcast facility. I really enjoy putting these together. Sometimes I don't record there, as you guys and gals heard. I was out in Vegas a couple of weeks ago, so we recorded a show out there. And it was nice having a nice view of the pool and everything.

(01:13):
But really, I like to be in here where it all began, in the Richard Cook broadcast facility. So I'd like to thank a buddy of mine that reached out to me over the weekend. He said that he was doing some work outside, and he was catching up on the Globalbob Show. And he came across an

(01:36):
episode that sounded like, like, like the conversation that him and I had. So he hit me up on Signal and said, wait a second, that was me, wasn't it? I said, sure enough. So that's where I get a lot of my inspiration for these shows, is people that call or text and they ask me a question. So as always, I think,

(01:59):
well, if they had the question, then maybe some other people have the question. So why not put out a show on it? So I really appreciate him listening to the show and reaching out. So with that, we got the old cyber caddy fired up, made its way here to the studio. So let's dive right on into this. But before

(02:23):
we dive in, let me just stop here for a second. Now I used an application that I was communicating with my buddy. Now, he is a technologist himself. And so him and I, our preferred method of communications, if it's via text, we use Signal. So for some of my audience,

(02:44):
listeners that are not familiar with Signal, Signal is an application that you can download on your phone. They also have one you can download on your computer. I don't recommend the computer version of Signal. I prefer the ones on the device, which we can get into that more later. But

(03:08):
basically, it is end-to-end encrypted. Now end-to-end encryption means that whenever I send him a message, it's encrypted on my device. And that message stays encrypted as it goes through the cellular network and various IP networks.

(03:28):
And it comes down to his particular device, whether he's using his iPad or iPhone or Android tablet or phone, and then it's decrypted. Now, one of the reasons why I like to use Signal is, from, you know, you can go out there and do a lot of

(03:50):
research. But it's pretty, pretty secure. A lot of folks use like iMessage, and Google has their equivalent of something like that. Now they do do encryption on it. But you know, if you don't trust the phone manufacturers, or the people that are providing that service, then Signal is really good. You can also do encrypted phone calls with Signal, so it

(04:16):
would take and encrypt your voice traffic, and you can have a regular phone conversation over Signal. So I'm not saying that if you're into some kind of nefarious business that, you know, if you use Signal then there's no way anybody can eavesdrop on that information.

(04:38):
But for all intents and purposes, it is a pretty good platform to use. And that's what we use here at the Global Bob Show. One other thing I'll say about Signal is that if you're worried about, say, your significant other, or if you're worried about somebody having another device on your network.

(05:01):
I mean, we've talked about this in the past, where one of the ways that people read other people's messages is that they'll find their old iPad, or they'll find, you know, a device and put them on there for like iMessage. So every time you send an iMessage, it pops up on that device. Now, that's a way

(05:23):
that, you know, I mean, we've seen how people stalk people using that type. So with Signal, you can't really do that. Because if someone was to attempt to do that, then all parties that are involved with that Signal conversation will get an alert saying that the other person's device number has changed, and please verify. So anyways, I know I kind of went

(05:47):
off on a tangent on Signal, but it's a really good application. And if you really are paranoid, you can do things like turn on the disappearing messages. So if I send you a message, or you send me a message, after it's read, it disappears after a certain amount of time. So really good platform, just want to put that out there. If you all are looking for an

(06:10):
alternative, it's really simple. And that, you know, is encrypted and secured, then I would recommend Signal. So while we're talking about Signal, this is a great segue into what we were actually going to talk about today. And that is zero trust. Now, as I mentioned, most of my inspiration for the shows come

(06:30):
from people calling me throughout the week and asking me questions. Well, on this particular one, I've been working on a project for quite some time, using an application called ZeroTier. So there's a little plug there for ZeroTier. While I was out at DEF CON, I met up with the ZeroTier

(06:52):
folks. And I use the ZeroTier technology as a way to establish zero trust. So what is zero trust? Now, back in the day, when we had all these computer networks, and everything was interconnected, you would come to someone's office or their

(07:13):
home. And you would ask, hey, what's the Wi-Fi password so I can get on here? And this is really a problem for corporations. So people would come in, they would get on the Wi-Fi network so they can, you know, check their email and surf the web, or their vendor, maybe they need to download some

(07:33):
drivers to fix your copy machine. So once they were on that network, then they were on there as if they were someone that worked in that corporation, right? It was all kind of a flat network. We've talked about flat networks and IP subnetting and stuff in other episodes. But what started to happen is

(07:55):
that there were some breaches that made the news. I mean, one of the major ones was Target, and Target the grocery store chain had fallen victim to a highly sophisticated cyber operation. And it was discovered that the adversary had gained

(08:16):
access to Target's main network through the HVAC. So people that aren't familiar with the term HVAC, that's basically the air conditioning system and heating systems at the Target store. And what had happened was that those devices needed to be monitored. And so they just put them on the network. Well, when

(08:41):
someone came in, an adversary came in and was able to compromise the HVAC system network and then jump over. And that's really when this zero trust, to me, I started hearing a lot about it. Now, like I said, back in the day, your house is probably like this, and probably a lot of small businesses are

(09:03):
like this: you have a firewall on your perimeter, right? And that firewall is blocking things that are coming in from the internet. We've talked about in a previous podcast episode the whole idea of how an adversary lands on a network, right, they have to land and then expand. And that's why we get a lot of spam emails,

(09:27):
because once you click on a link or you go to a site, your computer is going out into the wild west of the internet. And then there's bidirectional communication. So that whole land and expand is what zero trust tries to mitigate. So like

(09:48):
I said, someone comes to your house, they're on your network, and they can get to wherever. It's kind of like back in the day where they had the cartoon, and it said, how many licks does it take to get to the Tootsie Roll center of a Tootsie Pop? Well, then the person takes a big bite, says, the world may never know. So all these layers of defense have traditionally been

(10:09):
from the outside coming in. But once you're in, you're in that soft, gooey center, and you can move laterally across the networks. And so with that type of security model, that's kind of like the castle and the moat, right? So once you're inside the castle, and you know, they check you out at the door, you come in, and you can, you can move

(10:29):
around. But now, as we mentioned in other podcast episodes, is crypto, where ransomware, crypto viruses, that's what's happening. They're getting on these networks, and they're expanding. And so what the zero trust model is, not, don't think of it as a piece of software.

(10:55):
And don't think of it as just something that you install. It's more, well, it actually is a methodology for the way of setting up networks. Now, you can dig down into the zero trust model, and get as deep as you want. But the best way to think about zero trust and setting up networks in a zero trust model

(11:19):
is kind of like the classification of documents and people that access those documents. So you get someone that needs access to classified information. What do they do? They check them out, they may do a background check, they want to make sure they actually have a need to know. And so then once

(11:40):
they get access to that, then they get what they call least privileged access, which is access to just the documents they need. So the government, they've gotten it right, they've been doing this for quite some time. But it's with like physical folks accessing physical systems. So with the zero trust model, when you start setting it up, you look at the

(12:02):
devices that are coming in and out of your network. And a good example of this is these IoT devices. I call them the internet of toys, even though it's called the Internet of Things. But a lot of these devices that are being put on the network, they really don't need to have access to every

(12:27):
other part of your network. So if you take your typical security system that's at someone's office, well, if a guest comes in and asks, hey, what's the Wi-Fi password, they get on the Wi-Fi network, they can get to those security cameras, those security cameras can get to, say, the file server.

(12:48):
But when you implement the zero trust model, you take those security cameras and, through software, or through firewalls and various applications, you limit their access to, say, those security cameras are just recording footage, that footage

(13:09):
is going to the security camera DVR server. That's, you know, it could be at your place of business, or it could be up in the cloud. But you put controls around those security cameras to say those cameras can only communicate with that DVR server. There's no reason for anybody to communicate on a

(13:30):
regular basis directly with the security camera. And when you do that, what you've done is lowered the potential for that security camera to be part of your breach. Now, that's something that's very, very common, you know, these security cameras, these IoT devices, we mentioned with Target, the HVAC

(13:53):
control system, these computers that are, you know, managing the systems, even the little cheap security cameras, most of them are running full-on operating systems that have, you know, a lot of other things in there that aren't necessarily needed for security cameras. So that's why they become a real ripe

(14:14):
target. Because one, you know, there's no security antivirus. I mean, there are some things, like if you get into the real high end, where you can put some clients on there, but let's just say for all intents and purposes, you don't have antivirus on security cameras. You don't log into a security camera and have a firewall. So what you're doing is you're

(14:37):
creating a barrier around there. So one, those security cameras, if, say, the manufacturer, which is a big deal, we'll probably do a whole other podcast on source code supply chain integrity, but a lot of these cameras and IoT devices, they're coming from overseas, and so they could already be pre-installed with malware or other systems that

(15:00):
allow for backdoor access. So if that is the case, and you've implemented your zero trust model, then those cameras will not be a threat, because they can't go anywhere. Now, I know that I really, you know, like to use examples that are way out

(15:20):
there with a security camera. But if you bring it in a little bit closer, and you think about the people that are at your office that have access to your network, right, I know that most people that I talk to on a regular basis, my small business owners, they don't have

(15:43):
anything internally. So that's limiting the communications from computer to computer. That's why I get the crypto virus call a couple times a month: hey, you know, we don't know where it came from, but all the computers, we walked in, well, instantly, you know, there's probably not a zero trust model implemented.

(16:04):
But when you think about the computers on your network, think about the people that are using those computers. Do they really need to have unfettered access to your network? A lot of times, there are situations where really the only thing that

(16:25):
one computer needs to talk to on the network that, you know, needs to kind of be open is a printer, because now most people that I know, they're using SharePoint and Microsoft Office and Google Docs, and so all of their information is stored up in the cloud. And there's really not a reason for, say, Bobby's

(16:47):
computer to talk to Jimmy's computer, because there's no transactions happening, right? Bobby's stuff's all up in the cloud, Jimmy's stuff's all up in the cloud. So when you get to your office, and if you can, you know, ping another computer on the network, then chances are you're not set up in a zero trust model. And why is that a big deal? Like we

(17:09):
mentioned with the crypto viruses, it is a big deal. So something that you all can do, I like to give everyone, you know, little easy things they can do to lower their victim potential, is to turn on what they call client isolation. Now, this isn't the full implementation of a zero trust model. But it's a

(17:30):
way to, to get, you know, the computers isolated, which is called client isolation. And most of the time, your Wi-Fi routers and your business routers, even my home router does this, you just click client isolation. And that way, those folks that are isolated, they can only get directly out to the

(17:53):
internet. And therefore if they download some malware onto their computer, they're not going to be able to spread it around your house. Now, most of you all that have routers at your house or at your office, you probably do have a guest Wi-Fi network. And when you bought the router, it says, hey, do you want to have guest Wi-Fi, you click the OK button. And most of the time,

(18:17):
behind the scenes, what the manufacturers of those routers are doing is essentially creating another network that has client isolation. So your guests get on that network, and they can only get out to the internet. But what you want to be careful of, you don't want to just willy-nilly turn this thing on. Because, say, at your house, if you need to access your

(18:39):
television, or you need to access other peripherals on your network, if you turn on client isolation, you won't be able to get to it. So think about, if you want to take some, some preliminary steps, just create a Wi-Fi network, turn on guest isolation. And then just because it's called a guest network doesn't mean it just has to be used for guests. So going back to

(19:03):
the office network, right, so you have this guest Wi-Fi, think of it more as like an untrusted device network. And so if you have somebody at your, at your office that all they need to do is access the internet and Google Docs, and they don't need to, you know, access anything else at that office, just put them on the guest network. Now, about the only thing I will say

(19:25):
you do have to tune a little bit is that if you have like an office printer, like a network printer, and they need to be able to print to that, then you would need to put in some rules to do that. So think of the zero trust model as basically a way to put devices on your network and specify directly what

(19:50):
resources they should have access to. Now, zero trust is all the rage, and so as always, I like to give a little bit about how did we get here. So it's one of those buzzwords, that I can tell you. Now, if I'm cruising the internet, some of these technical sites, I'll get all kinds of advertisement for zero

(20:11):
trust. And like I said, it's, it's not a piece of software, it's more of a methodology, of which I highly support. But it's not new. Right? So in 1994, a guy by the name of Stephen Marsh, he coined the phrase zero trust at the University of

(20:32):
Stirling. Now, if you think about 1994, we've talked about this in another podcast, of, you know, how the Internet came to be, and when people started using the internet. So this guy, he was already thinking about zero trust back in 1994. Now, that's before, you know, a lot of offices were networked and everybody had a computer on their desk. So going forward, we

(20:55):
find out in 2010, Joseph Kindervag of the Forrester group, now, Forrester, they're a research and analyst arm. And so if you're involved with cybersecurity, then you know Forrester is a big deal. But what he did was he started laying down stricter policies and a stricter framework

(21:17):
for zero trust in 2010. And then, of course, in 2018, the government's cybersecurity research folks of the NIST. Now, if you're not familiar with NIST, NIST stands for the National Institute of Standards and Technology. And these are the brainiacs that work for the government. So they started

(21:39):
talking about the zero trust, and how it should be implemented. And then in 2019, the UK National Cyber Security Centre, they actually started recommending that network engineers and network professionals start down this zero trust model. Now, like, like a lot of technology, we

(22:01):
have a lot of visionaries that started this and had the vision of a zero trust way before it became cool. So from 1994 up until 2019, that was kind of the incubator times for this zero trust. And then we all know what happened with COVID, right? Everybody went home, you had all these folks that were

(22:23):
interconnecting. And now, zero trust became even more important, because you have company resources at people's houses, on their home network. And, you know, the companies don't know, could the laptop or device become infected on the home network, and then when they VPN into the corporate network, they

(22:44):
spread that, divide the viruses. And so for network administrators, this was a rough thing, right? How do you have these devices that are on these, you know, you want to call them, for all intents and purposes, a dirty network, and now they're going to come onto your corporate network virtually. And you want to make sure that you limit what

(23:07):
those devices can access? So I know in industry, a lot of my friends, they started going through like, holy moly, how do we, how do we protect against this? You know, it's one thing if they got their laptop, and every now and again, you know, they work from home and stuff, and now you got people full-time working from home. And I don't want to get into too many technicalities of this. But another major thing that

(23:30):
happened when everybody started working from home, they had a huge increase of traffic coming into the corporate network, because a lot of the VPNs were set up in what they call full tunnel mode. And full tunnel mode means all the traffic, right, no matter what, if you're going to Google, then that company device was going to make its way through the VPN and

(23:51):
go out the corporate firewall to Google. Well, you can imagine 1000s and 1000s of people working from home, that was something that just did not scale out, because all of their internet traffic was coming through. So they implemented something called split tunneling, and split tunneling, and I want to really tread lightly here and not get too technical,

(24:12):
split tunneling meant that the person's working from home, and if they went to Google or any site out on the internet, they would go out through their home connection, but then if they needed to access a company resource, then they would go through the VPN connection, right? So that's called split tunneling. And what made that become a real threat is that

(24:34):
now someone could go to a website on their corporate device. And let's say that website had a zero day on it, so it wasn't detected by the antivirus installed, and so that computer would get compromised while there's also, it has a link to the corporate office, and so someone could come down to that

(24:56):
device and then tunnel in to the network. It's called split tunneling, right. And so that really had a lot of my friends in industry start thinking, hey, we got to get the zero trust model down. And so one of the programs that I recommend is one called ZeroTier. Now these guys have been around for a long

(25:16):
time. I actually met up with them whenever I was out at Black Hat and DEF CON, actually met them over on the DEF CON side. And these guys have been doing zero trust for a long time. And also too, it's a software-defined WAN, which we can get into more of that later.

(25:37):
But they really do a good job, I say they do an excellent job, for people that don't want to go out and hire a whole big staff to do this zero trust, and, you know, that just need to have basically folks that are working from home, but then come to the office sometimes. So you can download their software and

(25:59):
put it on the computer. And what that will do is basically give you a way to implement zero trust. Now we're not going to get into all the details of it. But if anybody's looking to implement a zero trust network, then I would recommend ZeroTier. So we're approaching the bottom of the half hour here.

(26:22):
And as always, I like to thank everybody that has rode along here as we cruise the highways and byways of cyberspace. And like I said, sometimes these episodes may dabble a little bit on the technical side. But if you can just take one little small nugget away from each one of these, then I think that I'm

(26:44):
doing my job. So just to sum it all up. Basically, in the old days, we had the old castle and moat system. And now we need to move to a zero trust system. And very simply, it's: hey, you can come on, come on in the castle. But we're only going to give you

(27:04):
access to the things that you need to have access to. And we're going to block everything else. Pretty simple. And if you need to get to that resource, and it's blocked, then your friendly network administrator, I'm sure, will be more than happy for you to put in a request and they will unblock that resource. And also too, one of the dividends that zero trust serves, not just

(27:30):
to, you know, I'm not saying that you won't ever fall victim to crypto ransomware if you have zero trust, but one of the things zero trust does is allows for you to show your auditors, if your industry is one that is under the, you know, the scrutiny of auditors. You know, a lot of times they want to see your firewall rules and how you protect your network. And as

(27:54):
soon as you start down the path of, you implement a zero trust system, trust me, the auditors are like, okay, these people know what they're talking about. And they can produce whatever artifacts they need during those audits. So like I said, if anything, implement it at your house, on your guest network, to let those folks get directly out to the internet and not touch your internet of toys or

(28:16):
TVs or anything at your house. And if you're at your small business, just do the same thing and put people on that guest Wi-Fi network until they actually have a business need to get on the other side of the network where they can, you know, have more access to devices and stuff. So as I say, Rome was not

(28:38):
built in a day and neither was cybersecurity, as we've testament to during these podcasts. So with that, I will see everybody next week. And if you have any questions, comments or concerns, you can reach out to me via the various channels and I will try to get back to you as soon as possible. See you

(29:01):
soon.