How to evaluate security vendors for a Zero Trust strategy to combat phishing-led attacks

Before I get to the point, I need to frame your thinking. I promise it will make perfect sense.

How to select a vehicle

  • Fuel (e.g. Jeep) or
  • Electric (e.g. Tesla)

Fuel or electric? That's the first question we answer before it's possible to select a vehicle, followed by a specific model.

The most obvious difference between electric vehicles (EVs) and standard internal combustion engine (ICE) models is that ICEs are powered by fuel, while electric vehicles are powered by electricity. Hybrid systems are in fact fuel-run vehicles to which a small electric motor and battery have been added.

There's no need to explain how each one works, or why they're different. It only matters that you nod your head in agreement when I point out that the industry has different classifications to categorize different types of vehicles. This makes it easier for companies to comply with regulations and best practices, while making it easier for consumers to make better informed choices.

Now that you're in the right frame of mind...

My goal is to make it very easy for anyone to tell the difference between "traditional cybersecurity" (fuel), and Zero Trust (electric). The fundamental differences between the two concepts are so stark, you can only select one.

Zero Trust for URL & Web Access Authentication

  • Traditional Security (Proofpoint)
  • Zero Trust (MetaCert)

"Trust no URL, always verify"


Traditional cybersecurity or Zero Trust? That's the first question you must answer before you can even think about vendors and their solutions.

  • Traditional security is designed to trust every URL on the Internet. Only URLs that are classified as suspicious or dangerous are blocked.
  • Zero Trust is designed to do the complete opposite - trust no URL on the Internet, except for URLs that are verified.

Let's frame your thinking one more time...

A password manager is a device or application that stores all your passwords, as well as the URL for each website, app and service that you verify, in a vault. When using a browser-based password manager, it will NEVER auto-complete the username and password fields if it doesn't recognize the URL as the one tied to the password. This is Zero Trust authentication.

If some vendors decide to check the legitimacy of every URL with AI instead of comparing them with URLs already verified in advance, it would feel like a game of Russian Roulette every time you sign into a site, app or service. You would never know if you fell for a phishing-led attack until it's too late. This is how the entire concept of traditional security works - i.e. not Zero Trust authentication.

Zero Trust URL & Web Access Authentication

Similar to how password managers work, Zero Trust for URL & Web Access Authentication requires the verification of URLs up front. When using a browser-based security extension that's powered by Zero Trust, it will NEVER allow you to access a malicious ad, link, URL, download, webpage or service, if it doesn't recognize the URL. This is Zero Trust authentication.

If some vendors decide to check the legitimacy of uncategorized URLs with AI instead of comparing them with URLs already verified in advance, it would feel like a game of Russian Roulette every time you sign into a site, app or service. You would never know if you fell for a phishing-led attack until it's too late. This is the approach that has been taken for anti-phishing security since it was first discovered on the AOL network in 1996.

Why isn't every person and entity protected by Zero Trust URL & Web Access Authentication, if it's so great?

  • While the market for electric cars, bikes, and scooters is well established, industry has yet to launch electric buses.
  • While the market for Zero Trust implementations for identity, app, device, and network data authentication is very well established, the concept of "URL & Web Access Authentication" is VERY new.
  • There's nothing new, special or different about the technology behind a Zero Trust implementation - it's just a different model. Instead of relying on a "threat" dataset, security relies on a "verified" dataset.
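The following JavaScript is an added illustration of the two models described above (the password-manager analogy, and the "threat" dataset versus "verified" dataset point in the last bullet). It is not MetaCert's, Proofpoint's or any vendor's code. The verified-origin set, the threat-host set and the sample URLs are constructed for the example; origin normalization uses the standard WHATWG URL parser that browsers and Node.js provide.

```javascript
// Added example: allow-list ("verified") URL check beside a deny-list ("threat") check.
// Not any vendor's code; every dataset below is constructed sample data.

// Constructed "verified" dataset: origins (scheme + host + port) verified in advance.
const VERIFIED_ORIGINS = new Set([
  "https://www.paypal.com",
  "https://paypal.com",
  "https://app.slack.com",
]);

// Constructed "threat" dataset: hosts already classified as dangerous.
const THREAT_HOSTS = new Set(["paypa1-login.example"]);

// Reduce a URL string to its origin with the WHATWG URL parser.
// The parser lower-cases the host, drops a default port, converts Unicode
// hosts to punycode and separates userinfo from the host, so lookalikes
// can never collapse onto a verified origin. Unparseable input yields null.
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.origin;
}

// Zero Trust model: "trust no URL, always verify". Only an exact match against
// the verified dataset is "verified" (green shield); everything else, including
// brand-new lures nobody has reported yet, is "unverified" (grey shield).
function zeroTrustVerdict(urlString, verified = VERIFIED_ORIGINS) {
  const origin = originOf(urlString);
  if (origin === null) return "unverified";
  return verified.has(origin) ? "verified" : "unverified";
}

// Traditional model: trust every URL unless its host is already on the threat list.
function denyListVerdict(urlString, threats = THREAT_HOSTS) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return "blocked";
  }
  return threats.has(url.hostname) ? "blocked" : "allowed";
}

// Constructed sample URLs. The middle four are the shapes a counterfeit login
// page typically takes; none of them is on the threat list yet.
const SAMPLE_URLS = [
  "https://www.paypal.com/signin",                    // verified origin
  "https://PayPal.com:443/myaccount",                 // same origin, odd spelling
  "https://paypal.com.account-review.example/login",  // brand as a subdomain
  "https://paypal.com@evil.example/login",            // brand in the userinfo part
  "https://pаypal.com/",                              // Cyrillic "а" homoglyph
  "http://www.paypal.com/signin",                     // plaintext downgrade
  "https://paypa1-login.example/",                    // already on the threat list
];

// Run both checks over the samples and return one row per URL.
function compare(urls = SAMPLE_URLS) {
  return urls.map((url) => ({
    url,
    zeroTrust: zeroTrustVerdict(url),
    traditional: denyListVerdict(url),
  }));
}

for (const row of compare()) {
  console.log(`${row.zeroTrust.padEnd(10)} ${row.traditional.padEnd(8)} ${row.url}`);
}
```

Running it with node shows the divergence the article describes: the four unreported lookalike and downgrade URLs are "allowed" by the threat list but stay "unverified" under the verified list, while the two genuine PayPal URLs pass both. The one URL already on the threat list is the only case where the traditional model blocks anything.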

More about Zero Trust as a concept for cybersecurity

The concept of "Zero Trust" for cybersecurity is very well established. I've taken the following two paragraphs straight from Palo Alto Networks:

"Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization’s network architecture. Rooted in the principle of “never trust, always verify,” Zero Trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control."

"Zero Trust was created by John Kindervag, during his tenure as a vice president and principal analyst for Forrester Research, based on the realization that traditional security models operate on the outdated assumption that everything inside an organization’s network should be trusted. Under this broken trust model, it is assumed that a user’s identity is not compromised and that all users act responsibly and can be trusted. The Zero Trust model recognizes that trust is a vulnerability. Once on the network, users – including threat actors and malicious insiders – are free to move laterally and access or exfiltrate whatever data they are not limited to. Remember, the point of infiltration of an attack is often not the target location."

Zero Trust SMS

Why not provide you with another example of how Zero Trust has the potential to completely eradicate phishing threats that involve deceptive hyperlinked text and URLs.

SMS is the best implementation to demonstrate the power of a Zero Trust strategy that I can think of.

If you enjoyed this article you might also be interested in why phishing is NOT new or sophisticated.

I hope you found this article useful.

Please feel free to get in touch by way of a LinkedIn connection request, or email me directly at [email protected] if you'd like to learn more or provide feedback. Learn more about the journey that took me here.

About me in the context of this article

There's absolutely no need to read below this text. What's above is all that's needed. Below is a list of things that might lend credibility to what I say, because most of what I say is disputed by most security professionals that I speak to - hence the problem with phishing attacks. They've never experienced autonomous driving in a Tesla - the experience enjoyed by MetaCert members over the past few years. Now that it's a proven model with zero victims, it's time for us to make it accessible to the world.

I'm not a "cybersecurity veteran". I know nothing about reverse-engineering malware, for example. That's way above my pay grade of intelligence. I never attended university, so formal qualifications weren't in my purview. I live at the intersection of social engineering, messaging, URLs, consumer technology trends, and the mindset of victims and their attackers.

  • I have dyslexia, which is great for many things, including critical thinking, problem solving, and seeing things differently. It helps me to see patterns and join dots in a way that more qualified or experienced people might not see or comprehend.
  • I have ADHD and tend to be creative and "hyperfocused" on things I find interesting and important. ADHD comes with other superpowers, and of course weaknesses. One of those weaknesses is "how" I communicate - I can sometimes be perceived as "sales-like" or "side-tracking". This is down to ADHD amplifying my passion and desire to explain what's inside my head.
  • Phishing was first discovered on the AOL network in 1996, where I was one of the first people impersonated for the purpose of phishing AOL members inside email, chat rooms, and instant messenger (IM). More here.
  • Helped to launch AOL Instant Messenger (AIM) as the Global Test Manager, and International Beta Coordinator for AOL UK in 1997. This is relevant because it's when I first went deep into messaging.
  • Co-founded the global standard for URL Classification at the W3C in 2004, the standards body for the World Wide Web - formally replacing PICS as a Full Recommendation in 2009.
  • One of the seven original founders of the W3C Mobile Web Initiative in 2004.
  • First person to re-write Tim Berners-Lee's vision of "One Web" at the W3C, for the purpose of defining what "the web" is, in the context of small mobile devices.
  • Built the first URL-based security service for smartphones in 2010 (API).
  • Built the first URL-based security service for mobile apps in 2013 (API service with a family of foundational patents that were issued before most people even knew what a WebView was).
  • Built the first URL-based security service for HipChat in 2015 (integration).
  • Built the first URL-based security service for Slack in 2015 (integration and chatbot).
  • Built the first URL-based security service for Skype in 2016 (chatbot).
  • Built the first URL-based security service for Messenger in 2016 (chatbot).
  • Built the first anti-phishing security service for Telegram in 2016 (chatbot).

Switched from traditional security to Zero Trust in December 2017

  • Built the first dataset of verified URLs in 2017. This was right after we eradicated phishing on Slack for the cryptocurrency world because we wanted to see a world in which there were zero victims.
  • Built the first browser-based security service powered by Zero Trust URL & Web Access Authentication, in December 2017 - for complete desktop protection. This is the only product/tech that's currently promoted on metacert.com.
  • Built the first anti-phishing security service for cryptocurrency wallets in 2018 (Zero Trust).
  • Currently building the first security service for SMS (Zero Trust). Info and demo.
  • We would have built the security service for SMS in 2020 if we believed mobile operators cared enough to pay for it. As soon as FluBot malware hit Europe we knew operators would be forced to do something.

Pivotal moment for the future of Internet Security and MetaCert - Q4 2017

One victim was one too many for us. It got personal because we got to speak directly, in real time, with victims across Slack communities. Every dangerous URL has the potential to end relationships, prevent kids from going to college, and compromise corporate networks and customer data.

Persistent targeted phishing attacks (spear phishing) are virtually impossible to stop with traditional anti-phishing security. Cybercriminals only need one person to trust one deceptive URL in a targeted attack. Blocking dangerous URLs that have been discarded by criminals as if they're single-use water bottles, adds little value to the world.

At the end of 2017 I asked my team the following question:

"What if we told everyone to ignore the browser padlock, because 93% of all new phishing domains have an SSL Certificate. Instead of focusing on 'known danger', we should make it easy for every person to avoid EVERY new phishing URL, download, website and service. When the shield turns green, everyone will intuitively know it's not a counterfeit/imposter.
It's easier to verify PayPal.com than it is to detect tens of thousands of new counterfeit domains and login pages.
If the shield remains grey, they will know it's probably a new phishing threat that we, and other security vendors don't know about yet. Could this be the answer?"

Was it the answer?

  • At the time this article was published, no person or entity has ever fallen for a deceptive link, URL, download, website or service since December 2017. You can read how I measured product-market fit for 80,000 active power users here on the PKI Consortium website, by invitation.

Phishing doesn't just involve deceptive URLs, it can also involve attachments or plain text that's designed to trick people into doing something they would rather not do. I'll leave it up to someone else to figure out how to enable a Zero Trust strategy for attachments - it can't be done with text, sadly.

Sheetal Mehta

CEO, Founder, Investor, Board Member, Microfinance, Yoga, TEDx Speaker, A100

3 years

I love this explanation and analogy… it's def time for organizations and people to be informed and make decisions that secure themselves, their customers and partners, and the world. If you take your analogy one step further about EV and impact on the planet and people (and zero trust) you can write a chapter two about ESG.

Paul Walsh

Making the internet safer through a radically new, human-centric approach to anti-phishing security. Most leading security companies license my patents for mobile app security. More pending for SMS security.

3 years

I'm confident this one contains more typos/grammatical errors than usual, so please drop me a comment or private message if anyone spots anything.
