How to evaluate security vendors for a Zero Trust strategy to combat phishing-led attacks

Before I get to the point, I need to frame your thinking. I promise it will make perfect sense.

How to select a vehicle

• Fuel (e.g. Jeep) or
• Electric (e.g. Tesla)

Fuel or electric? That’s the first question we answer before it’s possible to select a vehicle, followed by a specific model.

The most obvious difference between electric vehicles (EV), and standard internal combustion engine models (ICEs), is that ICEs are powered by fuel, while electric vehicles are powered by electricity. Hybrid systems are in fact fuel-run vehicles to which a small electric engine and battery have been added.

There’s no need to explain how each one works, or why they’re different. It only matters that you nod your head in agreement when I point out that industry has different classifications to categorize different types of vehicles. This makes it easier for companies to comply with regulations and best practices, while making it easier for consumers to make better informed choices.

Some argue that we wouldn’t be where we are today if it wasn’t for Tesla forcing the incumbents to build electric vehicles.

Now that you’re in the right frame of mind, I’ll talk about anti-phishing security. The lack of technical detail is intentional as it’s not important to know everything that happens inside the black box.

My goal is to make it very easy for anyone to tell the difference between the approach taken by “traditional security” that you’ve been used to (fuel-powered vehicles), and Zero Trust (electric vehicles) — without having to know how anything works. The fundamental differences between the two methodologies are so stark, you must select one or the other.

How you know it’s really Zero Trust

• Traditional Security (Cisco)
• Zero Trust (MetaCert)

Traditional security or Zero Trust? That’s the first question we must answer before it’s possible to select a security vendor.

The most obvious difference between them:

• Traditional security is designed to trust every URL on the Internet. Only URLs that are classified as dangerous, are blocked.
• Zero Trust is designed to do the complete opposite — block every URL on the Internet, except for URLs that are verified.

“Trust no URL, always verify”

There’s no need to explain the similarities or differences between each approach to security. It only matters that you nod your head in agreement when I point out that each classification is different — it’s binary, and not open for interpretation.

Zero = 0

While the market for electric cars, bikes, and scooters is well established, industry has yet to launch electric buses.

Similarly, the market for Zero Trust implementations for user, app, device, and network data authentication is very well established, but “URL & Web Access Authentication” is VERY new.

Imagine if Chrysler promoted the Jeep Sahara as an electric vehicle. That’s the type of approach we’re seeing in cybersecurity. Some security vendors are starting to promote their traditional security solutions as a Zero Trust strategy.

The flow diagram below is intended to make it easy for anyone to evaluate a vendor or solution. You can increase the size of the image here.

About Zero Trust

The concept of “Zero Trust” for cybersecurity is very well established and it wasn’t my idea. I’ve taken the following two paragraphs straight from Palo Alto Networks:

“Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization’s network architecture. Rooted in the principle of “never trust, always verify,” Zero Trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control.”

“Zero Trust was created by John Kindervag, during his tenure as a vice president and principal analyst for Forrester Research, based on the realization that traditional security models operate on the outdated assumption that everything inside an organization’s network should be trusted. Under this broken trust model, it is assumed that a user’s identity is not compromised and that all users act responsibly and can be trusted. The Zero Trust model recognizes that trust is a vulnerability. Once on the network, users — including threat actors and malicious insiders — are free to move laterally and access or exfiltrate whatever data they are not limited to. Remember, the point of infiltration of an attack is often not the target location.”

Given that 90% of the world’s cyberattacks involve phishing, it’s ironic that a Zero Trust strategy wasn’t available for “URL & Web Access Authentication” until MetaCert pioneered it in December 2017, with a proof-of-concept application — more information below.

Zero Trust SMS

• SMS is by far the easiest implementation for a Zero Trust strategy that I can think of.
• To see what a Zero Trust strategy looks like with a real product demo, take a look at the implementation for SMS-led phishing attacks.
• Organizations that don’t implement a Zero Trust strategy for anti-phishing protection will likely end up as a statistic as documented in this article.

If you enjoyed this article you might also be interested in why phishing is NOT new or sophisticated.

I hope you found this article useful.

Please feel free to get in touch by way of a LinkedIn connection request, or email me directly paul@metacert.com if you’d like to learn more or provide feedback. Learn more about the journey that took me here.

About me in the context of this article

There’s absolutely no need to read below this text. What’s above is all you need. Below is a list of things that might lend credibility to what I say, because most of what I say is disputed by most security professionals that I speak to — hence the problem with phishing attacks. I guess they’ve never experienced autonomous driving in a Tesla.

I’m not a “cybersecurity veteran”. I know nothing about reverse-engineering malware, for example. That’s way above my pay grade of intelligence. I live at the intersection of social engineering, messaging, URLs, Internet and mobile technology, technology trends, and the mindset of victims and their attackers. I have dyslexia and ADHD, along with a very long track record of notable achievements, which I think, help me join dots that security veterans don’t notice.

• Phishing was first discovered on the AOL network in 1996, where I was one of the first people impersonated for the purpose of phishing AOL members inside email, chat rooms, and instant messenger (IM). More here.
• Helped to launch AOL Instant Messenger (AIM) as the Global Test Manager, and International Beta Coordinator for AOL UK in 1997. This is relevant because it was first time I went deep into messaging services.
• Co-founded the global standard for URL Classification at the W3C in 2004, the standards body for the World Wide Web, formally replacing PICS as a Full Recommendation in 2009.
• One of the seven original founders of the W3C Mobile Web Initiative in 2004.
• Built the first anti-phishing security service and parental control software for smartphones in 2010.
• Built the first anti-phishing security service for mobile apps in 2013. Patents issued.
• Built the first anti-phishing security service for HipChat in 2015.
• Built the first anti-phishing security service (integration and chatbot) for Slack in 2015.
• Invited to build the first security chatbot for Skype in 2016 (URL lookup for fake news).
• Built the first security chatbot for Messenger in 2016 (URL lookup for fake news).
• Built the first anti-phishing security service for Telegram in 2016.
• Eradicated the phishing epidemic on Slack for the entire cryptocurrency world in 2017. We had the only security service for Slack at the time, so they didn’t have much choice but to turn to us. Everything up to now, was powered by our traditional anti-phishing security service and our own threat intelligence system.
• No matter how fast we were at blocking new dangerous URLs, there were always victims. Cybercriminals stopped targeting communities on Slack because we made it cost-prohibitive, not because they couldn’t scam a few victims.
• Built the first dataset of verified URLs for what later became known as “Zero Trust URL & Web Access Authentication”, in 2017. This was right after we eradicated phishing on Slack — mostly because we came to realize it’s impossible to prevent most phishing-led attacks with the traditional security model — at least not without some victims having to report them first.
• Built the first browser-based security service that’s powered by Zero Trust URL & Web Access Authentication, in December 2017 — for complete desktop protection. This is the only product/tech that’s currently promoted on metacert.com.
• Built the first anti-phishing security service for cryptocurrency wallets in 2018 — Powered by a Zero Trust strategy for URIs (i.e. digital wallet addresses).
• Currently building the first security service for SMS. The small box that needs to be installed inside a mobile network represents about 10% of the overall solution — because the authentication system/infrastructure described above does most of the work. Hope to announce a trial with the first marquee mobile operator in Q4 2021.
• We would have built a security service for SMS in 2020 if we believed mobile operators cared enough to pay for it. We predicted that operators would perceive SMS scams that lead to fraud and identity theft as a“subscriber problem” — they did, and still do. As soon as FluBot malware hit Europe we knew operators would be encouraged to do something about it.
• [Security vendor] will be the second company to offer customers a desktop security service that’s powered by a Zero Trust strategy for anti-phishing. Since MetaCert is the only company verifying URLs at scale today, this new service will be powered by our authentication system and anti-phishing threat feed, as well as a few other threat intelligence feeds from other vendors. To accelerate time-to-market, they’re also OEMing MetaCert’s browser extension under their own brand. Hope to make an announcement by October 2021.
• What’s next? We hope to make it easy for security vendors to build a Zero Trust strategy for email, DNS, and other systems and applications that provide access to the Internet. We’re a big data and authentication company — the applications we build are usually to demonstrate to potential partners, how they can make use of the data and new approach to anti-phishing security.