The Missing Pillar in Zero Trust: Why URI & Web Access Authentication is the Unsung Hero in Thwarting Phishing Attacks

Paul Walsh
2 min read · Oct 18, 2023
An original visual concept by Paul Walsh, brought to life through the collaborative AI capabilities of ChatGPT and DALLE3.

Cybersecurity heavyweights like Microsoft, Google, and Cisco have touted the virtues of the Zero Trust model for a while now. But as I was reading this recent article on Dark Reading, I felt inspired to write this article to explain how, in my view, we’ve all been collectively overlooking a crucial element — URI & Web Access Authentication. Allow me to shed some light on this glaring omission and why it’s not just a gap, but a gaping hole in our defenses.

In today’s cybersecurity landscape, big names like Microsoft, Google, and Cisco have been advocating for Zero Trust — what’s generally considered the gold standard. You’ve probably heard of the 4 or 5 pillars, depending on your viewpoint: Identity, App Authentication, Device Authentication, Network Authentication, and Data Authentication.

But hold on, we’ve missed something big here. Where’s the pillar for URI & Web Access Authentication? It’s like building a house but forgetting the front door. And the front door is where 90% of all cyberattacks start. Stop impersonators from walking through the front door, and we stop most attacks before they even start. This is where MetaCert has been innovating since 2017, shifting from a Cyber Threat Intelligence focus to pioneer Zero Trust specifically for anti-phishing. Trust me, it’s a game-changer, a veritable kill switch for phishing threats. FIDO-compliant keys like YubiKey are a gold standard security implementation of a Zero Trust model. Sadly, however, FIDO is only supported by a small fraction of the web. Coincidentally, FIDO is a W3C standard just like the W3C standard I co-founded for URL Classification and Content Labeling — circa 2004 — formally replacing the old standard, PICS.

Assuming URLs are safe until shown otherwise is outdated and has been ineffective for over a decade. Despite the cybersecurity industry’s growth, phishing incidents have surged each year since 2016. Instead of promoting the idea that “we’re all in it together,” which shifts the burden to employees and consumers, it’s time to refine our security approach. Every URL and web request should be viewed as dangerous until verified as legitimate (i.e. ‘authenticated’). By adopting this strategy, you negate a wide array of sophisticated phishing threats, rendering those ‘click update’ URLs ineffective.

After reading the article, it’s clear that Proofpoint hasn’t cracked the code on countering phishing threats effectively. They still rely on a database of previously identified dangerous URLs and some form of AI/ML for detection. While the latter may weed out blatant phishing attempts, it falls short when the URLs involved use random characters or are embedded in seemingly safe domains like play.google.com. This approach is fundamentally limited in tackling the complexity and nuance of modern phishing.
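To make the contrast in the two paragraphs above concrete, here is an added example (not MetaCert's code and not part of the original article) that runs the same URLs through a default-allow blocklist lookup and a default-deny verified-list lookup. The host lists, sample URLs and function names are constructed assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data for illustration; not real threat intelligence.
BLOCKLIST = {"login-paypa1.example"}    # hosts already reported as phishing
VERIFIED = {"accounts.example.com"}     # hosts verified as legitimate

def host_of(url):
    """Return the normalized host a client would connect to, or None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    # .hostname drops any "user@" prefix and lowercases; also strip a trailing dot.
    host = parts.hostname.rstrip(".")
    try:
        # Compare in ASCII (punycode) form so lookalike Unicode hosts never match.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None

def blocklist_verdict(url):
    """Default-allow: only hosts already known to be bad are stopped."""
    return "block" if host_of(url) in BLOCKLIST else "allow"

def zero_trust_verdict(url):
    """Default-deny: a URL is usable only if its host has been verified."""
    return "allow" if host_of(url) in VERIFIED else "deny"

# Constructed sample URLs.
SAMPLE_URLS = [
    "https://login-paypa1.example/signin",               # previously reported
    "https://x7f3qk9z2b.example/update",                 # random, never seen before
    "https://accounts.example.com@x7f3qk9z2b.example/",  # verified name only in userinfo
    "https://Accounts.Example.com./login",               # verified host, odd spelling
]

def compare(urls):
    """Return (url, blocklist verdict, default-deny verdict) for each URL."""
    return [(u, blocklist_verdict(u), zero_trust_verdict(u)) for u in urls]

if __name__ == "__main__":
    for url, old, new in compare(SAMPLE_URLS):
        print(f"{old:6} {new:6} {url}")
```

The never-seen host passes the blocklist because nothing has reported it yet, while the default-deny check rejects it without needing any prior sighting. A host-level list like this one cannot judge individual pages on a shared domain, so that case needs verification at a finer granularity than the host.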

Paul Walsh

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.