Zero Trust and STIGs – The Powerful Pair Hackers Don’t Want You to Know About

September 10, 2024

You have to admit it. Hackers have a great work ethic. They will stop at nothing to penetrate government systems, especially in the DoD. They’re willing to work overtime to do it. And they just keep getting better and better at it as a result.

Recognizing this pervasive threat, the president issued an executive order (EO 14028) in 2021. It states that, in addition to maintaining a secure baseline through STIG compliance, Federal government agencies must also maintain a Zero Trust posture and architecture.

The deadline for this initiative in the government is September 30, 2024. For corporate entities, the deadline is, preferably, before the next hack happens.

Getting to know Zero Trust.

The DoD defines Zero Trust as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned).”

Taking that one step further, antivirus software should be used to blacklist anything suspicious until a verified user intervenes. These best practices are coming into play more and more as government organizations face an unprecedented number of threats to their data.

In Splunk’s Essential Guide to Zero Trust, they sum up the approach by saying, “A Zero Trust model can radically improve your organization’s security posture by eliminating the sole reliance on perimeter-based protection.”

Understanding the difference between perimeter and Zero Trust models.

Traditional perimeter models build walls between trusted and untrusted sources. For example, the firewall between your local network and the internet.

Zero Trust models, in contrast, basically posit that bad guys are everywhere, so you should trust no network, no user, and no location when it comes to accessing your data. A Zero Trust network is built upon five fundamental assertions:

  • The network is always assumed to be hostile
  • External and internal threats exist on the network at all times
  • Network locality is not sufficient for deciding trust in a network
  • Every device, user, and network flow is authenticated and authorized
  • Policies must be dynamic and calculated from as many sources of data as possible
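To make the five assertions concrete, here is an added example (it is not code from the original post or from any product it mentions) of a minimal policy decision function. It treats the network as hostile, requires every user and device to be authenticated and authorized, never lets network location grant access on its own, and folds in extra risk signals so the decision stays dynamic. The `AccessRequest` fields, the `AUTHORIZATION` table, and the sample values are constructed for illustration.

```python
"""Added example: a Zero Trust policy decision point encoding the five assertions.
All names and sample data are constructed; this is not a real product API."""
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    user: str
    user_authenticated: bool           # identity verified by the identity provider
    mfa_passed: bool                   # second factor completed for this session
    device_id: str
    device_attested: bool              # device identity cryptographically verified
    device_compliant: bool             # posture check: patched, antivirus running, ...
    source_network: str                # "corp-lan", "vpn", "internet", ...
    resource: str
    risk_signals: list = field(default_factory=list)  # e.g. ["impossible_travel"]


# The only place trust lives: explicit user -> resource authorization (constructed).
AUTHORIZATION = {
    "finance-db": {"alice"},
    "hr-portal": {"alice", "bob"},
}


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Each check maps to one of the five assertions."""
    # Assertion 4: every device, user and flow is authenticated and authorized.
    if not req.user_authenticated:
        return False, "user not authenticated"
    if not req.mfa_passed:
        return False, "MFA not completed"
    if not req.device_attested:
        return False, "device identity not attested"
    if not req.device_compliant:
        return False, "device posture non-compliant"
    # Assertions 1-3: the network is hostile and threats exist inside and out,
    # so there is deliberately no "if source_network == 'corp-lan': allow" shortcut.
    if req.user not in AUTHORIZATION.get(req.resource, set()):
        return False, f"{req.user} not authorized for {req.resource}"
    # Assertion 5: policy is dynamic and uses as many data sources as possible.
    if req.risk_signals:
        return False, "risk signals present: " + ", ".join(req.risk_signals)
    return True, "all checks passed"


if __name__ == "__main__":
    # Constructed requests: one from the LAN without MFA, one from the internet
    # that satisfies every check. Location alone changes nothing.
    lan_no_mfa = AccessRequest("alice", True, False, "laptop-1", True, True,
                               "corp-lan", "finance-db")
    remote_ok = AccessRequest("alice", True, True, "laptop-1", True, True,
                              "internet", "finance-db")
    for req in (lan_no_mfa, remote_ok):
        print(req.source_network, decide(req))
```

The point of the example is the absence of a network-location shortcut: a request from the corporate LAN with a missing factor is denied, while a fully verified request from the internet is allowed.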

The Zero Trust approach builds in multiple layers of secure access to limit the breadth of any breaches that may occur. Then, with continuous auditing as required by STIGs (Security Technical Implementation Guides), you can spot bad actors before they have a chance to do harm. This pairing is especially effective—and necessary—for securing the high-value, sensitive systems needed to protect our troops.

As Defense Information Systems Agency (DISA) observes, “The intent and focus of Zero Trust frameworks is to design architectures and systems to assume breach, thus limiting the blast radius and exposure of malicious activity.”

Your Zero Trust architecture is only as good as the baseline it sits upon.

A key aspect of Zero Trust involves auditing to ensure that users with allowed log-in access are doing what they are supposed to be doing when they are supposed to be doing it. This is where STIGs come in.

Before a device joins the network, STIGs require it to have certain cyber hygiene controls in place—such as antivirus software. STIGs also help capture unauthorized access attempts and any unauthorized access that succeeds, making 24/7 monitoring a must.

This level of auditing helps to deter inside threats, provides knowledge as to who is attempting to gain access, and identifies patterns to enable the tracking down of a malicious source.

STIGs + Zero Trust give agencies the best cybersecurity protection.

In addition to simplifying auditing, STIGs can block hackers at many avenues of approach. For example, the STIGs for firewalls shut down nearly any port that the client does not use regularly. Operating System STIGs restrict server access to defined users, and they go further by blocking general access from privileged groups, like the domain admins. STIGs also remove guest accounts and ask that users not share logins.

All these steps verify who is supposed to have access to the technology and work to keep it that way. When you combine STIG mandates for perimeter security with a Zero Trust model, you shut down access to everything, making it nearly impossible for bad actors to achieve their goals.
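As an added example (not code from the original post and not ConfigOS), the script below turns the controls named above into a STIG-style baseline audit of one server: unused listening ports, enabled accounts outside the defined user list, an enabled guest account, and logon rights granted to a blocked privileged group. It also shows the auditing side discussed earlier by reviewing login records for repeated failures and for successful logins by users who are not on the allowed list. The host snapshot, the login records, the field names and the failure threshold are all constructed for illustration.

```python
"""Added example: STIG-style baseline audit plus login review over constructed data."""
from collections import Counter

# Constructed snapshot of one server, as an inventory tool might export it.
HOST = {
    "approved_ports": {22, 443},
    "listening_ports": {22, 443, 3389, 8080},
    "allowed_users": {"alice", "svc-backup"},
    "accounts": [
        {"name": "alice", "enabled": True},
        {"name": "svc-backup", "enabled": True},
        {"name": "Guest", "enabled": True},     # STIG: guest account must be disabled
        {"name": "olduser", "enabled": True},   # not on the defined user list
    ],
    "logon_groups": {"Server-Admins", "Domain Admins"},   # groups with logon rights
    "blocked_privileged_groups": {"Domain Admins"},       # must not log on here
}

# Constructed login records: (timestamp, user, source_ip, result)
LOGINS = [
    ("2024-09-10T01:02:03", "alice", "10.0.0.5", "success"),
    ("2024-09-10T01:05:00", "olduser", "10.0.0.9", "failure"),
    ("2024-09-10T01:05:04", "olduser", "10.0.0.9", "failure"),
    ("2024-09-10T01:05:09", "olduser", "10.0.0.9", "failure"),
    ("2024-09-10T01:05:15", "olduser", "10.0.0.9", "success"),
    ("2024-09-10T02:00:00", "Guest", "10.0.0.20", "success"),
]


def audit_baseline(host: dict) -> list[str]:
    """Return one finding per deviation from the baseline (empty list = compliant)."""
    findings = []
    # Firewall STIG: anything listening that is not on the approved list.
    for port in sorted(host["listening_ports"] - host["approved_ports"]):
        findings.append(f"port {port} listening but not on the approved list")
    # OS STIG: guest account removed/disabled; only defined users enabled.
    for acct in host["accounts"]:
        if acct["name"].lower() == "guest" and acct["enabled"]:
            findings.append("guest account is enabled")
        elif acct["enabled"] and acct["name"] not in host["allowed_users"]:
            findings.append(f"account {acct['name']} enabled but not an allowed user")
    # OS STIG: broad privileged groups must not have logon rights on this host.
    for group in sorted(host["logon_groups"] & host["blocked_privileged_groups"]):
        findings.append(f"privileged group '{group}' has logon rights")
    return findings


def review_logins(records, allowed_users, fail_threshold=3) -> list[str]:
    """Flag failure bursts per (user, ip) and successes by users outside the allowed set."""
    alerts = []
    failures = Counter()
    for ts, user, ip, result in records:
        if result == "failure":
            failures[(user, ip)] += 1
            if failures[(user, ip)] == fail_threshold:
                alerts.append(f"{ts} {fail_threshold} failed logins for {user} from {ip}")
        elif result == "success" and user not in allowed_users:
            alerts.append(f"{ts} successful login by non-allowed user {user} from {ip}")
    return alerts


if __name__ == "__main__":
    for line in audit_baseline(HOST):
        print("FINDING:", line)
    for line in review_logins(LOGINS, HOST["allowed_users"]):
        print("ALERT:  ", line)
```

Against the constructed snapshot the audit reports two unapproved ports, the enabled guest account, the undefined account, and the domain admins' logon right; the login review flags the failure burst and both successful logins by users who should not have access at all, which is the kind of pattern continuous monitoring is meant to surface.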

Making your STIG and Zero Trust journeys easier.

If this all sounds complicated and time consuming, that’s because it is.

Automating your STIG compliance can simplify the process of hardening at the perimeter, provide 24/7/365 auditing protection and help you double down on cybersecurity when using the Zero Trust approach. It also makes it possible to achieve and maintain virtually impenetrable protection for your data, systems and people—without needing to hire more staff to do it.

Schedule a free demo of ConfigOS and talk to our experts about how the pairing of STIGs and Zero Trust can give you the protection you want—without the headaches you don’t need.
