
Global Bob Show
Episode 24 - Zero Trust
In this episode Global Bob (Brian Varner) talks about Zero Trust network architecture methodology and what all it entails. He also introduces the audience to the Signal messaging application.
Transcripts are automatically generated.
All right. All right, here we go. It is that time of the week again, for the Global Bob Show. Global Bob Show, we are the crossroads of technology and politics. Man, listen to that rock and roll music. As always, it gets me fired up and ready to put on a show. This is episode number 24: Zero Trust. I'd like to thank everybody that tunes in every week, and of course I'd like to thank those that spread the word about the show. As always, you can reach out to me on Facebook through our Global Bob Show Facebook group, or on Twitter at Global Bob Show, or on Gmail at globalbobshow@gmail.com. It's so good to be here in the Richard Cook broadcast facility. I really enjoy putting these together. Sometimes I don't record there, as you guys and gals heard; I was out in Vegas a couple of weeks ago, so we recorded a show out there, and it was nice having a nice view of the pool and everything. But really, I like to be in here where it all began, in the Richard Cook broadcast facility. So I'd like to thank a buddy of mine that reached out to me over the weekend. He said that he was doing some work outside and he was catching up on the Global Bob Show, and he came across an episode that sounded like the conversation that he and I had. So he hit me up on Signal and said, wait a second, that was me, wasn't it? I said, sure enough. So that's where I get a lot of my inspiration for these shows: people that call or text and they ask me a question. So as always, I think, well, if they had the question, then maybe some other people have the question, so why not put out a show on it. So I really appreciate him listening to the show and reaching out. So with that, we got the old cyber caddy fired up and it made its way here to the studio. So let's dive right on into this. But before we dive in, let me just stop here for a second. Now, I used an application that I was communicating with my buddy on. Now, he is a technologist himself.
And so him and I, our preferred method of communication, if it's via text, we use Signal. So for some of my audience, listeners that are not familiar with Signal: Signal is an application that you can download on your phone. They also have one you can download on your computer. I don't recommend the computer version of Signal; I prefer the ones on the device, which we can get into more later. But basically, it is end-to-end encrypted. Now, end-to-end encryption means that whenever I send him a message, it's encrypted on my device, and that message stays encrypted as it goes through the cellular network and various IP networks, and it comes down to his particular device, whether he's using his iPad or iPhone or Android tablet or phone, and then it's decrypted. Now, one of the reasons why I like to use Signal is, you know, you can go out there and do a lot of research, but it's pretty, pretty secure. A lot of folks use iMessage, and Google has their equivalent of something like that. Now, they do do encryption on it. But you know, if you don't trust the phone manufacturers, or the people that are providing that service, then Signal is really good. You can also do encrypted phone calls with Signal, so it would take and encrypt your voice traffic, and you can have a regular phone conversation over Signal. So I'm not saying that if you're into some kind of nefarious business that, you know, if you use Signal then there's no way anybody can eavesdrop on that information. But for all intents and purposes, it is a pretty good platform to use, and that's what we use here at the Global Bob Show. One other thing I'll say about Signal is that if you're worried about, say, your significant other, or if you're worried about somebody having another device on your network...
I mean, we've talked about this in the past, where one of the ways that people read other people's messages is that they'll find their old iPad, or they'll find, you know, a device, and put them on there for, like, iMessage. So every time you send an iMessage, it pops up on that device. Now, that's a way that, you know, I mean, we've seen how people stalk people using that type of thing. So with Signal, you can't really do that, because if someone was to attempt to do that, then all parties that are involved with that Signal conversation will get an alert saying that the other person's device number has changed, and please verify. So anyways, I know I kind of went off on a tangent on Signal, but it's a really good application. And if you really are paranoid, you can do things like turn on the disappearing messages. So if I send you a message, or you send me a message, after it's read, it disappears after a certain amount of time. So, really good platform, just want to put that out there. If you all are looking for an alternative that's really simple and that, you know, is encrypted and secured, then I would recommend Signal. So while we're talking about Signal, this is a great segue into what we were actually going to talk about today, and that is zero trust. Now, as I mentioned, most of my inspiration for the shows comes from people calling me throughout the week and asking me questions. Well, on this particular one, I've been working on a project for quite some time, using an application called ZeroTier. So there's a little plug there for ZeroTier. While I was out at DEF CON, I met up with the ZeroTier folks, and I use the ZeroTier technology as a way to establish zero trust. So what is zero trust? Now, back in the day, when we had all these computer networks and everything was interconnected, you would come to someone's office or their home, and you would ask, hey, what's the Wi-Fi password so I can get on here? And this is really a problem for corporations.
So people would come in, they would get on the Wi-Fi network so they could, you know, check their email and surf the web, or their vendor, maybe they need to download some drivers to fix your copy machine. So once they were on that network, then they were on there as if they were someone that worked in that corporation, right? It was all kind of a flat network. We've talked about flat networks and IP subnetting and stuff in other episodes. But what started to happen is that there were some breaches that made the news. I mean, one of the major ones was Target, and Target the grocery store chain had fallen victim to a highly sophisticated cyber operation, and it was discovered that the adversary had gained access to Target's main network through the HVAC. So for people that aren't familiar with the term HVAC, that's basically the air conditioning system and heating systems at the Target store. And what had happened was that those devices needed to be monitored, and so they just put them on the network. Well, when someone came in, an adversary came in and was able to compromise the HVAC system network and then jump over. And that's really when this zero trust, to me, I started hearing a lot about it. Now, like I said, back in the day, and your house is probably like this, and probably a lot of small businesses are like this, you have a firewall on your perimeter, right? And that firewall is blocking things that are coming in from the internet. We've talked about in a previous podcast episode the whole idea of how an adversary lands on a network, right? They have to land and then expand. And that's why we get a lot of spam emails, because once you click on a link or you go to a site, your computer is going out into the wild west of the internet, and then there's bidirectional communication. So that whole land and expand is what zero trust tries to mitigate.
So like I said, someone comes to your house, they're on your network, and they can get to wherever. It's kind of like back in the day where they had the cartoon, and it said, how many licks does it take to get to the Tootsie Roll center of a Tootsie Pop? Well, then the person takes a big bite and says, the world may never know. So all these layers of defense have traditionally been from the outside coming in. But once you're in, you're in that soft, gooey center, and you can move laterally across the networks. And so with that type of security model, that's kind of like the castle and the moat, right? So once you're inside the castle, and you know, they check you out at the door, you come in, and you can move around. But now, as we mentioned in other podcast episodes, it's crypto, where ransomware, crypto viruses, that's what's happening: they're getting on these networks, and they're expanding. And so with the zero trust model, don't think of it as a piece of software, and don't think of it as just something that you install. It's more, well, it actually is a methodology for the way of setting up networks. Now, you can dig down into the zero trust model and get as deep as you want. But the best way to think about zero trust, and setting up networks in a zero trust model, is kind of like the classification of documents and the people that access those documents. So you get someone that needs access to classified information. What do they do? They check them out. They may do a background check. They want to make sure they actually have a need to know. And so then once they get access to that, then they get what they call least privilege access, which is access to just the documents they need. So the government, they've gotten it right; they've been doing this for quite some time. But it's with, like, physical folks accessing physical systems.
So with the zero trust model, when you start setting it up, you look at the devices that are coming in and out of your network. And a good example of this is these IoT devices. I call them the Internet of Toys, even though it's called the Internet of Things. But a lot of these devices that are being put on the network, they really don't need to have access to every other part of your network. So if you take your typical security system that's at someone's office, well, if a guest comes in and asks, hey, what's the Wi-Fi password, they get on the Wi-Fi network, they can get to those security cameras, and those security cameras can get to, say, the file server. But when you implement the zero trust model, you take those security cameras, and through software, or through firewalls and various applications, you limit their access. Say those security cameras are just recording footage; that footage is going to the security camera DVR server. That, you know, could be at your place of business, or it could be up in the cloud. But you put controls around those security cameras to say those cameras can only communicate with that DVR server. There's no reason for anybody to communicate on a regular basis directly with the security camera. And when you do that, what you've done is lowered the potential for that security camera to be part of your breach. Now, that's something that's very, very common. You know, these security cameras, these IoT devices, we mentioned with Target, the HVAC control system, these computers that are, you know, managing the systems, even the little cheap security cameras, most of them are running full-on operating systems that have, you know, a lot of other things in there that aren't necessarily needed for security cameras. So that's why they become a real ripe target, because one, you know, there's no security antivirus.
I mean, there are some things, like if you get into the real high end, where you can put some clients on there. But let's just say, for all intents and purposes, you don't have antivirus on security cameras; you don't log into a security camera and have a firewall. So what you're doing is you're creating a barrier around there. So one, those security cameras, if, say, the manufacturer, which is a big deal, we'll probably do a whole other podcast on source code supply chain integrity, but a lot of these cameras and IoT devices, they're coming from overseas, and so they could already be pre-installed with malware or other systems that allow for backdoor access. So if that is the case, and you've implemented your zero trust model, then those cameras will not be a threat because they can't go anywhere. Now, I know that I really, you know, like to use examples that are way out there with a security camera. But if you bring it in a little bit closer, and you think about the people that are at your office that have access to your network, right, I know that most people that I talk to on a regular basis, my small business owners, they don't have anything internally that's limiting the communications from computer to computer. That's why I get the cryptovirus call a couple of times a month: hey, you know, we don't know where it came from, but all the computers, we walked in... well, instantly, you know, there's probably not a zero trust model implemented. But when you think about the computers on your network, think about the people that are using those computers. Do they really need to have unfettered access to your network? A lot of times, there are situations where really the only thing that one computer needs to talk to on the network that, you know, needs to kind of be open is a printer, because now most people that I know, they're using SharePoint and Microsoft Office and Google Docs, and so all of their information is stored up in the cloud.
And there's really not a reason for, say, Bobby's computer to talk to Jimmy's computer, because there's no transactions happening, right? Bobby's stuff's all up in the cloud, Jimmy's stuff's all up in the cloud. So when you get to your office, if you can, you know, ping another computer on the network, then chances are you're not set up in a zero trust model. And why is that a big deal? Like we mentioned with the crypto viruses, it is a big deal. So something that you all can do, I like to give everyone, you know, little easy things they can do to lower their victim potential, is to turn on what they call client isolation. Now, this isn't the full implementation of a zero trust model, but it's a way to get, you know, the computers isolated, which is called client isolation. And most of the time, your Wi-Fi routers and your business routers, even my home router, do this; you just click client isolation. And that way, those folks that are isolated, they can only get directly out to the internet, and therefore if they download some malware onto their computer, they're not going to be able to spread it around your house. Now, most of you all that have routers at your house or at your office, you probably do have a guest Wi-Fi network. And when you bought the router, it says, hey, do you want to have guest Wi-Fi? You click the OK button. And most of the time, behind the scenes, what the manufacturers of those routers are doing is essentially creating another network that has client isolation. So your guests get on that network, and they can only get out to the internet. But what you want to be careful of: you don't want to just willy-nilly turn this thing on, because, say, at your house, if you need to access your television, or you need to access other peripherals on your network, if you turn on client isolation, you won't be able to get to it. So think about it if you want to take some preliminary steps: just create a Wi-Fi network and turn on guest isolation.
And then, just because it's called a guest network doesn't mean it just has to be used for guests. So going back to the office network, right, so you have this guest Wi-Fi. Think of it more as, like, an untrusted device network. And so if you have somebody at your office that all they need to do is access the internet and Google Docs, and they don't need to, you know, access anything else at that office, just put them on the guest network. Now, about the only thing I will say you do have to tune a little bit is that if you have, like, an office printer, like a network printer, and they need to be able to print to that, then you would need to put in some rules to do that. So think of the zero trust model as basically a way to put devices on your network and specify directly what resources they should have access to. Now, zero trust is all the rage, and so, as always, I like to give a little bit about how did we get here. So it's one of those buzzwords, I can tell you. Now, if I'm cruising the internet, some of these technical sites, I'll get all kinds of advertisements for zero trust. And like I said, it's not a piece of software; it's more of a methodology, which I highly support. But it's not new, right? So in 1994, a guy by the name of Stephen Marsh, he coined the phrase zero trust at the University of Stirling. Now, if you think about 1994, we've talked about this in another podcast, of, you know, how the internet came to be, and when people started using the internet. So this guy, he was already thinking about zero trust back in 1994. Now, that's before, you know, a lot of offices were networked and everybody had a computer on their desk. So going forward, we find out in 2010, Joseph Kindervag of the Forrester group. Now, Forrester, they're a research and analyst arm. And so if you're involved with cybersecurity, then you know Forrester is a big deal.
But what he did was he started laying down stricter policies and a stricter framework for zero trust in 2010. And then, of course, in 2018, the government's cybersecurity research folks at NIST. Now, if you're not familiar with NIST, NIST stands for the National Institute of Standards and Technology, and these are the brainiacs that work for the government. So they started talking about zero trust and how it should be implemented. And then in 2019, the UK National Cyber Security Centre, they actually started recommending that network engineers and network professionals start down this zero trust model. Now, like a lot of technology, we have a lot of visionaries that started this and had the vision of zero trust way before it became cool. So from 1994 up until 2019, that was kind of the incubator time for this zero trust. And then we all know what happened with COVID, right? Everybody went home. You had all these folks that were interconnecting, and now zero trust became even more important, because you have company resources at people's houses, on their home network. And, you know, the companies don't know, could the laptop or device become infected on the home network, and then when they VPN into the corporate network, they spread the viruses. And so for network administrators, this was a rough thing, right? How do you have these devices that are on these, you know, you want to call them, for all intents and purposes, a dirty network, and now they're going to come onto your corporate network virtually, and you want to make sure that you limit what those devices can access? So I know in industry, a lot of my friends, they started going through, like, holy moly, how do we protect against this? You know, it's one thing if they got their laptop, and every now and again, you know, they work from home and stuff, and now you've got people full-time working from home. And I don't want to get into too many technicalities of this.
But another major thing that happened when everybody started working from home: they had a huge increase of traffic coming into the corporate network, because a lot of the VPNs were set up in what they call full tunnel mode. And full tunnel mode means all the traffic, right, no matter what, if you're going to Google, then that company device was going to make its way through the VPN and go out the corporate firewall to Google. Well, you can imagine thousands and thousands of people working from home; that was something that just did not scale out, because all of their internet traffic was coming through. So they implemented something called split tunneling. And split tunneling, and I want to really tread lightly here and not get too technical, split tunneling meant that the person's working from home, and if they went to Google or any site out on the internet, they would go out through their home connection, but then if they needed to access a company resource, then they would go through the VPN connection, right? So that's called split tunneling. And what made that become a real threat is that now someone could go to a website on their corporate device, and let's say that website had a zero day on it, so it wasn't detected by the antivirus installed, and so that computer would get compromised. Well, it also has a link to the corporate office, and so someone could come down to that device and then tunnel in to the network. It's called split tunneling, right? And so that really had a lot of my friends in industry start thinking, hey, we've got to get the zero trust model down. And so one of the programs that I recommend is one called ZeroTier. Now, these guys have been around for a long time. I actually met up with them whenever I was out at Black Hat and DEF CON; actually met them over on the DEF CON side. And these guys have been doing zero trust for a long time. And also, too, it's a software-defined WAN, which we can get into more of later.
But they really do a good job, I'd say they do an excellent job, for people that don't want to go out and hire a whole big staff to do this zero trust, and, you know, that just need to have, basically, folks that are working from home but then come to the office sometimes. So you can download their software and put it on the computer, and what that will do is basically give you a way to implement zero trust. Now, we're not going to get into all the details of it, but if anybody's looking to implement a zero trust network, then I would recommend ZeroTier. So we're approaching the bottom of the half hour here, and as always, I'd like to thank everybody that has rode along here as we cruise the highways and byways of cyberspace. And like I said, sometimes these episodes may dabble a little bit on the technical side, but if you can just take one little small nugget away from each one of these, then I think that I'm doing my job. So just to sum it all up: basically, in the old days, we had the old castle and moat system, and now we need to move to a zero trust system. And very simply, it is, hey, you can come on in the castle, but we're only going to give you access to the things that you need to have access to, and we're going to block everything else. Pretty simple. And if you need to get to that resource and it's blocked, then your friendly network administrator, I'm sure, will be more than happy for you to put in a request, and they will unblock that resource. And also, too, one of the dividends that zero trust serves, not just, you know, I'm not saying that you won't ever fall victim to crypto ransomware if you have zero trust, but one of the things zero trust does is allow for you to show your auditors, if your industry is one that is under, you know, the scrutiny of auditors. You know, a lot of times they want to see your firewall rules and how you protect your network. And as soon as you start down the path of implementing a zero trust system...
Trust me, the auditors are like, okay, these people know what they're talking about, and they can produce whatever artifacts they need during those audits. So like I said, if anything, implement it at your house, on your guest network, to let those folks get directly out to the internet and not touch your Internet of Toys or TVs or anything at your house. And if you're at your small business, just do the same thing, and put people on that guest Wi-Fi network until they actually have a business need to get on the other side of the network, where they can, you know, have more access to devices and stuff. So as I say, Rome was not built in a day, and neither was cybersecurity, as we've been testament to during these podcasts. So with that, I will see everybody next week. And if you have any questions, comments or concerns, you can reach out to me via the various channels, and I will try to get back to you as soon as possible. See you soon.
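The segmentation the episode describes (cameras talk only to the DVR, guest or untrusted devices get only the internet, one workstation never talks to another, and everything not explicitly allowed is blocked) boils down to a default-deny allow list keyed on device identity rather than on which side of the perimeter a packet came from. The Python below is an added example, not code from the show, from ZeroTier, or from any router vendor. The device inventory, addresses, groups, rules and sample flows are all constructed for illustration; the point is the decision logic, which also covers the two failure modes the episode raises: a backdoored camera trying to phone home, and a guest or an unmanaged device trying to reach the file server.

```python
"""Added example (not from the Global Bob Show): a toy default-deny flow policy.

Every managed device is assigned to a group. A flow is allowed only if an
explicit rule permits source group -> destination group on that protocol/port.
Anything not covered by a rule, including traffic from devices that are not in
the inventory at all, is denied. All names, addresses and rules are constructed
sample data, not a real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNET = "internet"            # pseudo-group: any address outside the LAN
LAN = ip_network("10.0.0.0/16")  # constructed LAN prefix

# Constructed device inventory: address -> group.
DEVICES = {
    "10.0.1.10": "camera",
    "10.0.1.11": "camera",
    "10.0.2.5": "dvr",
    "10.0.3.20": "workstation",   # "Bobby"
    "10.0.3.21": "workstation",   # "Jimmy"
    "10.0.3.50": "printer",
    "10.0.4.2": "fileserver",
    "10.0.9.7": "guest",          # guest / untrusted-device network
}


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str                # a device group or INTERNET
    proto: str                    # "tcp", "udp", "icmp"
    port: Optional[int] = None    # None = any port (used for icmp)


# The explicit allow list. Order is irrelevant: everything else is denied.
RULES = [
    Rule("camera", "dvr", "tcp", 554),            # RTSP video to the recorder only
    Rule("workstation", "printer", "tcp", 9100),  # raw print jobs
    Rule("workstation", "fileserver", "tcp", 445),
    Rule("workstation", INTERNET, "tcp", 443),
    Rule("workstation", INTERNET, "tcp", 80),
    Rule("guest", INTERNET, "tcp", 443),          # guests: internet only
    Rule("guest", INTERNET, "tcp", 80),
    Rule("guest", INTERNET, "udp", 53),           # DNS to an upstream resolver
]


def classify(addr: str) -> str:
    """Map an address to its group; unknown LAN hosts get 'unknown', never a rule."""
    ip = ip_address(addr)
    if ip not in LAN:
        return INTERNET
    return DEVICES.get(addr, "unknown")


def decide(src: str, dst: str, proto: str, port: int = 0) -> str:
    """Return 'allow' only if some rule matches; default deny otherwise."""
    src_group, dst_group = classify(src), classify(dst)
    for r in RULES:
        if (r.src_group == src_group and r.dst_group == dst_group
                and r.proto == proto.lower()
                and (r.port is None or r.port == port)):
            return "allow"
    return "deny"


# Constructed sample flows: (src, dst, proto, dst_port, what it models).
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", "tcp", 554, "camera streams to DVR"),
    ("10.0.1.10", "10.0.4.2", "tcp", 445, "compromised camera pivots to file server"),
    ("10.0.1.11", "203.0.113.9", "tcp", 443, "backdoored camera phones home"),
    ("10.0.3.20", "10.0.3.21", "icmp", 0, "Bobby pings Jimmy"),
    ("10.0.3.20", "10.0.3.21", "tcp", 445, "Bobby's box spreads to Jimmy's over SMB"),
    ("10.0.3.20", "10.0.3.50", "tcp", 9100, "workstation prints"),
    ("10.0.9.7", "10.0.4.2", "tcp", 445, "guest reaches for the file server"),
    ("10.0.9.7", "203.0.113.9", "tcp", 443, "guest browses the web"),
    ("10.0.7.77", "10.0.2.5", "tcp", 554, "unmanaged device talks to DVR"),
]


def evaluate(flows=SAMPLE_FLOWS):
    """Decide every flow; returns a list of (description, verdict)."""
    return [(desc, decide(s, d, p, port)) for s, d, p, port, desc in flows]


if __name__ == "__main__":
    for desc, verdict in evaluate():
        print(f"{verdict:5}  {desc}")
```

Run it and the only "allow" verdicts are the camera-to-DVR stream, the print job, and the guest's web traffic; the pivot, the phone-home, the ping and SMB between workstations, the guest's file-server attempt, and the unmanaged device are all denied. The episode's ping test falls out of the same rule set: an ICMP flow between two workstations has no rule, so it is denied. In practice the same table is what you would express as VLAN plus firewall rules, or as flow rules in an overlay such as the one the episode recommends; the check an auditor wants to see is that the default is deny and that each allow rule names a business reason.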