
The Ocean’s Eleven Casino Vault Could Have Used Zero Trust Security

When Danny Ocean decides to rob three casinos in one night in Ocean’s Eleven, Rusty Ryan warns him that the plan would take at least a dozen team members doing a combination of cons: “I’d say you’re looking at a Boeski, a Jim Brown, a Miss Daisy, two Jethros and a Leon Spinks, not to mention the biggest Ella Fitzgerald ever.”

But all the swindling slang terms aside, the bypassing of security during their successful heist of the Bellagio vault came down to identity and perimeter defenses, the main vulnerabilities of network security—and exactly the weaknesses that zero trust methodology fortifies for organizations. Stick with us, the analogy gets better.

Experienced thieves like Ocean and Ryan didn’t choose identity and perimeter defenses as weak points by coincidence. In 2020, 61 percent of breaches involved credentials, the most common attack point by far according to the Verizon Data Breach Investigations Report. That’s because with perimeter-based network defenses, once a “trusted” user has their identity confirmed through a password, they’re implicitly trusted inside the network. That gives malicious actors all the latitude they need to wreak havoc.

This is why zero trust methodology doesn’t implicitly trust users inside a network, and expects that perimeter defenses can and will be breached. Instead, it requires continuous monitoring and verification of identity when trying to access new resources on the network. Casino owner Terry Benedict’s security certainly has some serious lapses in this regard, despite Ocean’s claim that the casino “houses a security system that rivals most nuclear silos.”

An identity phishing expedition

To pull off the caper, first the team has to get inside the casino cages, the backroom employee-only area. Twice they use stolen identities to enter this area, once when Livingston uses a stolen ID card and again when Linus assumes the identity of a Nevada Gaming Commission official, what in the network world we’d call “spoofing.”

Think of this as a phishing attempt—someone using identity spoofing to obtain credentials. Phishing has been one of the top actions in breaches for the past two years according to the Verizon report, used in more than one out of every three breaches in 2020 and “continues to walk hand-in-hand with use of stolen credentials in breaches.”

Simple human errors can lead to compromised credentials, too, like coworkers emailing each other passwords for resources or old accounts that haven’t been properly offboarded. Or in Benedict’s case, writing the password down and having it stolen right off him. According to a Centrify report, three out of four IT decision makers whose organization suffered breaches said it involved privileged access credential abuse, and 65 percent said they share root or privileged access to systems and data at least somewhat often.

Zero trust methodology built upon a foundation of strong identity access management (IAM) helps eliminate this problem through using single sign-on (SSO). Once identities are established for each user on a network in a unified directory, they use SSO to have secure access to the tools, applications and resources they need. Fewer passwords means fewer potential entryways for attackers.

Once inside the casino’s back rooms—i.e., inside the network—Linus is able to steal the six-digit code that changes every 12 hours for the doors inside the network. With that password in hand and no additional identity verification needed at those doors, he can move freely throughout the network.

Brute force attacks

Only once Linus gets to the elevator leading to the vault does he finally encounter something resembling zero trust security principles. The elevator won’t move without authorized fingerprint identification and vocal confirmation from both the main security office and the vault below.

This is multi-factor authentication (MFA) driven by context- and risk-based policies, a key component of zero trust methodology. Because the vault is deemed sensitive, accessing it requires additional identity verification. On a network, attempts to access sensitive data or resources can be made to require this additional verification based on the level of risk—$150 million in a vault is pretty risky—and the context of the attempt, such as which device is trying to access it, the device’s geolocation, what time it is, and so forth.
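As an added example (not code from the original post), here is a small risk-based step-up policy in Python that applies the signals described above: resource sensitivity, device, geolocation, time of day and how recently MFA was performed. The sensitivity tiers, trusted country, business hours and MFA freshness window are assumed values chosen for the analogy.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed policy for the analogy: the vault is the most sensitive tier,
# the back-office doors the middle tier, the casino floor the lowest.
SENSITIVITY = {"casino_floor": 1, "back_office": 2, "vault": 3}
TRUSTED_COUNTRIES = {"US"}      # assumed: requests from elsewhere add risk
BUSINESS_HOURS = range(8, 20)   # assumed: 08:00 to 19:59 local time
MFA_MAX_AGE_MIN = 5             # assumed: the vault needs MFA this recent

@dataclass
class AccessRequest:
    user: str
    resource: str
    device_managed: bool            # enrolled in the org's device management
    country: str                    # geolocation of the request
    when: str                       # ISO timestamp, e.g. "2001-12-07T14:00"
    mfa_age_minutes: Optional[int]  # minutes since last MFA; None = none yet

def risk_score(req: AccessRequest) -> int:
    """Add up contextual risk signals; a higher score is more suspicious."""
    score = 0
    if not req.device_managed:
        score += 3
    if req.country not in TRUSTED_COUNTRIES:
        score += 2
    if datetime.fromisoformat(req.when).hour not in BUSINESS_HOURS:
        score += 1
    return score

def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up_mfa' or 'deny' for one access attempt.
    A valid session never opens the vault by itself: the top tier always
    needs recent MFA, and a high-risk context is refused outright."""
    sens = SENSITIVITY[req.resource]
    risk = risk_score(req)
    fresh_mfa = (req.mfa_age_minutes is not None
                 and req.mfa_age_minutes <= MFA_MAX_AGE_MIN)
    if sens == 3:
        if risk >= 3:
            return "deny"
        return "allow" if fresh_mfa else "step_up_mfa"
    if sens == 2 and (req.mfa_age_minutes is None or (risk >= 2 and not fresh_mfa)):
        return "step_up_mfa"
    if sens == 1 and risk >= 5:
        return "step_up_mfa"
    return "allow"
```

Note that a request for the vault from an unmanaged device is denied even with fresh MFA, while the back office only challenges when MFA has not happened this session or the context is unusual.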

Faced with this stronger security, the Ocean’s Eleven team instead has to use the equivalent of a network brute force attack to bypass perimeter defenses. They cut the power to disable the motion detectors in the elevator shaft, then use knockout gas on the guards and explosives to open the vault.

In the network world, brute force attacks either rely on weak credentials created by users, repeatedly guessing passwords until the correct one is found, or use methods such as denial-of-service (DoS) attacks that flood or crash services. Along with phishing, these kinds of attacks remain among the most common forms of attack, according to the Verizon report.
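As an added defensive example (not part of the original post), the following Python spots the repeated-guessing pattern described above in constructed auth log lines: a burst of failures from one source against one account inside a short window, and any success that follows such a burst, which is the event worth escalating. The log format and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (not from any real system), one event per line:
# "<ISO time> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:02 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:03 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:04 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:05 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:06 OK   user=alice src=203.0.113.7
2024-05-01T09:00:07 FAIL user=bob   src=198.51.100.2
2024-05-01T09:30:00 FAIL user=bob   src=198.51.100.2
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")

def find_brute_force(log: str, threshold: int = 5, window_s: int = 60) -> list:
    """Return alerts as (src, user, kind) tuples.

    'burst' fires once when a (src, user) pair reaches `threshold` failures
    within a sliding `window_s` seconds; 'success_after_burst' fires when a
    flagged pair then logs in successfully, i.e. a guess likely landed.
    """
    fails = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip lines that do not parse
        ts = datetime.fromisoformat(m.group(1)).timestamp()
        result, user, src = m.group(2), m.group(3), m.group(4)
        key = (src, user)
        if result == "FAIL":
            q = fails[key]
            q.append(ts)
            while q and ts - q[0] > window_s:
                q.popleft()              # drop failures older than the window
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append((src, user, "burst"))
        elif key in flagged:
            alerts.append((src, user, "success_after_burst"))
    return alerts
```

Bob's two failures are half an hour apart, so with the default window they never form a burst; widening the window to an hour flags them too.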

The changing world of networks

The security vulnerabilities we see throughout the Ocean’s Eleven theft are identity and perimeter defenses. In the past, passwords and perimeter defenses were a passable solution for a working world where employees would log into a workstation at their desk and have all their software locally installed and network resources accessible.

But today, people enter networks from a wide variety of endpoints like mobile devices, often while working remotely, and organizations use cloud-based applications, each with its own password, instead of locally installed software. Network users can also include people outside the organization, such as contractors, outside vendors and customers. Perimeter-based defenses simply don’t meet today’s needs.

That’s why zero trust methodology is now the standard for security. It assumes perimeters can and will be breached. It relies on multi-factor authentication to check that users are who they say they are, and uses policies to trigger MFA whenever an organization deems it necessary. You could gamble with an antiquated security system. But in today’s world, it’s not the safest bet.