Put Your Risk on Mute: Using PKI to Simplify Remote Workforce Security – Hashed Out by The SSL Store

With 74% of surveyed CFOs saying they intend to move at least 5% of their on-site workforce to permanently remote positions after the current pandemic, properly managed PKI is more important than ever.

Disney World may have closed its doors, but there's a new fantasy land that opened up, and it's making many hackers' dreams come true.

Thousands of fresh-faced ("wait, I don't have a desk or chair at home"; "how long are we going to be out of the office?"; "hey, you're on mute"; "sorry, my dog is barking") employees suddenly need remote access to applications and networks from laptops, smartphones, and employee-owned devices.

That means more targets for malicious actors. So, how can PKI ruin their good time and help secure this new remote workforce?

Let's hash it out.

Public key infrastructure (PKI) doesn't have fancy LEDs or a logo on it. You can't walk into the data center and see that it was clearly worth the money the way a gleaming 48U server rack is. But that is what PKI is like: quiet, unassuming, and 100% critical to your success.

The enterprise security world is no longer just a firewalled network stack. Zero Trust is what the cool kids are doing, and according to the National Institute of Standards and Technology (NIST), PKI is a key component of a properly managed security environment.

Globally, many employees have been deemed nonessential and organizations have shuttered brick-and-mortar office spaces. Consequently, both employees and organizations see benefits in having a larger remote workforce on a permanent basis. There's a laundry list of studies on remote work cost savings (probably a few funded by the global sweatpants manufacturers' association) covering everything from office space to sick leave.

Over the past few months, many IT departments have been tasked (with less than a week's notice in many cases) with scaling networks and providing remote access to the applications and services that employees need to do their jobs effectively. But are those connections secure?

There are some key weaknesses we can address right now:

Let's go over each in more detail.

Passwords are the most well-known layer of internet security, but they're failing in several ways, including:

PKI authentication succeeds where password authentication fails because:

Pratik Savla, Senior Security Engineer at Venafi, did a great job summarizing the benefits of certificate-based authentication:

Certificate-based authentication is based on the X.509 public key infrastructure (PKI) standard. It offers stronger security compared to other forms of authentication by mutually authenticating both the client (via a trusted party, the CA or Certificate Authority) and the server during the SSL/TLS handshake. In other words, both sides involved in the communication have to identify themselves, whether that is for user-to-user, user-to-machine, or machine-to-machine communication.

As this design involves the exchange of digital certificates instead of a username and password, it helps in preventing phishing, key-logging, brute force as well as MITM (man-in-the-middle) attacks, amongst other risks commonly associated with a password-based design.

The estimated annual cost to organizations, in lost time and losses, of password issues alone is $5.2 million, according to a Ponemon Institute report. Using PKI-based identity certificates relieves the entire organization of much of the burden of remembering, updating, and managing passwords.

Multi-factor authentication: pretty spectacular and very, very secure, right? Not if you ask Twitter CEO Jack Dorsey. Malicious actors gained access to his personal Twitter account. They used a SIM swap scam to take over his phone number and receive the SMS codes that served as the second factor of his MFA.

If you've ever signed into Gmail or tried to access a banking site from an unrecognized browser and been asked for a PIN sent by SMS, you've seen and used multi-factor authentication. In many cases this process reduces the chance of account takeover, but for remote work it also adds another application to the mix, making things more complex for IT admins.

But you might be wondering: how much better are user ID certificates than phone- or token-based multi-factor authentication? Let's take a look at this comparison chart from Sectigo:

As this chart highlights, PKI is significantly better than passwords. Here's how Tim Callan, Senior Fellow at Sectigo, explains it:

A certificate in conjunction with a TPM is stronger than a shared secret with phone-based MFA. So changing from password plus phone-based MFA to client certificates (especially when TPMs are present, as they go a long way in securing the key from theft) is a definite step up. Remember, the device itself (laptop, phone, tablet) can and should require a password to unlock. By mandating that requirement for devices attaching with certificates, the IT department has enforced a thing-you-have (certificate) and thing-you-know (device password) scheme.

Besides offering strong identity authentication, PKI-based certificates also make connecting simple and easy for the remote workforce. An employee's private key is stored directly on their device (ideally in a trusted platform module, or TPM), whether that's a laptop, smartphone, or tablet. The employee can open the needed applications and just work. What a novel concept, right? They're authenticated with no extra steps!

Using manual processes to manage the certificates for even a few employees can be labor-intensive, technically demanding, and error prone. PKI is often underutilized and feared because of these exact issues.

In the words of the immortal Michael Scott: "Why don't you explain it to me like I'm 5?" Can do. Here's how certificate-based authentication works in the work-from-home scenario we're currently seeing:

During the SSL/TLS handshake between the device at home (or the beach, you rascal!) and the server at corporate, the device and server exchange pleasantries. This is just like a normal TLS handshake, except that the server also asks the device for a certificate, the device sends it along with a signature proving it holds the matching private key, and the server checks that certificate against the CA it trusts before letting the session proceed.

The server will reject connection requests from any device that doesnt provide a valid, verified, and authorized client certificate.
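The exchange described above, as an added example that is not part of the original article and is not code from Venafi, Sectigo or The SSL Store: a private CA, one server certificate and one client certificate are generated with the `openssl` command line (assumed to be installed), and a Python server configured with `verify_mode = ssl.CERT_REQUIRED` is contacted twice, once by a client with no certificate and once by a client presenting one. The CA name, the host name localhost and the user alice@example.com are made up for the demonstration.

```python
"""Mutual TLS with a private CA: added example, not code from the article, Venafi,
Sectigo or The SSL Store. Assumes the `openssl` CLI is on PATH; the CA name, the
host name localhost and the user alice@example.com are made up."""
import os, socket, ssl, subprocess, tempfile, threading

# Constructed OpenSSL config: lets `openssl req` run without a system openssl.cnf and
# defines the extensions for the CA, the server and the client certificate.
OPENSSL_CNF = """\
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = email:alice@example.com
"""

def make_pki(workdir):
    """Create a self-signed CA, then issue one server and one client certificate."""
    cnf = os.path.join(workdir, "openssl.cnf")
    with open(cnf, "w") as f:
        f.write(OPENSSL_CNF)

    def openssl(*args):
        subprocess.run(["openssl", *args], cwd=workdir, check=True, capture_output=True)

    openssl("req", "-x509", "-config", cnf, "-extensions", "ca_ext", "-newkey", "rsa:2048",
            "-nodes", "-days", "1", "-subj", "/CN=Demo Corp Internal CA",
            "-keyout", "ca.key", "-out", "ca.crt")
    for name, subj, ext in (("server", "/CN=localhost", "server_ext"),
                            ("client", "/CN=alice@example.com", "client_ext")):
        openssl("req", "-new", "-config", cnf, "-newkey", "rsa:2048", "-nodes",
                "-subj", subj, "-keyout", f"{name}.key", "-out", f"{name}.csr")
        openssl("x509", "-req", "-in", f"{name}.csr", "-CA", "ca.crt", "-CAkey", "ca.key",
                "-CAcreateserial", "-days", "1", "-extfile", cnf, "-extensions", ext,
                "-out", f"{name}.crt")
    return {k: os.path.join(workdir, k) for k in
            ("ca.crt", "server.crt", "server.key", "client.crt", "client.key")}

def serve(ctx, listener, seen, count):
    """Server side: handle `count` connections, recording who authenticated (None = rejected)."""
    for _ in range(count):
        raw, _ = listener.accept()
        raw.settimeout(5)
        try:
            with ctx.wrap_socket(raw, server_side=True) as tls:   # the handshake happens here
                subject = {k: v for rdn in tls.getpeercert()["subject"] for k, v in rdn}
                seen.append(subject["commonName"])
                tls.sendall(f"hello {subject['commonName']}".encode())
        except OSError:
            seen.append(None)      # no client certificate, or one our CA did not sign

def connect(port, cafile, certfile=None, keyfile=None):
    """Client side: verify the server against the CA; present a client certificate if given."""
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            return tls.recv(1024).decode() or None
    except OSError:   # handshake failure, or the TLS 1.3 alert that arrives on the first read
        return None

def run_demo():
    """One server that requires client certificates, two connection attempts against it."""
    with tempfile.TemporaryDirectory() as workdir:
        p = make_pki(workdir)
        server_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=p["ca.crt"])
        server_ctx.load_cert_chain(p["server.crt"], p["server.key"])
        server_ctx.verify_mode = ssl.CERT_REQUIRED     # the setting that makes the TLS mutual

        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(5)
        port = listener.getsockname()[1]
        seen = []
        t = threading.Thread(target=serve, args=(server_ctx, listener, seen, 2), daemon=True)
        t.start()
        no_cert = connect(port, p["ca.crt"])
        with_cert = connect(port, p["ca.crt"], p["client.crt"], p["client.key"])
        t.join(timeout=10)
        listener.close()
        return {"no_cert": no_cert, "with_cert": with_cert, "server_saw": seen}

if __name__ == "__main__":
    print(run_demo())
```

The attempt without a certificate never gets a greeting: the server fails the handshake and records None, while the attempt that presents alice's certificate is greeted by the name the server read out of the certificate itself rather than from anything the client typed. A certificate signed by some other CA would be rejected in the same way, because the server only trusts the one CA file it was given.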

The major certificate authorities all offer certificates that are suitable for use within a remote work PKI environment. They're referred to by a few names, such as:

Sectigo/Comodo Personal Authentication Certificates are a perfect example of the type of certificates that can be used for certificate-based authentication.

Managing PKI at scale is usually not viewed as an easy process, but, fortunately, there are tools that enable automation across the certificate lifecycle. Properly managed automation permits your IT security group to issue, revoke, and replace certificates with ease. This can be done at scale both rapidly and dependably.

Equifax was the target of one of the largest data breaches in history. The theft of data almost certainly could have been detected far sooner with properly managed PKI automation. After a thorough investigation, the Government Accountability Office determined:

Equifax did not see the data exfiltration because the device used to monitor [the vulnerable servers] network traffic had been inactive for 19 months due to an expired security certificate.

It apparently took them a couple more months to fix the issue, after which they immediately noticed suspicious web traffic. That one lapse contributed to a breach that cost Equifax $1.14 billion in 2019 alone.

Implementing PKI automation not only saves you the headaches and costs associated with downtime and noncompliance, it also gives your IT team back the valuable time they need to work on higher-level tasks that benefit your company in other ways. When you understand and can quantify the revenues, costs, compliance and risk involved, PKI automation becomes an easy investment to justify.
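The Equifax story is exactly the failure mode a certificate inventory check exists to catch: a certificate nobody was tracking expired, and the device depending on it kept running, blind. As an added example that is not from the article or any vendor product, here is a small audit that reads the expiry date of every certificate in a directory with `openssl x509 -noout -enddate` (the openssl command line is assumed to be on PATH) and flags anything expired or expiring within a threshold. The two certificates it audits are throwaway self-signed ones it generates itself; the names vpn-gateway and intranet-portal and the 30-day threshold are made up.

```python
"""Certificate expiry audit: added example, not from the article or any vendor product.
Assumes the `openssl` CLI is on PATH. File names and the threshold are hypothetical."""
import os
import subprocess
import tempfile
from datetime import datetime, timezone

# Minimal constructed OpenSSL config so `openssl req` runs even without a system openssl.cnf.
MIN_CNF = "[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n"

def issue_selfsigned(cert_dir, name, days):
    """Test fixture only: a throwaway self-signed certificate valid for `days` days."""
    cnf = os.path.join(cert_dir, "openssl.cnf")
    if not os.path.exists(cnf):
        with open(cnf, "w") as f:
            f.write(MIN_CNF)
    crt = os.path.join(cert_dir, f"{name}.crt")
    subprocess.run(["openssl", "req", "-x509", "-config", cnf, "-newkey", "rsa:2048", "-nodes",
                    "-days", str(days), "-subj", f"/CN={name}.example.internal",
                    "-keyout", os.path.join(cert_dir, f"{name}.key"), "-out", crt],
                   check=True, capture_output=True)
    return crt

def not_after(cert_path):
    """Expiry time of a PEM certificate, as reported by `openssl x509 -noout -enddate`."""
    out = subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-enddate"],
                         check=True, capture_output=True, text=True).stdout.strip()
    stamp = out.split("=", 1)[1]                  # e.g. "notAfter=Jun  2 10:00:00 2026 GMT"
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def audit(cert_dir, warn_days=30, now=None):
    """Return (file, days_left, status) for every .crt/.pem in cert_dir, sorted by file name."""
    now = now or datetime.now(timezone.utc)
    report = []
    for fname in sorted(os.listdir(cert_dir)):
        if not fname.endswith((".crt", ".pem")):
            continue
        days_left = (not_after(os.path.join(cert_dir, fname)) - now).days
        if days_left < 0:
            status = "EXPIRED"      # the Equifax state: the device keeps running, blind
        elif days_left <= warn_days:
            status = "EXPIRING"     # renew now, before it silently stops working
        else:
            status = "OK"
        report.append((fname, days_left, status))
    return report

def demo():
    """Constructed inventory: one certificate about to lapse, one with over a year left."""
    with tempfile.TemporaryDirectory() as cert_dir:
        issue_selfsigned(cert_dir, "vpn-gateway", days=1)
        issue_selfsigned(cert_dir, "intranet-portal", days=400)
        return audit(cert_dir, warn_days=30)

if __name__ == "__main__":
    for fname, days_left, status in demo():
        print(f"{status:8} {days_left:4d} days  {fname}")
```

Run against a real directory of deployed certificates (or, better, against a list of hosts probed over the network) and wire the EXPIRING and EXPIRED rows into whatever alerting the team already watches; an expiring certificate that only shows up in a report nobody reads is the same as no check at all.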


The global situation is changing rapidly, and it's difficult to predict what will come in the coming weeks or months. On March 16, 2020, the U.S. government issued a set of guidelines, "15 Days to Slow the Spread," to slow the pandemic. Almost 90 days later, I'm completing this article and have yet to go back to my office.

Many companies assume they may never go back to a regular office setting. There are daily reports of increasing malicious activity targeting remote workers. Unfortunately, economies are still teetering on the edge, the food supply chain is being drastically affected, and there is a growing sense of desperation.

But in the midst of all this, cybercriminals aren't taking a vacation. In fact, they're using coronavirus-themed scams to target potential victims. A few weeks into the pandemic, major dark web hacking groups were promising not to hit healthcare targets. But as of the writing of this article, the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal lists 2,961,860 individuals whose personal information has been affected by hacking or unauthorized access since the first reported case of COVID-19 in the U.S. (The first reported case in the U.S. was dated Jan. 20, 2020.)

While this article has the pandemic top of mind, these are tools that can protect organizations no matter what the outside environment looks like. The sooner organizations deploy properly managed PKI authentication for the users and devices on their networks, the sooner their remote workforces can have peace of mind. Even if that peace of mind is wearing sweatpants and hasn't had its nails done or a haircut in three months.
