Small businesses are targeted at nearly the same rate as large corporations, according to Verizon’s 2021 Data Breach Investigations Report (DBIR). Why does this matter? Because both big and small businesses are missing key elements of data security, and attackers know it and exploit it. With machines of every kind proliferating across the company, the point of entry is frequently an identity, human or machine: an expired certificate, a stolen login or a cracked credential.
The following recommendations will help you uncover the weak spots that leave your machine identities exposed, and fix them before attackers take advantage of them. In today’s threat landscape a successful attack is a matter of when, not if.
- Visibility
Gain complete visibility over all certificates and other machine identities in your organization. Start with a discovery scan to find certificates your PKI admins never issued or have lost track of. The persistent creep of Shadow IT (more on this below) means certificates may be languishing, expired or hiding in individual departments, so choose a certificate management platform that can scan your entire network. Do not track expiration dates, private keys and passwords in spreadsheets, on sticky notes or in an admin’s notepad.
- Network Segmentation
Slow attackers down by segmenting your network. A security-by-design measure, segmentation divides one flat network into zones with controlled traffic between them, so an intruder who lands in one zone must breach the next boundary to move laterally instead of having the run of the whole network. It also improves visibility, since each zone can be monitored and managed on its own; it limits the blast radius of a compromise to the zone affected; and it makes incident response more efficient by bounding the scope of containment and investigation. Segments do not require dedicated hardware: VLANs, firewall zones, cloud VPCs and security groups all work, and hosting segments in a private cloud on dedicated servers is one option among several.
- Data in Transit Encryption
Encrypt data in transit with TLS 1.2 at minimum, and ideally TLS 1.3; disable SSLv3, TLS 1.0 and TLS 1.1 outright. This keeps traffic confidential and tamper-evident should an attacker gain a foothold in your infrastructure or anywhere on the path between sender and receiver (it does not, by itself, protect an endpoint that is already compromised). It applies to web-based services such as forms, login screens and upload/download endpoints. A WAN service, a TLS or IPsec VPN gateway or a bonded fiber optic connection can also be used, given proper configuration.
- Machine-to-Machine Authentication
Properly authenticate all machine-to-machine (M2M) communications. Usernames and passwords authenticate people; machines should authenticate with protocols designed for them. You can run a private PKI, acting as your own Certificate Authority, and use mutual TLS, in which both client and server present certificates backed by their own public/private key pairs, so each side proves its identity before any application data flows.
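As an added example that is not part of the original article, the block below builds TLS contexts that meet the two recommendations above (TLS 1.2 minimum, mutual authentication against a private CA) and audits a context against that policy, so a legacy configuration can be compared with the hardened one. It uses only the Python standard library. The CA, certificate and key file paths are placeholders you supply; when they are left as `None` nothing is read from disk.

```python
"""Added example (not from the original article): build TLS contexts that
meet the policy above and audit a context against it. Standard library
only. File paths are placeholders you supply; nothing is read when they
are left as None."""
import ssl

REQUIRED_MINIMUM = ssl.TLSVersion.TLSv1_2


def weak_server_context():
    """What a legacy service often looks like: library defaults only,
    and no requirement that the client prove who it is."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def hardened_server_context(ca_file=None, cert_file=None, key_file=None):
    """Server side of mutual TLS: TLS 1.2 or newer, and every client must
    present a certificate that chains to our private CA bundle (ca_file).
    With ca_file left as None there are no trust anchors at all, so every
    client handshake fails: the context fails closed rather than open."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = REQUIRED_MINIMUM
    if cert_file is not None:
        ctx.load_cert_chain(cert_file, key_file)   # our own identity
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)  # who may sign client certs
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hardened_client_context(ca_file=None, cert_file=None, key_file=None):
    """Client side: pin TLS 1.2+, verify the server's certificate and name
    against the private CA rather than the public roots, and present our
    own certificate so the server can authenticate us in return."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = REQUIRED_MINIMUM
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file is not None:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def audit_context(ctx, role):
    """Return the policy violations for an SSLContext; role is 'server'
    or 'client'. An empty list means the context meets the policy."""
    problems = []
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        problems.append("minimum protocol version is not pinned to TLS 1.2 or newer")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate not required: no mutual authentication")
    if role == "client" and not ctx.check_hostname:
        problems.append("client does not check the server hostname")
    return problems


if __name__ == "__main__":
    print("legacy server:", audit_context(weak_server_context(), "server"))
    print("hardened server:", audit_context(hardened_server_context(), "server"))
    print("hardened client:", audit_context(hardened_client_context(), "client"))
```

In deployment, `hardened_server_context("ca.pem", "server.pem", "server.key")` wraps the listening socket with `ctx.wrap_socket(sock, server_side=True)`; a client that presents no certificate, or one signed by anything other than the CA in `ca.pem`, fails the handshake before a byte of application data is exchanged. The file names are placeholders.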
- Access Control Policies
Establish access control policies that determine who can access what. NIST defines access control policies as “high-level requirements that specify how access is managed and who may access information under what circumstances.” Verizon’s 2021 Data Breach Investigations Report shows privilege misuse to be a recurring cause of data breaches. Just-in-time access, which grants elevated permissions only for the duration of a task and revokes them automatically, is one way to minimize standing access and improve data security. Ultimately, “a state of access control is said to be safe if no permission can be leaked to an unauthorized, or uninvited principal.” NISTIR 7316, Assessment of Access Control Systems, explains the common access control policies and mechanisms available.
- Shadow IT
Establish strong policies to rein in Shadow IT. Well-intentioned employees outside IT spin up certificates and purchase and deploy SaaS solutions, but are not trained to renew or manage them. The result is unaccounted-for certificates and digital identities lying around as liabilities: they can expire and cause outages, or serve as an unmonitored entry point into the organization. Regular scans and continuous visibility are key to keeping ahead of the spread of Shadow IT.
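The visibility recommendation earlier and the Shadow IT point above both come down to the same task: find every certificate that is deployed and judge it against what you expect. The block below is an added example, not the article’s or any vendor’s code, of a minimal inventory scanner written with only the Python standard library. It connects to each endpoint with verification on, reports certificates that fail to verify (expired, self-signed, unknown CA) with the reason, and classifies the ones that do verify by time to expiry and issuing CA. The expected issuer name, the host placeholder and the two sample certificate dicts are constructed for illustration.

```python
"""Added example (not from the original article): a small certificate
inventory scanner using only the standard library. The expected issuer
name, host list and sample certificate dicts are constructed."""
import socket
import ssl
from datetime import datetime, timezone

EXPECTED_ISSUER_CN = "Example Corp Internal CA"  # assumed: your private CA's CN
WARN_DAYS = 30                                   # renewal lead time


def utc(year, month, day):
    """Timezone-aware midnight UTC, for deterministic 'as of' dates."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _name_attr(name, key):
    """Pull one attribute (e.g. commonName) out of the nested tuples that
    getpeercert() uses for the subject and issuer names."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def classify(cert, now):
    """Findings for one certificate in getpeercert() dict form, as of now."""
    findings = []
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    if days_left < 0:
        findings.append(f"expired {-days_left} days ago")
    elif days_left <= WARN_DAYS:
        findings.append(f"expires in {days_left} days")
    issuer_cn = _name_attr(cert.get("issuer", ()), "commonName")
    if issuer_cn != EXPECTED_ISSUER_CN:
        # Self-signed or third-party issued: shadow IT or an impostor.
        findings.append(f"issued by unexpected CA: {issuer_cn!r}")
    if not cert.get("subjectAltName"):
        findings.append("no subjectAltName; modern clients ignore CN-only certificates")
    return findings


def scan_endpoint(host, port=443, ca_file=None, timeout=5.0, now=None):
    """Inventory one endpoint. Verification stays on deliberately: a chain
    that does not verify (expired, self-signed, unknown CA) is itself a
    finding, and the reason comes back in verify_message. Turning
    verification off would not help, because getpeercert() returns an
    empty dict for an unverified peer. Pass ca_file to verify against
    your private CA instead of the system trust store."""
    now = now or datetime.now(timezone.utc)
    endpoint = f"{host}:{port}"
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        return {"endpoint": endpoint,
                "findings": [f"verification failed: {err.verify_message}"]}
    except OSError as err:
        return {"endpoint": endpoint,
                "findings": [f"unreachable or handshake failed: {err}"]}
    return {"endpoint": endpoint, "findings": classify(cert, now)}


# Constructed samples in the exact shape getpeercert() returns.
MANAGED_CERT = {
    "subject": ((("commonName", "payroll.internal.example"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Internal CA"),)),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Jun 15 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "payroll.internal.example"),),
}
# A self-signed certificate a developer created for a side project.
SHADOW_CERT = dict(MANAGED_CERT,
                   issuer=((("commonName", "payroll.internal.example"),),),
                   subjectAltName=())


if __name__ == "__main__":
    for cert in (MANAGED_CERT, SHADOW_CERT):
        print(classify(cert, utc(2025, 6, 1)))
    # Live scan against a placeholder host:
    # print(scan_endpoint("www.example.com"))
```

Run it over the host list your PKI admins maintain, then over the full address range; the difference between the two result sets is your Shadow IT.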
- Incident Response
Ready an incident response plan before your organization is breached. Whether you are on the receiving end of a phishing campaign or a nation-state attack, be ready with the proper procedures. NIST SP 800-61 organizes incident handling into four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. Assign a named owner for the plan, typically the CISO or Privacy Officer.
- Continuous Monitoring
Continuously monitor your cybersecurity posture, including machine identities. Traditional monitoring tools take point-in-time snapshots, which can be stale before the next snapshot arrives: a certificate that expires or a key that leaks between scans goes unnoticed. Elements of a continuous monitoring strategy include threat prioritization, monitoring tools with SIEM and GRC capabilities, a patching schedule and a culture of cyber awareness. Current tools also apply machine learning to surface trends in suspicious activity.
- Automation
Automate wherever possible. Forrester notes that “orchestrating the creation, provisioning, rotation, renewal, and replacement of machine identities tasks manually is nearly impossible, given the rapid increase in volume of machine identities and the velocity of changes affecting them.” Automating as the rule rather than the exception is the state of the industry and best practice. To that end, Venafi’s solution provides visibility, monitoring and automation for your company’s machine identity management.
- Cyber Awareness
Foster a culture of cyber awareness in your workforce. Employees are more likely to stay vigilant if they know what to look for and why it matters. An open security culture with quick remediation sets the standard for strong data protection and a zero-trust environment.
If you can’t account for all your machine identities, a criminal would be happy to do the double-checking for you. This list, while not exhaustive, should give you a good start on the road to machine identity risk mitigation. As Venafi CEO Jeff Hudson states, “We spend billions of dollars protecting usernames and passwords, but almost nothing protecting the keys and certificates that machines use to identify and authenticate themselves. The number of machines on enterprise networks is skyrocketing and most organizations haven’t invested in the intelligence or automation necessary to successfully manage these critical security assets.” With these measures in place, chances are an attacker will move on to greener pastures.
To ensure a smooth digital transformation, investing in a cyber security solution such as the Venafi Trust Protection Platform, which fully automates machine identity management, is highly recommended.