By Ray Birch
ST. PETERSBURG, Fla.—As credit unions focus on locking down user identities with more sophisticated solutions to protect their systems, such as biometrics, are they overlooking another avenue for crooks to gain access to their networks?
One security expert believes that is exactly the case at many CUs, as well as numerous other businesses across all industries.
Gene Fredriksen, VP, CIO at PSCU, said organizations are not paying close enough attention to protecting their systems’ machine identities—servers and workstations—giving criminals a new and growing way to penetrate the walls of organizations.
“Anything that affects the user or member experience takes top priority today,” said Fredriksen. “I don’t want to say that people don’t care (about machine identities); it’s just that given the extreme workload and priorities, this needs more attention going forward.”
Certificates on machines are used to facilitate security and ensure that the connection is legitimate. If a criminal is able to steal a certificate, or spoof it, they would then be able to get into an organization’s network, Fredriksen explained. Once inside, the criminal could snoop through the organization’s database, gather intelligence, and perform what Fredriksen said are known as low-and-slow attacks.
“These are the attacks that are waged carefully, over some time,” he said. “They can be real threats.”
What One Study Found
Fredriksen pointed to a recent Forrester study that found 96% of companies believe effective protection of machine and human identities are equally important to the long-term security and viability of their companies. But it also found 80% of respondents struggle with machine identity protection.
“We have been so focused on protecting user identities that protecting machine identities has taken a back seat,” said Fredriksen.
Fredriksen’s stance is in line with what Venafi CEO Jeff Hudson reported regarding research his company recently performed.
“It is shocking that so many companies don’t understand the importance of protecting their machine identities. We spend billions of dollars protecting user names and passwords but almost nothing protecting the keys and certificates that machines use to identify and authenticate themselves,” Hudson said on the company’s website. “The number of machines on enterprise networks is skyrocketing and most organizations haven’t invested in the intelligence or automation necessary to protect these critical security assets. The bad guys know this, and they are targeting them because they are incredibly valuable assets across a wide range of cyber-attacks.”
Fredriksen said PSCU spends a lot of time and effort tracking and understanding all of the company’s machine certificates and their status.
“We are very proactive here,” he said.
Orchestrating an attack on a company by exploiting machine identities takes a crook with a high level of sophistication, said Fredriksen.
“But, as always happens, crooks get smarter, the tools they need get easier to access, and the process of forging a machine certificate is only going to get easier. That means more crooks will begin doing this,” he said.
A Knack for NAC
Fredriksen emphasized the importance of Network Access Control (NAC).
“This is a system that verifies the identity of a resource ‘fingerprint,’ which is more than just the certificate. It is a health check for a machine connecting to your network. If the machine does not pass the check, it is put into a quarantine area until the issues are resolved,” he explained. “While it is not a perfect system, it ensures that a machine meets all conditions for network connection before it is granted access to the connection where your corporate jewels lie.”
The other function a NAC system performs, noted Fredriksen, is to inventory the machines on an organization’s network.
“Unless an organization has sophisticated capabilities, it is probably not aware of all the connections on its network. Many of the major NAC vendors state that as much as 25% additional resources are found when the initial scan takes place. Why is this so critical? Because you cannot secure what you cannot see,” he said. “Networks are big and pervasive. People hook up all kinds of stuff to them, everything from wireless routers to who knows what. I am not saying that all these (additional connections to a system) are malicious. I am saying you need to do a full scan of your network to find every IP logged onto it.”
Steps Every CU Can Take
Since NAC systems are expensive and require a significant effort, there are other things credit unions can do to help protect themselves that are less involved but still important, Fredriksen said, including:
- Implement a system to track system certificates and drive renewals: “You should, even on a spreadsheet, track your certificates, owner, location, expiration, etc. This will not only prevent certificate expiration outages, but also function as the gold list of authorized certificates,” he said.
- Implement a failover plan for certificate problems including a certificate provider compromise: “If you had to replace all the certificates in your environment, could you do it today in a controlled manner? Once replaced, do you have a process to validate whether they are working properly? Automated validation is a critical management capability that helps with ongoing management and security and demonstrates compliance.”
- Set up and enforce certificate security policies: “To keep machine identities safe, it is imperative to set up machine identity security policies and workflows. This helps govern every aspect of machine identities—issuance, configuration, use, ownership, management, security and decommission. Enforcing policies also ensures that every machine identity in your organization complies with relevant industry and government regulations. Automating the enforcement of machine identity policies ensures that organizations are maximizing the security of every machine identity the organization uses and ensures that it can produce audit-ready evidence when needed,” Fredriksen said.
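As an added illustration (not code from PSCU or from the article), the spreadsheet-style inventory described in the first step can double as the gold list in an automated check against what a network scan actually finds. The column names, the 30-day renewal window, the host names and the fingerprint values are all assumptions constructed for this example.

```python
import csv
import io
from datetime import date, timedelta

# Constructed inventory standing in for the tracking spreadsheet.
# Column names and fingerprint values are placeholders for this example.
INVENTORY_CSV = """\
fingerprint,owner,location,expires
fp-0001,core-banking team,app01.example.internal,2025-09-30
fp-0002,web team,www.example.internal,2025-03-10
fp-0003,,legacy-ftp.example.internal,2025-01-15
"""

# Constructed scan result: (location, fingerprint) pairs seen on the network.
OBSERVED = [
    ("app01.example.internal", "fp-0001"),
    ("www.example.internal", "fp-0002"),
    ("legacy-ftp.example.internal", "fp-0003"),
    ("kiosk07.example.internal", "fp-0004"),     # not in the inventory
    ("branch-vpn.example.internal", "fp-0001"),  # known cert, unexpected host
]


def load_inventory(text):
    """Parse the inventory into a dict keyed by certificate fingerprint."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["expires"] = date.fromisoformat(row["expires"])
        inventory[row["fingerprint"]] = row
    return inventory


def audit(inventory, observed, today, renew_window_days=30):
    """Return sorted (finding, location, fingerprint) tuples."""
    findings = set()
    for location, fingerprint in observed:
        entry = inventory.get(fingerprint)
        if entry is None:
            findings.add(("UNAUTHORIZED", location, fingerprint))
        elif entry["location"] != location:
            findings.add(("WRONG_LOCATION", location, fingerprint))
    for fingerprint, entry in inventory.items():
        if not entry["owner"].strip():
            findings.add(("NO_OWNER", entry["location"], fingerprint))
        if entry["expires"] < today:
            findings.add(("EXPIRED", entry["location"], fingerprint))
        elif entry["expires"] - today <= timedelta(days=renew_window_days):
            findings.add(("RENEW_SOON", entry["location"], fingerprint))
    return sorted(findings)
```

Calling `audit(load_inventory(INVENTORY_CSV), OBSERVED, date(2025, 3, 1))` reports the unlisted certificate, the known certificate presented from an unexpected host, and the ownerless, expired and soon-to-expire inventory entries.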
Debate Over Status
Security expert Jim Stickley told CUToday.info that he believes network administrators and credit unions have the issue under control.
“I am betting the vast majority are not struggling to do this and just because they are not dedicating huge budgets does not mean they are not doing a proper job,” Stickley said, referring to Venafi research that said large budgets are not being directed to certificate protection. “Contrary to Venafi's belief that organizations are not spending enough on this, spending more money does not directly relate to increased cyber security. If that were the case, corporations like Home Depot, Target and Anthem, who spend more money than God on security, would never have had a cyber security breach.”
But Fredriksen believes the problem is growing and will only worsen.
“If I had to rate this risk now, because of crooks needing a high degree of skill to pull this off, this is not as prevalent as the crime we see on the user authorization and access side. But this threat is growing, I believe. It’s that sliding scale—if we place a lot of effort to get to the point where personal identity access control is locked down and robust, the bad guys will just look to other avenues. So understand what is on your systems today, that is a good way to start.”