As the IoT crisis intensifies, we are faced with an explosion of the machine population, and what goes unnoticed and unappreciated is that these machines have their own identities.
Identifying a machine carries the same importance as knowing who you are dealing with in a human security situation. You would not readily let someone walk in through your front door if you did not recognise them, but this is what is happening in the cyber world due to a lack of awareness.
While vast sums of money have been pumped into securing usernames and passwords to ensure the right human accesses the right information, certificates and keys have been neglected, and these govern the security of machine identities that take over once the human has signed in.
These identities can be compromised and used by hackers as masks to slip through defences unchecked, or to present a convincing façade of your bank or another trusted organisation. This threat is frightening and it is growing – Gartner forecasts that by 2020, half of all network attacks will be conducted using the certificates that grant these machines their identities.
CBR spoke to Jeff Hudson, CEO of Venafi, a company championing the better protection of machine identities. Speaking on the importance of identity, Mr Hudson said:
“If you think about the foundation of security, it is really identity, because if you can’t identify something, how can you protect it? You have got to be able to identify it. If I was the police and I was going to protect you out of 10 million people in the London area, I would have to identify you and know how to protect you. It starts with knowing you and who you are.”
While human identity and its role in cyber security have been much talked about in recent times, what Mr Hudson is talking about is completely different – and yet intrinsically linked to the identity problem plaguing the security landscape.
It is machine identity, not human identity, which Mr Hudson is championing, arguing that each machine in a chain of processes has its own identity – an identity which can be seized and exploited by malicious actors.
Giving an insight into the world in which machines communicate with one another, using the example of a mobile phone, he said:
“That phone doesn’t use usernames and passwords, it uses machine identities. It uses keys and certificates to communicate back to a wireless access point, to a router, to a gateway to a server to an application – that’s all machine identities. So there are people identities, and there are machine identities so that all of those machines can talk to each other.”
A recent example of machine identity being exploited is the hack of a Brazilian bank which completely debilitated the bank’s operations, giving the attackers full control. Hackers seized all 36 domains required by the bank, while also using that position to launch malware attacks on the bank’s customers.
“What the attackers did is they got a DNS, they changed that so people would go to a fake website, and then they made that fake website look exactly like the bank’s real website. What they did is they got a certificate that turned on a little green lock that said you are at the bank’s website. People would go to it, and even the smart people would say ‘Oh, green lock, that’s the bank’s website address and a green lock, I’m good’. But it was the bad guys’ website; it wasn’t the bank’s website.”
Outlining the technology that Venafi have created to guard against this threat, Mr Hudson said: “This is about creating a system that can tell if machine identities are to be trusted or not, creating them in a way that they can be trusted, and keeping track of them, and getting rid of them when they can’t be trusted – and that is the technology we have created.”
Despite the low general awareness of this cyber security threat, there have been rumblings about the dangers of exploited machine identities. Certificates have been in the news with Google criticising Symantec for the mis-issuance of thousands of certificates, clearly indicating Google’s concern about the security of machine identities.
“Could we stipulate that Google probably knows more about the internet than anybody? So what Google did is they said to the world, and to Symantec, you have issued roughly 35,000 machine identities, called certificates, that were not issued according to policy. We have a policy, we have all agreed to this, and you have done it outside of this, and we are going to invalidate it,” Mr Hudson told CBR.
In the same move, Google significantly reduced the lifespan of certificates issued by Symantec to 279 days, down from a previous duration of three years. This too is indicative of raised concern about the security of machine identities, and of the realisation that the more frequently certificates are refreshed, the more secure the identity: a stolen or mis-issued certificate stops being useful to an attacker as soon as it expires, so a shorter lifetime narrows the window in which it can be abused.
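The two failure modes described above, a certificate for your own domain issued by a CA you never authorised (the bank incident), and certificates that live far longer than current policy allows (the 279-day limit), are exactly what a machine-identity inventory check looks for. The following Python is an added example written for this article; it is not Venafi’s product or code. The domain names, issuer names, fingerprints and dates are constructed placeholders imitating what a Certificate Transparency monitor or network scan would return, and the policy thresholds (279-day maximum lifetime, 30-day renewal window) are assumptions chosen to mirror the figures in the text.

```python
"""Audit a machine-identity (TLS certificate) inventory against a trust policy.

Added example for this article, not Venafi's code. All records below are
constructed: the domains, issuers, fingerprints and dates are placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class CertRecord:
    domain: str        # subject / SAN the certificate is valid for
    issuer: str        # issuing CA as named in the certificate
    not_before: date   # start of validity period
    not_after: date    # end of validity period
    fingerprint: str   # constructed placeholder, not a real hash


@dataclass(frozen=True)
class Policy:
    approved_issuers: Dict[str, Set[str]]  # domain -> CAs allowed to issue for it
    max_lifetime_days: int                 # upper bound on the validity period
    renew_within_days: int                 # flag certificates this close to expiry


def lifetime_days(cert: CertRecord) -> int:
    """Length of the validity period in days."""
    return (cert.not_after - cert.not_before).days


def audit(records: List[CertRecord], policy: Policy, today: date) -> List[Tuple[str, str]]:
    """Return (fingerprint, finding) pairs for every policy violation.

    - unapproved_issuer: a CA outside the allow-list issued for this domain
      (the pattern behind the fake-bank-site incident).
    - lifetime_exceeds_policy: the certificate lives longer than allowed.
    - expired / renew_soon: the identity is, or is about to be, untrusted.
    """
    findings: List[Tuple[str, str]] = []
    for cert in records:
        allowed = policy.approved_issuers.get(cert.domain, set())
        if cert.issuer not in allowed:
            findings.append((cert.fingerprint, "unapproved_issuer"))
        if lifetime_days(cert) > policy.max_lifetime_days:
            findings.append((cert.fingerprint, "lifetime_exceeds_policy"))
        if cert.not_after < today:
            findings.append((cert.fingerprint, "expired"))
        elif (cert.not_after - today).days <= policy.renew_within_days:
            findings.append((cert.fingerprint, "renew_soon"))
    return findings


# Assumed policy: 279-day maximum lifetime (the figure from the article),
# 30-day renewal window, and one internal CA approved per domain.
POLICY = Policy(
    approved_issuers={
        "www.example-bank.test": {"Example Internal CA"},
        "api.example-bank.test": {"Example Internal CA"},
        "legacy.example-bank.test": {"Example Internal CA"},
    },
    max_lifetime_days=279,
    renew_within_days=30,
)

# Constructed inventory, as a CT monitor or scan might report it.
SAMPLE_RECORDS = [
    # Compliant: approved issuer, exactly 279 days of validity.
    CertRecord("www.example-bank.test", "Example Internal CA",
               date(2017, 1, 1), date(2017, 10, 7), "A1"),
    # Same domain, issued by a CA the bank never authorised.
    CertRecord("www.example-bank.test", "Unknown Public CA",
               date(2017, 4, 1), date(2017, 7, 1), "B2"),
    # Approved issuer, but a three-year certificate.
    CertRecord("api.example-bank.test", "Example Internal CA",
               date(2015, 1, 1), date(2018, 1, 1), "C3"),
    # Approved issuer, acceptable lifetime, but already expired.
    CertRecord("legacy.example-bank.test", "Example Internal CA",
               date(2016, 6, 1), date(2017, 3, 1), "D4"),
]

TODAY = date(2017, 5, 1)  # fixed "today" so the audit is reproducible


if __name__ == "__main__":
    for fingerprint, finding in audit(SAMPLE_RECORDS, POLICY, TODAY):
        print(f"{fingerprint}: {finding}")
```

Run as a script it lists one finding per violation; in practice the records would be fed from a CT log monitor or an internal scan, and an `unapproved_issuer` hit for your own domain is the signal that someone else has obtained a certificate that browsers will accept for your site.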
“Google is not doing this because it’s convenient; Google is doing this because they want a more secure world. They don’t want to have to have Google’s services looking like the bad guys are using them,” said the Venafi CEO.
For Mr Hudson, Venafi’s work is all about trust, with the CEO concisely explaining that it “is about creating a system that can tell if machine identities are to be trusted or not, creating them in a way that they can be trusted, and keeping track of them, and getting rid of them when they can’t be trusted.”