{"id":12455,"date":"2020-06-17T13:14:10","date_gmt":"2020-06-17T17:14:10","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=12455"},"modified":"2021-11-19T13:14:42","modified_gmt":"2021-11-19T18:14:42","slug":"put-your-risk-on-mute-using-pki-to-simplify-remote-workforce-security","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/put-your-risk-on-mute-using-pki-to-simplify-remote-workforce-security\/","title":{"rendered":"Put Your Risk on Mute: Using PKI to Simplify Remote Workforce Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-with-74-of-surveyed-cfos-saying-they-intend-to-move-at-least-5-of-their-on-site-workforces-to-remote-positions-after-the-current-pandemic-properly-managed-pki-is-more-important-than-ever\">With <a href=\"https:\/\/www.gartner.com\/en\/newsroom\/press-releases\/2020-04-03-gartner-cfo-surey-reveals-74-percent-of-organizations-to-shift-some-employees-to-remote-work-permanently2\" target=\"_blank\" rel=\"noreferrer noopener\">74% of surveyed CFOs<\/a> saying they intend to move at least 5% of their on-site workforces to remote positions after the current pandemic, properly managed PKI is more important than ever<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Disney World may have closed its doors, but there\u2019s a new fantasy land that opened up and its making many hackers\u2019 dreams come true.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Thousands of fresh-faced \u201cwait, I don\u2019t have a desk or chair at home; how long are we going to be out of the office; hey, you\u2019re on mute; sorry, my dog is barking\u201d employees suddenly need remote access to applications and networks from laptops, smartphones, and employee-owned devices<a>.<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That means a more opportunities for malicious actors to target. So, how can PKI ruin their good time and help secure this new remote workforce?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-pki-is-the-meat-and-potatoes-of-your-remote-workforce-security\">PKI Is the \u2018Meat and Potatoes\u2019 of Your Remote Workforce Security<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-pki-a-crash-course-on-public-key-infrastructure-pki\/\">Public key infrastructure<\/a> (PKI) doesn\u2019t have fancy LEDs or logos on it. You can\u2019t walk into the data center and see how it was clearly worth the money the way it shines in your 48U server rack. But PKI is like that: it\u2019s quiet, unassuming\u2026 and 100% critical to your success.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The enterprise security world is no longer just a firewalled network stack. \u201cZero Trust\u201d is what the cool kids are doing, and according to the National Institute of Standards and Technology (NIST), <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-207-draft2.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">PKI is a key component of a properly managed security environment.<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-can-we-effectively-secure-a-remote-workforce\">How Can We Effectively Secure a Remote Workforce?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Globally, many employees have been deemed nonessential and organizations have shuttered brick-and-mortar office spaces. Consequentially, both employees and organizations see benefits in having a larger remote workforce on a permanent basis. There\u2019s a laundry list of studies done on remote work cost savings (probably a few funded by the global sweatpants manufacturer association) covering everything from office space to sick leave.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Over the past few months, many IT departments have been tasked (with less than a week\u2019s time in many cases) with scaling networks and providing remote access to the applications and services that employees needed to do their job effectively. But are they secure?<a><\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There are some key weaknesses we can address right now:<\/p>\n\n\n\n<ol class=\"wp-block-list\" type=\"1\"><li>Passwords can be secure, but our minds less so\u2026<\/li><li>Multi-factor authentication (MFA) is great \u2014 until it\u2019s not.<\/li><li>Strengthen security with certificate-based authentication tools:<ol start=\"1\" type=\"a\"><li>How certificate-based authentication works<\/li><li>What type of certificates do you need?<\/li><li>Automation of the certificate lifecycle is crucial<\/li><\/ol><\/li><\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s go over each step in more detail\u2026<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-passwords-can-be-secure-but-our-minds-are-less-so\">1. Passwords Can Be Secure, But Our Minds Are Less So\u2026<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Passwords are the most well-known layer of internet security, but they\u2019re failing in several ways, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Stolen passwords.<\/strong> Aggressors have gotten much better at deceiving employees and pirating passwords. According to the most recent <a rel=\"noreferrer noopener\" href=\"https:\/\/pdf.ic3.gov\/2019_IC3Report.pdf\" target=\"_blank\">FBI internet crime report<\/a>, business email compromise (BEC) scams caused the most damage in 2019 with adjusted losses of just over $1.7 billion. Business email compromise has had significant traction and targets both businesses and individuals. According to the same FBI report, \u201cthe scam is carried out by compromising legitimate business email accounts through <a href=\"https:\/\/www.thesslstore.com\/blog\/social-engineering-attacks-a-look-at-social-engineering-examples-in-action\/\">social engineering<\/a> or computer intrusion techniques.\u201d<\/li><li><strong>Shared passwords.<\/strong> So, passwords are a secret shared between the employee and the server, right? Unfortunately, passwords often aren\u2019t very secret. 69% of employees admitted to sharing passwords with colleagues to access accounts as indicated by the <a rel=\"noreferrer noopener\" href=\"https:\/\/www.yubico.com\/wp-content\/uploads\/2019\/01\/Ponemon-Report-Infographic.pdf\" target=\"_blank\">2019 State of Password and Authentication Security Behaviors Report<\/a>, a study that was led by Ponemon Institute.<\/li><li><strong>Forgotten passwords.<\/strong> Besides the possibility of attacks, raise your hand if you\u2019ve ever forgotten a work password after a long vacation. Ok, EVERYONE can put their hands down now.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">PKI authentication succeeds where password authentication fails because:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The private key isn\u2019t sent to the server, meaning that it can\u2019t be intercepted or stolen in-transit.<\/li><li>Client certificates and keys (unlike passwords) can\u2019t be stolen via <a href=\"https:\/\/www.thesslstore.com\/blog\/10-types-of-phishing-attacks-and-phishing-scams\/\">common phishing attacks<\/a>.<\/li><li>Brute forcing a 2048-bit key is pretty much impossible \u2014 cracking a private key is like counting grains of sand at the beach, you can start but good luck finishing.<\/li><li>The tedious process of entering usernames or changing passwords becomes extinct.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Pratik Savla, Senior Security Engineer at <a href=\"https:\/\/www.venafi.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Venafi<\/a>, did a great job summarizing the benefits of certificate-based authentication:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><em>\u201cCertificate-based authentication is based on the X.509 public key infrastructure (PKI) standard. It offers stronger security compared to other forms of authentication by mutually authenticating both the client, (via a trusted party \u2014 CA \u2014 Certificate Authority) and the server during the SSL\/TLS handshake. In other words, both sides involved in the communication have to identify themselves, whether that is for user-to-user, user-to-machine, or machine-to-machine communication.<\/em><\/p><p><em>As this design involves exchange of digital certificates instead of a username and password, it<strong> helps in preventing phishing, key-logging, brute force as well as MITM (Man-in-the-middle) attacks amongst other risks commonly associated with a password-based design<\/strong>.\u201d<\/em><\/p><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">The estimated cost of both time and loss for organizations annually just on password issues is $5.2 million, according to the aforementioned Ponemon Institute report. Using PKI-based identity certificates changes the entire organization\u2019s burden of remembering, updating, and managing passwords.<\/p>\n\n\n<span style=\"display:none\" class=\"tl-placeholder-f-type-shortcode_15135\"><\/span>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-multi-factor-authentication-is-great-until-it-s-not\">2. Multi-Factor Authentication is Great<em> \u2014<\/em> Until It\u2019s Not<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Multifactor authentication: pretty spectacular and very, very secure, right? Not if you ask Twitter CEO Jack Dorsey. <a href=\"https:\/\/www.cnet.com\/news\/jack-dorseys-twitter-account-hacked\/\" target=\"_blank\" rel=\"noreferrer noopener\">Malicious actors gained access to <em>his <\/em>personalTwitter account<\/a>. Hackers used a <a href=\"https:\/\/www.consumer.ftc.gov\/blog\/2019\/10\/sim-swap-scams-how-protect-yourself\" target=\"_blank\" rel=\"noreferrer noopener\">SIM swap scam<\/a> to spoof his account and receive the second layer of the MFA.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019ve ever signed into Gmail or attempted to access a secure banking site from an unrecognized browser that requires you to input a pin number sent through SMS, you\u2019ve seen and used multi factor authentication. In many cases, this process reduces the chance of stolen identity, but in the case of remote working, it also adds an additional application, making things more complex for IT admins.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But you might be wondering, how much better are user ID certificates than phone-or token-based multi-factor authentication? Let\u2019s take a look at this comparison chart from Sectigo:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"597\" height=\"339\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/06\/sectigo-chart-authentication.png\" alt=\"Graphic: A chart from Sectigo that highlights the advantages of user identity certificates.\" class=\"wp-image-12456 addshadow\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/06\/sectigo-chart-authentication.png 597w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/06\/sectigo-chart-authentication-300x170.png 300w\" sizes=\"auto, (max-width: 597px) 100vw, 597px\" \/><figcaption>Graphic Source: Sectigo\u2019s <a href=\"https:\/\/sectigo.com\/uploads\/resources\/Sectigo_Home-Working-eBook_v12.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Three Ways PKI Can Help Secure the Remote Workforce<\/a> eBook<\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">As this chart highlights, PKI is significantly better than passwords. Here\u2019s how Tim Callan, Senior Fellow at <a href=\"https:\/\/sectigo.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Sectigo<\/a>, explains it:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><em>\u201cA certificate in conjunction with a TPM is stronger than a shared secret with phone-based MFA.&nbsp;So changing from password plus phone-based MFA to client certificates (especially when TPMs are present, as they go a long way in securing the key from theft), is a definite step up\u2026 Remember, the device itself (laptop, phone, tablet) can and should require a password to unlock.&nbsp;By mandating that requirement for devices attaching with certificates, the IT department has enforced a thing-you-have (certificate) and thing-you-know (device password) scheme.\u201d<\/em><\/p><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Besides PKI-based certificates offering the strongest form of identity authentication, they also make connecting simple and easy for the remote workforce. An employee\u2019s private key is stored directly in their device (ideally via a trusted platform module, or TPM), whether that\u2019s a laptop, smartphone, or tablet. The employee can open the needed applications and just work. What a novel concept right? They\u2019re authenticated with no extra steps!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-strengthen-security-with-certificate-based-authentication\">3. Strengthen Security with Certificate-Based Authentication<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Using manual processes to manage the certificates for even a few employees can be labor-intensive, technically demanding, and error prone. PKI is often underutilized and feared because of these exact issues.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-how-certificate-based-authentication-works\">How Certificate-Based Authentication Works<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">In the words of the immortal Michael Scott: \u201cWhy don\u2019t you explain it to me like I\u2019m 5?\u201d Can do. Here\u2019s how certificate-based authentication works in the work-at-home scenario we\u2019re currently seeing:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">During the SSL\/TLS handshake between the device at home (or the beach, you rascal!) and the server at corporate, the device and server exchange pleasantries. This is just like a normal TLS handshake but with a couple extra steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The client (device at home) sends its certificate and public key to the server.<\/li><li>The server verifies the client certificate before allowing the connection.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The server will reject connection requests from any device that doesn\u2019t provide a valid, verified, and authorized client certificate.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-what-type-of-certificates-do-you-need\">What Type of Certificates Do You Need?<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">The major certificate authorities all offer certificates that are suitable for use within a remote work PKI environment. They\u2019re referred to by a few names, such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Client certificates,<\/li><li>Device certificates,<\/li><li>User certificates, and<\/li><li>Personal authentication certificates.<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.thesslstore.com\/comodo\/personal-authentication-certificate.aspx\">Sectigo\/Comodo Personal Authentication Certificates<\/a> are a perfect example of the type of certificates that can be used for certificate-based authentication.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-automation-of-the-certificate-lifecycle-is-crucial\">Automation of the Certificate Lifecycle Is Crucial<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Managing PKI at scale is usually not viewed as an easy process, but, fortunately, there are tools that enable automation across the certificate lifecycle. Properly managed automation permits your IT security group to issue, revoke, and replace certificates with ease. This can be done at scale both rapidly and dependably.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.thesslstore.com\/blog\/the-equifax-data-breach-went-undetected-for-76-days-because-of-an-expired-certificate\/\">Equifax<\/a> was the target of one of the largest data breaches in history. This breach almost assuredly could have been avoided with the use of properly managed PKI automation. After a thorough investigation, the <a href=\"https:\/\/republicans-oversight.house.gov\/wp-content\/uploads\/2018\/12\/Equifax-Report.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Government Accountability Office<\/a> determined:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><em>\u201cEquifax did not see the data exfiltration because the device used to monitor [the vulnerable server\u2019s] network traffic had been <\/em><a href=\"https:\/\/www.thesslstore.com\/blog\/the-equifax-data-breach-went-undetected-for-76-days-because-of-an-expired-certificate\/\"><em>inactive for 19 months due to an expired security certificate.\u201d<\/em><\/a><\/p><\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">It apparently took them a couple more months to fix the issue, after which they \u201cimmediately noticed suspicious web traffic.\u201d Because of user error, the breach cost Equifax <a rel=\"noreferrer noopener\" href=\"https:\/\/www.housingwire.com\/articles\/equifax-expects-to-pay-out-another-100-million-for-data-breach\/\" target=\"_blank\">$1.14 billion in 2019<\/a> alone. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The total cost of implementing PKI automation not only saves you the headaches and costs associated with downtime and noncompliance, but it also gives your IT team back the valuable time that they need to work on higher-level tasks that will benefit your company in other ways. When you understand and can quantify revenues, costs, compliance and risk, PKI automation becomes a valuable tool without equal.<\/p>\n\n\n<span style=\"--tl-form-height-m:861.156px;--tl-form-height-t:899.625px;--tl-form-height-d:899.625px;\" class=\"tl-placeholder-f-type-shortcode_12653 tl-preload-form\"><span><\/span><\/span>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-final-thoughts-on-remote-workforce-security\">Final Thoughts on Remote Workforce Security<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The global situation is changing rapidly, and it\u2019s difficult to predict what will come in the coming weeks or months. On March 16, 2020 the U.S. government <a rel=\"noreferrer noopener\" href=\"https:\/\/www.cnbc.com\/2020\/03\/16\/trumps-coronavirus-guidelines-for-next-15-days-to-slow-pandemic.html\" target=\"_blank\">issued a set of guidelines<\/a> for 15 days to slow the spread of a pandemic virus. Almost 90 days later, I\u2019m completing this article and have yet to go back to my office. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There are many companies who assume they may never go back to a regular office setting. There are reports daily that malicious activity targeting remote workforces is increasing exponentially. Unfortunately, economies are still teetering on edge, the food supply chain is being drastically affected, and there is growing sense of desperation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But in the midst of all this, cybercriminals aren\u2019t taking a vacation. In fact, they\u2019re using <a href=\"https:\/\/www.thesslstore.com\/blog\/coronavirus-scams-phishing-websites-emails-target-unsuspecting-users\/\">Coronavirus-themed scams<\/a> to target potential victims. A few weeks into the pandemic, major dark web hacking groups were promising not to hit healthcare targets. But as of the writing of this article, the <a rel=\"noreferrer noopener\" href=\"https:\/\/ocrportal.hhs.gov\/ocr\/breach\/breach_report.jsf\" target=\"_blank\">U.S. Department of Health and Human Services Office for Civil Rights Breach Portal<\/a> lists 2,961,860 individuals whose personal information has been affected by hacking or unauthorized access since the first reported case of COVID-19 in the U.S. (The first reported case in the U.S. was dated Jan. 20, 2020.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While the topic of this article is placing the pandemic as top of mind, these are tools that can protect organizations no matter what the outside environment looks like. The sooner that organizations can deploy properly managed PKI authentication to users and devices in the network, the sooner their remote workforces can have peace of mind. Even if that peace of mind is wearing sweatpants and hasn\u2019t had its nails done or a haircut in three months.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With 74% of surveyed CFOs saying they intend to move at least 5% of their on-site workforces to remote positions after the current pandemic, properly managed PKI is more important&#8230;<\/p>\n","protected":false},"author":32,"featured_media":12457,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[12384,225],"class_list":["post-12455","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-remote-workforce","tag-security","post-with-tags"],"views":12377,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2020\/06\/remote-workforce-security.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/12455","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=12455"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/12455\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/12457"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=12455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=12455"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=12455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}