New Delhi: With companies accelerating the adoption of Internet of Things (IoT) and connected devices, as well as cloud apps, to accommodate remote working during the pandemic, there are increasing instances of cyberattacks that leverage digital certificates and machines, which have emerged as the weak link.
For example, in February, Lapsus$ launched a cyberattack on chipmaker Nvidia’s internal systems and leaked its code-signing certificate online, which other hackers then used to bypass the authentication protocol used by Windows Defender, a security tool built into all versions of the Windows operating system.
Gaming major Epic Games and certificate authority Let’s Encrypt also faced similar attacks in April 2022 and September 2021 respectively.
Just as human identities are protected by usernames and passwords to authenticate access, machine identities are protected by certificates. With the increasing COVID-led reliance on communication over connected devices, the number of machine identities has also exceeded that of human identities.
As a result, hackers are targeting machine identities to steal passwords and user information by breaching a company’s internal systems. In fact, security firm CyberArk said in a recent report that machine identities now exceed human identities by 45 times. If these digital identities go unmanaged and unsecured, this can lead to many different identities that are incompatible with each other and pose a “significant” cybersecurity risk, said Prateek Bhajanka, cybersecurity expert and vice president, product, at US-based security testing firm Breachlock. “Identity can be stolen from any machine when the host is compromised. Say, in the case of IoT devices, when one is compromised, its identity can be stolen, and when the access rights to the database are misused, this can lead to data exfiltration.”
KV Deepu, head of operations and customer service at Bajaj Allianz General Insurance, expressed similar views. “With digital transformation initiatives such as cloud migration and expansion of DevOps processes, the need for machine recognition has grown exponentially. Enterprises that fail to maintain the amount and diversity of machine identities can end up with dire consequences like data breaches, outages and much more,” he said.
“To avoid hacks, we ensure that access permissions are granted only on a need-to-know basis to authorized users with the permission.” Deepu said permission is granted after strong successful authentication controls. “We also control violations by denying all communication channels that are not essential,” he said.
A recent report by Venafi, a machine identity management firm, states that the average number of machine identities per organization reached around 250,000 at the end of 2021, a 42% increase from 2020.
Kevin Bocek, Venafi's vice president for security strategy and threat intelligence, said, “The unfortunate reality is that most organizations are unprepared to manage all the machine identities they need. This rapidly expanding gap has created a new attack surface. It has opened up — building the pipeline from software to Kubernetes clusters — and it’s very attractive to hackers.”
Bocek said that an average organization will have more than 500,000 machines by 2024, but the problem is that IT teams use “multiple disconnected and manual tools” to track digital certificates.
“There are many ways to secure machine identities,” said analyst Mary Ruddy, vice president at research firm Gartner. Enterprises should provide adequate guidance to developers, security and DevOps teams by defining how the different tools in their technology stack should or should not be used, and under what circumstances new equipment or instances may be deployed.
“In the age of zero-trust, the underlying principle belief is nothing, everything is valid. It is essential that CISOs build a solid machine identity management program,” said Bhajanka of Breachlock.