How to Use PIV as a Cyber Defense Tool

This article provides a practical plan for implementing PIV technologies to immediately bolster your cyber defenses. We have structured this plan to provide fundamental countermeasures against the latest cyber threats while also recognizing organizations require time to fully adopt PIV throughout their entire ecosystem. Therefore, all components of this plan can be implemented using vendor supported point and click configurations and do not require software code modifications. Advanced topics related to PIV software application fortification will be covered in a subsequent article.

Why the latest attacks are succeeding

The latest attacks take one of three forms: malware delivery, credential theft, or compromise of an internet-accessible system. These attacks work because of insufficient access control or message integrity validation: the attacker either surreptitiously obtained a credential or tricked a legitimate user into installing malware that granted access to the system. Furthermore, these attacks go from bad to absolutely devastating because of the nature and volume of the data stolen. For example, an organization can rebuild a compromised network server, but it can never recall the intellectual property stolen or repair the negative psychological impact on its customers.

PIV as a countermeasure

Many security features of PIV are underutilized simply because their benefits have never been clearly articulated or explored. The fact is, the rigorous identity proofing that a person goes through to even receive a PIV credential, combined with the credential's built-in authenticity features, provides a remarkably useful tool to stop most attacks before they can even get close to your organization. Below are some of the security features of PIV:

  • Enables deny-all-by-default security policies: Many organizations must keep services available to anyone on the internet. For example, they allow a web browser or VPN connection from anyone so that users can reach the password entry screen. With PIV, new cryptographic controls can be implemented so that only those with a valid PIV credential can even reach the sign-on page. This is critical because the organization can now block anyone without a PIV credential before they get anywhere near its services.
  • Prevents credential theft: Every relevant attack we have analyzed involves some form of credential theft from an identity repository. Subsequently, these credentials are used by the attacker to masquerade as a legitimate user, rendering security systems useless. With PIV, the credentials are stored only in a tamperproof container that is physically possessed by the approved PIV user and that can only be unlocked with their biometric or PIN. Therefore, by using PIV, attackers no longer have the luxury of stealing credentials from an identity database.
  • Permits trusted communications: Many attacks occur because a well-intentioned user receives a message from a seemingly trustworthy person and opens an attachment that launches malware. It is critical to understand that this new generation of attacks uses a combination of social media harvesting, consumer behavior pattern analysis and psychological trust features to make the user believe they are helping their organization by opening a message. By using PIV, an organization can allow only attachments that have been signed by a valid PIV credential to enter the organization, drastically decreasing the chance of a user accidentally distributing malware.
  • Locks down devices: Many attacks focus on business partners, home networks or outright theft of a physical device such as a laptop or mobile device. By using PIV technologies, data can be encrypted so that even when a device or partner outside the control of your security is breached, your data can remain safe.
  • Makes data unusable to attackers: Even if the data is stolen, it is useless unless you possess the PIV card and PIN that encrypted it.

PIV Protection Plan

Our plan strategically implements PIV at critical locations in order to eliminate many of the popular attack pathways traditionally used to gain access. Our strategy is to mitigate the threats by 1) removing the attack launch points, 2) eliminating common credential theft schemes, 3) removing traditional malware distribution channels, and 4) making the data worthless even if stolen.

Fortify boundary: Block any remote transaction that is not PIV based.

Eliminate passwords: Eliminate the password authentication option so that stolen passwords cannot be used.

Lock data: Make data unusable to those without a PIV credential.

Stop malware distribution: Only permit signed attachments from trusted parties.

PIV protection implementation steps

The goal of this fundamental plan is to enable organizations to start protecting their infrastructures immediately with PIV credentials. Therefore, each of the following steps can be implemented through standard guidance from the vendor and will not require software code changes. For example, Microsoft Active Directory, Apache web server, Cisco VPN and Apple iPhone all support the use of PIV digital certificates via standard configuration.

Need advanced PIV integration help? We have expertise in PIV application integration, single sign on and biometric technologies to help with advanced PIV usage needs. Contact us to find out more.

Block remote access (to non-PIV users)

PIV configuration task: On your perimeter devices, force mutual authentication via client certificates and refuse any other traffic.

How this protects your organization: This element serves two purposes: 1) it blocks non-PIV traffic so attackers cannot even begin their attack protocols, and 2) it forces multi-factor authentication to eliminate credential theft attacks. Anyone wanting to access your environment remotely must now use their PIV credential. Therefore, attackers can no longer steal or guess passwords to gain remote access to your environment, rendering numerous attacks useless.

Force client certificates for SSL

PIV configuration task: Within your web server's configuration, require SSL and client certificates for all transactions. All transactions without a client certificate will be dropped.

How this protects your organization: This configuration forces anyone accessing your web site to have a trusted client certificate (PIV credential). Otherwise, the web server completely refuses any further transactions. This countermeasure also eliminates many web-based threat vectors because the attacker cannot even perform basic browsing commands without a PIV credential.
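As an added example (not from the original article), the "require client certificates" task below is written out for Apache httpd with mod_ssl, one of the servers the article names. The weak setting that still lets anonymous visitors reach the sign-on page is shown alongside the deny-by-default form. The host name, file paths, CA bundle and CRL file names are placeholders to be replaced with your own server key material and PIV issuing CA material.

```apache
# Added example, not part of the original article. All names and paths
# are placeholders.
#
# WEAK: "optional" completes the TLS handshake even when the browser
# presents no client certificate, so anyone on the internet still reaches
# the login page. ("none", the default, is weaker still.)
#
#     SSLVerifyClient optional

<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # Trust anchors: only the CA chain that issues your PIV authentication
    # certificates. A client certificate from any other CA fails the
    # handshake.
    SSLCACertificateFile /etc/ssl/certs/piv-issuing-ca-chain.pem
    SSLVerifyDepth 3

    # HARDENED: refuse the handshake unless the client presents a
    # certificate that chains to the CA above. No content, not even the
    # sign-on page, is served to a connection without a PIV credential.
    SSLVerifyClient require

    # A lost or stolen PIV card is revoked by the issuer; check the CRL for
    # every certificate in the chain so a revoked card is rejected too.
    SSLCARevocationFile /etc/ssl/crl/piv-issuing-ca.crl
    SSLCARevocationCheck chain

    # Pass the verified certificate fields (SSL_CLIENT_S_DN, SSL_CLIENT_I_DN,
    # SSL_CLIENT_VERIFY) to the application for logging and authorization.
    SSLOptions +StdEnvVars
</VirtualHost>

# Plain HTTP serves nothing but a redirect, so no page is reachable
# without TLS and therefore without a client certificate.
<VirtualHost *:80>
    ServerName www.example.org
    Redirect permanent / https://www.example.org/
</VirtualHost>
```

Set SSLVerifyClient at the virtual host level rather than per directory, so the requirement is enforced during the initial handshake instead of through a later renegotiation. To check the result, connect with a browser that has no PIV certificate loaded: the expected outcome is a TLS handshake failure, not a login page, and the access log should show no request for that connection.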

Implement Active Directory smart card logon

PIV configuration task: Within your Active Directory, configure smart card logon.

How this protects your organization: One of the highest value targets for an attacker is your Active Directory. The reason is that this repository contains the credentials for everyone in your organization, which attackers can download and decrypt using a plethora of utilities. By using smart card logon with a PIV card, the end user must perform multi-factor authentication to gain access. So, even if an attacker gains access to your network, they must also have a trusted PIV card to authenticate. There are no longer easily decrypted passwords available for them to steal and use for impersonation.

Digitally sign attachments

PIV configuration task: Utilize digital signatures for email and attachments.

How this protects your organization: Many of the most effective attacks have originated with an attacker sending a perfectly crafted, trustworthy-looking email with malware embedded in an attachment. One of the most effective countermeasures is to force the use of PIV digital signatures for emails and attachments. This technique prevents an attacker from distributing malware because, without a PIV card to sign the message, the message cannot be further distributed.

Encrypt devices and laptops

PIV configuration task: Implement data encryption for laptops and devices.

How this protects your organization: Devices and laptops often contain core organization data in clear text. Additionally, many of these computing platforms are used remotely from networks that may not be trusted or verified, which exposes the device to attack. To mitigate this, the PIV credential should be used to encrypt the data on end user devices.

Encrypt database backups

PIV configuration task: Configure your database backups to be encrypted.

How this protects your organization: Many organizations overlook their database archives. We have seen many occasions where the entire database is simply moved to a different network share, or even offsite to a different datacenter, with no security on the archive. The attacker then simply downloads this data and can read it without even a password. By using PIV encryption, a valid PIV credential and PIN are required to view the data, thereby making the data useless to an attacker.

Conclusion

PIV technologies can provide extremely effective countermeasures to prevent system compromise and deter attackers before they even begin. However, these features must be adopted and utilized; otherwise attackers are only one stolen password, malware-infected email or stolen device away from completely devastating an organization and its customers with the next wave of cyber attacks.
