This article provides a practical plan for implementing PIV technologies to immediately bolster your cyber defenses. We have structured this plan to provide fundamental countermeasures against the latest cyber threats while recognizing that organizations need time to adopt PIV fully throughout their entire ecosystem. Therefore, every component of this plan can be implemented using vendor-supported, point-and-click configuration and requires no software code modifications. Advanced topics related to PIV software application fortification will be covered in a subsequent article.
Why the latest attacks are succeeding
The latest attacks arrive in one of three forms: malware delivery, credential theft, or compromise of an internet-accessible system. These attacks work because of insufficient access control or message integrity validation: the attacker either surreptitiously obtained a credential or tricked a legitimate user into installing malware that permitted access to the system. Furthermore, these attacks go from bad to absolutely devastating because of the nature and volume of the data stolen. For example, an organization can rebuild a compromised network server, but it can never recall stolen intellectual property or repair the negative psychological impact on its customers.
PIV as a countermeasure
Many security features of PIV are underutilized simply because their benefits have never been clearly articulated or explored. The fact is, the rigorous identity proofing a person goes through to even receive a PIV credential, combined with the authenticity features built into the credential itself, provides a remarkably useful tool for stopping most attacks before they can even get close to your organization. Below are some of the security features of PIV:
PIV Protection Plan
Our plan strategically implements PIV at critical locations in order to eliminate many of the popular attack pathways traditionally used to gain access. Our strategy is to mitigate the threats by 1) removing the attack launch points, 2) eliminating common credential theft schemes, 3) removing traditional malware distribution channels, and 4) making the data worthless even if stolen.
Fortify boundary: Block any remote transaction that is not PIV based.
Eliminate passwords: Eliminate the password authentication option so that stolen passwords cannot be used.
Lock data: Make data unusable to those without a PIV credential.
Stop malware distribution: Only permit signed attachments from trusted parties.
PIV protection implementation steps
The goal of this fundamental plan is to enable organizations to start protecting their infrastructure immediately with PIV credentials. Therefore, each of the following steps can be implemented through standard vendor guidance and will not require software code changes. For example, Microsoft Active Directory, the Apache web server, Cisco VPN appliances and the Apple iPhone all support PIV digital certificates via standard configuration.
Block remote access (to non-PIV users)
PIV Configuration Task: On your perimeter devices, force mutual authentication via client certificates and refuse all other traffic.
How this protects your organization: This element serves two purposes: 1) it blocks non-PIV traffic so attackers cannot even begin their attack protocols, and 2) it forces multi-factor authentication, eliminating credential theft attacks. Anyone wanting to access your environment remotely is now forced to use their PIV credential. Attackers can therefore no longer steal or guess passwords to gain remote access to your environment, rendering numerous attacks useless.
Force client certificates for SSL
PIV Configuration Task: Within your web server's configuration, require SSL and client certificates for all transactions. Transactions without a client certificate are dropped.
How this protects your organization: This configuration forces anyone accessing your website to hold a trusted client certificate (PIV credential). Otherwise, the web server refuses any further transactions. This countermeasure also eliminates many web-based threat vectors because the attacker cannot even perform basic browsing requests without a PIV credential.
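The web server step above in Apache httpd 2.4 terms, as an added example (not configuration from the article): the weak default is shown commented out beside the corrected directives, and the host name, certificate, CA bundle and CRL paths are assumptions.

```apache
# Added example: every request to this host must present a client certificate
# that chains to a trusted PIV issuing CA, or the TLS handshake itself fails.
<VirtualHost *:80>
    ServerName app.example.org
    # "Require SSL": plain HTTP is only allowed to redirect to HTTPS.
    Redirect permanent / https://app.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName app.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/app.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/app.example.org.key

    # Weak (default) setting, kept here for contrast: the server never asks the
    # browser for a certificate, so anyone on the internet can browse the site.
    # SSLVerifyClient none

    # Corrected setting: without a certificate chaining to one of the CAs in
    # the bundle, the connection is dropped before any request reaches the app.
    SSLVerifyClient require
    # PIV chains are usually several levels deep; the default depth of 1 would
    # reject otherwise valid cards.
    SSLVerifyDepth  4
    SSLCACertificateFile /etc/pki/tls/certs/piv-issuing-cas.pem

    # Refuse revoked PIV cards. The CRL file is fetched and refreshed by an
    # out-of-band job (assumption); checking the whole chain covers sub-CAs.
    SSLCARevocationFile  /etc/pki/tls/crl/piv-issuing-cas.crl
    SSLCARevocationCheck chain

    # Hand the validated subject DN to the application as SSL_CLIENT_S_DN,
    # so it can map the card to a user without any code changes to TLS handling.
    SSLOptions +StdEnvVars
</VirtualHost>
```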
Implement Active Directory smart card logon
PIV Configuration Task: Within your Active Directory, configure smart card logon.
How this protects your organization: One of the highest-value targets for an attacker is your Active Directory, because this repository contains the credentials for everyone in your organization, which attackers can download and crack using a plethora of utilities. With smart card logon using a PIV card, the end user must perform multi-factor authentication to gain access. So even if an attacker gains access to your network, they must also hold a trusted PIV card to authenticate. There are no longer easily cracked passwords available for them to steal and use for impersonation.
Digitally sign attachments
PIV Configuration Task: Use digital signatures for email and attachments.
How this protects your organization: Many of the most effective attacks have started with an attacker sending a perfectly crafted, trustworthy-looking email with malware embedded in an attachment. One of the most effective techniques is to force the use of PIV digital signatures for emails and attachments. This technique prevents an attacker from distributing malware because, without a PIV card to sign the message, the message cannot be further distributed.
Encrypt devices and laptops
PIV Configuration Task: Implement data encryption for laptops and devices.
How this protects your organization: Devices and laptops often contain core organizational data in clear text. Additionally, many of these computing platforms are used remotely from networks that may not be trusted or verified, which exposes the device to attack. To mitigate this, the PIV credential should be used to encrypt the data on end-user devices.
Encrypt database backups
PIV Configuration Task: Configure your database backups to be encrypted.
How this protects your organization: Many organizations overlook their database archives. We have seen many occasions where the entire database is simply moved to a different network share, or even offsite to a different datacenter, with no security on the archive. An attacker then simply downloads the archive and reads it without even needing a password. With PIV encryption, a valid PIV credential and PIN are required to view the data, making it useless to an attacker.
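What "encrypt the backup to a PIV credential" means at the file level, as an added example (not from the article) for the device and backup encryption steps above: the dump is wrapped as CMS enveloped data (the same format S/MIME mail uses) for one recipient certificate, so only that certificate's private key can open it. In production the recipient is the card's Key Management certificate and decryption happens on the card through PKCS#11; the throwaway key pair generated here is a stand-in so the round trip runs offline, and all paths and the sample row are constructed.

```bash
#!/bin/sh
# Added example, not from the article: encrypt a database dump so that only the
# holder of one certificate's private key can read it, using openssl cms.
# The throwaway key below stands in for a PIV Key Management key, which in real
# use never leaves the card.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a PIV Key Management certificate and its private key.
make_recipient() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Backup Operator (stand-in for PIV KM cert)" \
        -keyout "$WORK/recipient.key" -out "$WORK/recipient.crt" 2>/dev/null
}

# Encrypt a backup to the recipient certificate: DER-encoded CMS EnvelopedData,
# a fresh AES-256 content key wrapped with the recipient's RSA public key.
encrypt_backup() {  # $1 = plaintext path, $2 = output path
    openssl cms -encrypt -binary -aes256 -outform DER \
        -in "$1" -out "$2" "$WORK/recipient.crt"
}

# Decrypt: only the matching private key (on the card in production) can unwrap it.
decrypt_backup() {  # $1 = encrypted path, $2 = output path
    openssl cms -decrypt -inform DER -in "$1" -out "$2" \
        -recip "$WORK/recipient.crt" -inkey "$WORK/recipient.key"
}

# Round trip on a constructed dump; returns non-zero if the archive on disk
# leaks plaintext or does not restore byte-for-byte.
roundtrip_check() {
    make_recipient
    echo "INSERT INTO customers VALUES (1, 'constructed sample row');" > "$WORK/db.sql"
    encrypt_backup "$WORK/db.sql" "$WORK/db.sql.p7m"
    if grep -q 'constructed sample row' "$WORK/db.sql.p7m"; then return 1; fi
    decrypt_backup "$WORK/db.sql.p7m" "$WORK/db.sql.restored"
    cmp -s "$WORK/db.sql" "$WORK/db.sql.restored"
}

roundtrip_check && echo "backup encrypted to the certificate and restored with its key"
```

An archive copied to another share or datacenter in this form is just ciphertext to whoever finds it; the restore job needs the card and its PIN.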
PIV technologies can provide extremely effective countermeasures that prevent system compromise and deter attackers before they even begin. However, these features must be adopted and used; otherwise, attackers are only one stolen password, one malware-infected email or one stolen device away from completely devastating an organization and its customers with the next wave of cyber attacks.