The Digital Certificate Conundrum


Attacks on the telecoms industry underscores the need for proper machine identity management

Just last month, the US Cybersecurity and Infrastructure Security Agency (CISA) sent out an alert that Chinese hackers targeted and compromised “major telecommunications companies and network service providers” by exploiting “publicly known vulnerabilities”.

While the CISA didn’t name those impacted by Chinese state-sponsored hacking operations, it did warn organisations like Cisco, Fortinet, Netgear and others to provide necessary defenses against network device common vulnerabilities and exposures like remote code execution, authentication bypass, privilege elevation, remote injections and XML routing detour attacks.

Specifically, this attack shed light on the telecom industry’s major vulnerabilities. Telecoms are built in a way that relies too much on partners and carriers. Telecommunications companies, carriers, and the FCC are all attempting to secure our communications, but the harsh reality is that telecommunications firms falling victim to cyberattacks has tremendous ripple effects across the entire industry – including on consumers.

Machine identity management in the telecommunications industry

The majority of today’s data is no longer exclusively located on premises. The introduction of the cloud has resulted in most organisations relying on a hybrid approach to hosting their applications, with an average of three or more different clouds driving various applications in their infrastructure.

The cloud drove plenty of positive changes in the world and allowed for a complete overhaul of how we think about data and security, but organisations are still playing catch-up to modern solutions and are still struggling to manage and secure their applications across the enterprise properly.

Most enterprises manage more machine identities than human identities, and they can’t keep up.

In fact, the Solarwinds Hack was a result of Private Keys not being secure. The same private key that is part of the certificate infrastructure was used to sign the Solarwinds software.

Further, on July 1, 2022, legislation was introduced that would require the Cybersecurity and Infrastructure Security Agency (CISA) to investigate and report on the impact of the 2020 SolarWinds cyberattack on Federal agency networks and the US critical infrastructure. This legislation is called The Building Cyber Resilience After SolarWinds Act. CISA would work in consultation on the report with the National Cyber Director and the heads of other relevant Federal departments.

Telecom Companies are the backbone of all communication. Even emergency services rely on them for communications (Firstnet is owned/run by AT&T). The criticality of this utility is often taken for granted, especially the mobile providers. But what would happen if you have an emergency and 9-1-1 is no longer available, or the 9-1-1 dispatcher cannot reach EMS to dispatch them to your location? These services are often overlooked in their criticality, but lives may be at stake.

Today’s telecom organisations need a strategic machine identity management program that adheres to the best practices of each digital identity. The following are a few initiatives they can undertake to manage their IT infrastructure better and avoid further costly breaches.

Establish centralised locations for keys and certificates

Applications distributed across various on-premises and cloud servers will always require an SSL/TLS certificate to establish trust. Because of this, enterprises end up managing hundreds or even thousands of digital certificates and their private keys in their hybrid network infrastructures. This is mainly done using traditional management techniques and usually gets complicated. Adding to the problem, today’s IT and security teams are burned out and unable to keep up.

A big issue is that each certificate and the key is used by various teams within a given organisation in a different way and no one knows how each certificate is used, who is using it, and its expiration date. IT teams at telecom companies need to create one centralised location for every certificate and its keys to govern them better.

A centralised inventory of all digital keys and certificates can provide insight to IT teams into the various identities outside of the network (including the cloud) and what IoT devices each employee uses. This information can be crucial given today’s remote and hybrid work environment. And to discover more vulnerabilities, IT teams can also conduct regular security token audits.

Conduct inventory checks

You can’t really tackle a machine identity program until you have real visibility into your entire ecosystem. Organisations must first understand key details about each identity (expiration date, authority and where it’s located) before going any further.

IT teams can better understand the trust level of each machine by creating inventory lists of the various keys and certificates.

Leverage automation

Machine identity management has historically been a manual process – think spreadsheets or even physical paper lists – but these antiquated methods take up too much time and become ineffective because they are prone to errors.

You can keep machine identities up to date and effectively eliminate outages by automating certificate and key lifecycle management.

The ability to automate furthers security by removing human error from the equation. The risk of lack of consistency or mistakes on a one of basis is removed as with automation, everything is done the same in a repeated method.

Take control of your identities

It’s clear that nation-state attackers aren’t going to slow down in their attempts to access data and cause havoc inside American businesses, and telecom companies – as CISA warned – have to make concerted efforts to secure their data. They should start with taking control of identity management and modernising their practices to avoid being compromised by avoidable attacks.

If you liked reading this, you might like our other stories
All You Need To Know: Saudi Space Commission 
Unlocking Network-as-a-Service Opportunities In The Channel