Tuesday, 14 January 2020 00:47

No let-up in cybercriminal attacks on machine identities in 2020, warns Venafi


With several global certificate outages, malicious software backdoors and major data breaches, 2019 was a banner year for cybercriminals, according to machine identity protection provider Venafi, which warns that security professionals should expect to see more attacks targeting machine identities throughout 2020.

According to Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, in many of the largest incidents of 2019 the cryptographic keys and digital certificates that serve as machine identities played a primary role.

“Cybercriminals understand the power of machine identities and know they are poorly protected, so they target them for exploitation,” said Bocek.

“In 2019, organisations spent over $10 billion protecting human identities, but most are just beginning to safeguard their machine identities.

“This continues to be true even though the number of humans on enterprise networks remains relatively flat while the number of machines that need identities – including virtual machines, applications, algorithms, APIs and containers – is projected to grow exponentially in 2020.

“It’s inevitable that machine identity attacks will intensify in the coming year.”

Bocek predicts cybercriminals will pursue machine identities in three distinct ways in 2020 and says:

Compromise automatic software updates
Last year, the ASUS Live Update Utility service was successfully attacked by cybercriminals, which allowed them to load malicious code on over one million machines using the pre-installed automatic software update function. Attacks like these are likely to escalate in 2020 because many devices have a built-in automatic software update service, and when an update is signed with a legitimate code-signing certificate, these updates are automatically trusted. Unfortunately, because most organisations don’t tightly control code-signing keys and certificates, it’s easier for attackers to gain access and insert malware into the automatic software update process.
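The passage above makes two points: an update signed with a legitimate code-signing key is trusted automatically, and loosely controlled signing keys make that trust easy to abuse. The Go program below is an added example, not code from the article, from Venafi or from ASUS; it shows a client-side update verifier that does not grant that automatic trust. Vendor keys are pinned by fingerprint, two independently held keys must both sign a release, and rollback to an older (genuinely signed) release is refused. The manifest format, the Updater type, the key names and the update payloads are all assumptions constructed for the example, and Ed25519 stands in for whatever signature scheme a real updater uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor: version on offer plus the payload bytes (constructed here).
type Manifest struct {
	Version uint64
	Payload []byte
}

// signingInput binds version and payload digest into the signed bytes, so a signature cannot be moved to another payload or version.
func (m Manifest) signingInput() []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, m.Version)
	digest := sha256.Sum256(m.Payload)
	return append(buf, digest[:]...)
}

// Fingerprint is the identifier the client pins; trust comes from this pin, not from a certificate chain's "code signing" label.
func Fingerprint(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }
var ErrRollback = errors.New("offered version is not newer than the installed one")
var ErrThreshold = errors.New("too few valid signatures from distinct pinned keys")

// Updater is the client-side policy: pinned vendor keys, how many must sign a release, and the installed version.
type Updater struct {
	Pinned    map[string]ed25519.PublicKey
	Threshold int
	Installed uint64
}

// Verify accepts a manifest only if it is newer than the installed version and carries Threshold valid
// signatures from distinct pinned keys. A signature from an unpinned key, however "legitimate", counts for nothing.
func (u *Updater) Verify(m Manifest, sigs map[string][]byte) error {
	if m.Version <= u.Installed {
		return ErrRollback
	}
	valid := 0
	for fp, sig := range sigs {
		if pub, ok := u.Pinned[fp]; ok && ed25519.Verify(pub, m.signingInput(), sig) {
			valid++
		}
	}
	if valid < u.Threshold {
		return ErrThreshold
	}
	return nil
}

func genKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return priv
}
func pubOf(priv ed25519.PrivateKey) ed25519.PublicKey { return priv.Public().(ed25519.PublicKey) }

// signed returns the signature set the given keys produce over m, keyed by fingerprint.
func signed(m Manifest, keys ...ed25519.PrivateKey) map[string][]byte {
	sigs := map[string][]byte{}
	for _, k := range keys {
		sigs[Fingerprint(pubOf(k))] = ed25519.Sign(k, m.signingInput())
	}
	return sigs
}

// Scenario offers four updates to one client and returns the verdict for each: a genuine two-key release, an
// attacker holding one stolen vendor key, that key plus one the attacker owns, and a replay of an older real release.
func Scenario() map[string]error {
	release, build, attacker := genKey(), genKey(), genKey()
	u := &Updater{
		Pinned:    map[string]ed25519.PublicKey{Fingerprint(pubOf(release)): pubOf(release), Fingerprint(pubOf(build)): pubOf(build)},
		Threshold: 2,
		Installed: 41,
	}
	genuine := Manifest{42, []byte("constructed genuine update v42")}
	malicious := Manifest{43, []byte("constructed backdoored update v43")}
	old := Manifest{40, []byte("constructed older, vulnerable update v40")}
	return map[string]error{
		"genuine two-key release":       u.Verify(genuine, signed(genuine, release, build)),
		"single stolen vendor key":      u.Verify(malicious, signed(malicious, release)),
		"stolen key plus attacker key":  u.Verify(malicious, signed(malicious, build, attacker)),
		"replayed older signed release": u.Verify(old, signed(old, release, build)),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-30s -> %v\n", name, err)
	}
}
```

Run it with `go run`; it prints one verdict per scenario. The case worth dwelling on is "single stolen vendor key": the attacker presents a perfectly valid signature from a key the vendor really owns, which is exactly the situation the passage describes, and the client still refuses the update because a release needs two independently held keys. The attacker's own key is ignored outright because it is not pinned, whatever certificate it may carry, and an older release the vendor did sign is refused as a rollback.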

Ransomware Targets the Internet of Things (IoT)
Researchers have been detailing security flaws in IoT devices for years. In 2019, there were multiple product recalls on smart home devices due to critical security issues. While there hasn’t been a major security incident involving enterprise IoT, 2020 could be the year the pendulum swings the other way. Last year, ransomware attacks targeted individual machines in hospitals and local governments, which led to whole cities being taken offline. If these tactics expand beyond targeting specific machines to hold data for ransom, it’s reasonable to assume that attackers will expand the ransomware model to target larger groups of IoT devices, such as medical devices – including pacemakers and insulin pumps – or focus on other systems like traffic control. Compromised machine identities make it entirely possible to use code signing certificates to ‘kidnap’ IoT devices using malware or use TLS certificates to create zombies. It seems quite possible that we’ll see an entire IoT network held for ransom in 2020.

Seize on artificial intelligence (AI)
In 2020, algorithmic decision-making AI will become more mainstream. This will bring both opportunities and challenges, particularly around the transparency of AI algorithms. If organisations do not understand how some AI models work to reach specific decisions, it’s possible that bad actors will use this confusion to manipulate AI outcomes. Many AI models rely on blindly trusted machine identities. If machine identities are compromised, attackers can send malicious data streams that feed AI models. These types of attacks could have a wide-reaching impact on everything from predictive policing to financial forecasting.

“Machine identities are a relatively new, and very effective, point of attack because there is a huge gap between the security controls applied to human identities and those applied to machine identities,” says Bocek.

“In 2020, everyone – from CISOs to security architects and security practitioners – will need to prioritise the protection of machine identities in their organisations in order to reduce these very real security risks.”


Peter Dinham

Peter Dinham is a co-founder of iTWire and a 35-year veteran journalist and corporate communications consultant. He has worked as a journalist in all forms of media – newspapers/magazines, radio, television, press agency and now, online – including with the Canberra Times, The Examiner (Tasmania), the ABC and AAP-Reuters. As a freelance journalist he also had articles published in Australian and overseas magazines. He worked in the corporate communications/public relations sector, in-house with an airline, and as a senior executive in Australia of the world’s largest communications consultancy, Burson-Marsteller. He also ran his own communications consultancy and was a co-founder in Australia of the global photographic agency, the Image Bank (now Getty Images).
