Along with much of the tech world, GlobalSign is celebrating World Wide Web Day. World Wide Web Day is a day of appreciation for the connectivity we have built through the advent of the internet and the ability to browse and access information freely.
As well as free, open access to endless information, the internet has afforded enterprises faster, globalized communication, greater efficiency in day-to-day business conduct and finance management, and the ability to adopt sustainable hybrid and distance working models to connect businesses and their employees from around the world. The list could go on. However, this greater efficiency, speed and connectivity also leaves our systems and our digital identities exposed to malicious attacks from bad actors.
For World Wide Web Day, GlobalSign is taking a closer look at digital identity and how we can continue to utilise the World Wide Web for enterprises while keeping our digital identities safe.
What is a Digital Identity and Why Does it Need Protecting?
A digital identity could be anything; it is the digital representation, or footprint, of a user, object (e.g. document), or service. Examples of a digital identity include a digital certificate on a website, an identification, or something as simple as an email. It depends on the context and how strict the authorization and verification need to be.
There are three main components to a digital identity:
- Details of the person, object or service which needs to be identified
- A third party, such as GlobalSign, to verify the identity
- Lastly, trust. The user needs to trust the identity being provided.
As we innovate new ways to improve our online experiences and operate businesses more efficiently, so too will bad actors innovate new ways to disrupt this.
Attackers have repeatedly demonstrated their capabilities in identifying and exploiting weak spots within our systems, as in the infamous WannaCry ransomware attack in 2017 that halted the operation of the entire NHS, or the more recent Clop attack this year that breached a number of household-name enterprises to gain access to their payroll and other critical information.
Leaving a digital identity unprotected can expose the operation of an entire business.
Attacks like these, however, do not just affect the business itself: they can result in financial and legal problems, and they affect the individuals whose personal data has been accessed without their consent.
Under GDPR, if a business finds itself under an attack which results in a data breach, it can face fines of up to €20 (£17.5) million or 4% of annual turnover (whichever is greater), as well as managing the personal fallout for the individuals impacted by the breach.
3 Places to Identify Common Security Weaknesses in Enterprises
1. The Cloud
The Cloud is one of the key innovations of the 21st Century, and has come to be adopted into working models in businesses great and small, for just about everything from finance, to data storage, to project management and of course for the Internet of Things (IoT).
However, if not secured properly, the Cloud can be a hacker's doorway to gaining access to organizational data through files and IoT devices, which can be left particularly vulnerable to compromised security devices or Denial of Service (DoS) attacks.
2. Email
Business Email Compromise (BEC) is a type of phishing attack that usually begins with emails that appear to originate from a known source, such as a supplier or even a colleague, detailing a change in contact or payment details, and they are becoming increasingly difficult to spot. Often the criminal has even done their research through targeted social engineering, making it easier to learn more about the victim and the company, and to lure them in. Phishing attacks have grown more intelligent and more precise in their targeting in a short amount of time; the WannaCry scandal itself began with a phishing link in an email.
3. Web Domains
It is common practice for enterprises to operate the majority of their business from a web service, but these can also be particularly vulnerable to numerous types of Domain Name System (DNS) attacks.
Through vulnerabilities in the code or poor authentication processes, criminals are able to control the site, access user and provider data, redirect users to malicious addresses or simply crash the site itself. For enterprises, the most common case would likely be to access critical pieces of data such as a user’s personal or financial data.
Preventative Measures
Even just briefly exploring all of the vulnerabilities that could lead to an attack on a digital identity can make the effort to protect it seem futile, but there are many ways to prevent this, namely through the use of Public Key Infrastructure (PKI). PKI refers to the use of a combination of public and private keys to secure and share information with only authorized parties, or digital identities.
- SSL / TLS
SSL or TLS Certificates are built on PKI encryption to ensure end-to-end security for users when visiting web domains. This protects the user’s identity by encrypting private information, while certifying that the domain is secure, which usually appears as https in the URL (the S standing for secure) or as a padlock in the browser.
- Multi-Factor Authentication
Multi-Factor Authentication (or Two-Factor Authentication), often used in conjunction with an application or Single Sign On (SSO), allows a user multiple ways to prove their digital identity when logging into a system or server, making it much more difficult to hack and compromise. This helps to ensure that only authorised parties are accessing Cloud stored data and IoT devices and is more secure than a single password.
- Email Encryption
Email encryption, such as S/MIME, secures emails by digitally signing them to prevent any changes to the email content in transit, which protects any critical information from being lost or leaked. With digitally signed emails, the sender is verified by a third party, which helps to provide trust that the email is from who sent it (and not a spoof).
- Certificate Automation
Certificate Automation is the most efficient way to manage digital certificates. Automating certificate management means that businesses can close security gaps by ensuring that certificates are renewed on expiration and not after, as well as making them easy to track so you can ensure that they are in line with the latest compliance requirements and regulations.
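The tracking step described above can be sketched as a small expiry triage. This is an added example, not GlobalSign code: the hostnames and expiry dates are constructed, and the 30-day renewal window is an assumption.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory (hostnames and dates are made up for illustration).
# The date strings use the format ssl.SSLSocket.getpeercert() returns in "notAfter".
INVENTORY = [
    ("shop.example.com", "Mar  1 12:00:00 2025 GMT"),
    ("mail.example.com", "Mar 20 12:00:00 2025 GMT"),
    ("api.example.com", "Sep 15 12:00:00 2025 GMT"),
    ("legacy.example.com", "Feb 10 12:00:00 2025 GMT"),
]

RENEW_WINDOW_DAYS = 30  # assumption: renew once fewer than 30 days remain


def days_remaining(not_after, now):
    """Days (may be negative) between `now` and a certificate's notAfter time."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400


def triage(inventory, now, window_days=RENEW_WINDOW_DAYS):
    """Sort certificates by expiry and bucket them as expired, renew or ok."""
    report = {"expired": [], "renew": [], "ok": []}
    ordered = sorted(inventory, key=lambda item: ssl.cert_time_to_seconds(item[1]))
    for host, not_after in ordered:
        left = days_remaining(not_after, now)
        if left <= 0:
            bucket = "expired"   # already causing browser and client errors
        elif left < window_days:
            bucket = "renew"     # inside the renewal window: reissue now
        else:
            bucket = "ok"
        report[bucket].append((host, round(left, 1)))
    return report


if __name__ == "__main__":
    # A fixed "now" keeps the output reproducible; a scheduled job would use
    # datetime.now(timezone.utc) instead.
    fixed_now = datetime(2025, 2, 20, tzinfo=timezone.utc)
    for bucket, entries in triage(INVENTORY, fixed_now).items():
        for host, left in entries:
            print(f"{bucket:8} {host:22} {left:7.1f} days")
```

Run on a schedule, a report like this surfaces certificates before they lapse; the "expired" bucket should stay empty when renewal is automated.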
Final Thoughts
The best way to prevent an attack on digital identities, and ultimately protect the business, is to ensure that there are no gaps in security. When an attacker acquires one or a host of digital identities, it is often down to human error, or weak links within enterprise systems. Reinforcing potential weaknesses can prevent attacks and enable the continued operation of business online.
Here at GlobalSign, digital identity is what we do. Through a host of digital identity services, we provide trust to organizations in securing their endpoints, documents, data and more.