PIV security frays under the crush of telework

Adversaries are adapting to the shifting identity authentication gaps on federal and commercial networks created by the remote work environment, according to federal security experts.

Cyber criminals and attackers are adapting to the shifting identity authentication gaps on federal and commercial networks created by the remote work environment, according to federal security experts.

In the last six months, said Sean Connelly, Trusted Internet Connection (TIC) program manager at the Cybersecurity and Infrastructure Security Agency, the attack vector on federal and commercial networks has changed at the expense of older security measures.

With the traditional TIC 2 architecture's "castle and moat" style of cyber protections, said Connelly during a Sept. 22 Venable webcast on identity security, cyber criminals and attackers would look for buffer overflows, DNS and other weaknesses.

In the current work from home environment, attackers have shifted to more interactive techniques, trying to throw users off guard, according to Connelly.

"Now adversaries are trying to get you to click on something, like a social messaging app. How do you put security controls around a social messaging app?" he asked.

Fake social networking profiles aimed at gaining employees' trust, as well as cyber thieves creating fake login pages, are also increasing, according to Connelly. "Those attacks are shifting everywhere traditional network security controls are not located," he said. "Many attackers are actually calling employees and encouraging them to log on to those fake pages and then grabbing their credentials from those pages."

"Because we're not physically co-located anymore, there are a lot of authentication factors we used to assume, that we now can't use. If somebody calls the help desk, how are you going to verify them if they can't walk over and show you their CAC [Common Access Card]?" said Wendy Nather, head of advisory CISO, Duo Security at Cisco, during the Venable event. "Those sorts of processes have been breaking down."

"Some of the things that we've long held as pretty strong controls like the PIV [Personal Identity Verification] and the CAC, they have weaknesses now because a PIV card requires an in-person validation, like a fingerprint. That is not as easy to do now," said Ross Foard, a senior engineer in CISA's cybersecurity division, during the webcast.

CISA, he said, is using a card similar to a PIV card for new hires that has derived authentication that doesn't necessarily require an initial fingerprint from those new hires.

TIC 3.0 and Zero Trust can help federal networks adjust, but those technologies are emerging, so network operators should be vigilant, according to the panelists.