As we venture into the brave new world that is 2012, many are looking for where the biggest opportunities for hackers will lie. We all know history has a habit of repeating itself so, with the sweet smell of success still in their nostrils, it is a fair assumption that the black hats will stick to what they've proven works. What we need to do is change what we're doing to stop them. This article examines 2011's most disturbing IT security development, how certificate authority (CA) third-party trust providers have become the hacker target of choice. It details how it's happened and what we have to do to ensure we keep the bad guys out.
Probably the most disturbing data breaches of 2011 saw security companies themselves come under determined and sustained attacks. RSA and DigiNotar all fell victim to hackers, sending shockwaves through the security community. And only weeks into the new year we have had the belated announcement that VeriSign - another trusted third-party certificate authority - has been hacked and data breached. These organizations know that they are high-value targets and take extraordinary measures to protect themselves, and yet they are still successfully attacked and breached despite these best efforts.
If companies that pride themselves on providing the most advanced and sophisticated network security solutions can't protect themselves, how can we they look after us? DigiNotar was so seriously damaged that it went out of businessan unprecedented event in the IT security industry.
The news that VeriSign was compromised should not be a surprise to anyone. Hackers have been targeting and breaching high-value targets like RSA, Comodo, DigiNotar, and now add to the list, VeriSign. These targets are all trusted third-party providers of certificates, services, or secure tokenstechnologies that are extensively used to authenticate and create trusted relationships on the internet and within organizations worldwide. The inescapable conclusion is that these providers will continue to be compromised. The breaches cannot be stopped. What we have to do is learn how to anticipate these criminal attacks and prevent them."
A Lucky Strike?
The devastating attack on DigiNotar is testament to the insecurity of certificates. In a not too dissimilar fiasco, hackers broke into DigiNotar's systems and created forged digital certificates in the names of Google and other high-profile targets. The task of cleaning up after this attack was crushingly difficult.
Security experts maintain that cleaning up fraudulently obtained certificates only deals with known attacks. What about other fraudulent certificates that may have slipped by unnoticed? How can organizations be sure others aren't issued in the future?
If a CA is compromised or an encryption algorithm is broken, organizations must be prepared to replace all of their certificates and keys in a matter of hours.
The problem is this: few organizations have an automated management platform that gives them the power to replace compromised certificates quickly. Instead, replacing known and compromised certificates is largely a manual effort. Organizations are forced to continue operations in a compromised conditionpossibly for many monthswhile they manually replace thousands of compromised certificates. In some cases, continuing operations may not even be an option and entire systems may have to be shut down until the organizations can remediate the problem. And this will only work for certificates they know about in their environments. What about the certificates and keys on the network that know one know about and that are not being tracked, even if only via manual processes. In the meantime, they are vulnerable to further attacks.
What Must Be Done?
The first step organizations must take to protect themselves is to encrypt everythingyes, all of it.
As most companies already encrypt the data they consider most critical, they simply need to expand the protective umbrella of encryption to cover all data, wherever it moves or resides. For instance:
- Organizations should leverage symmetric keys to encrypt stored data on all systems, including server and end-user platforms and remote storage devices.
- Organizations should use digital certificates and asymmetric and Secure Shell (SSH) encryption keys to encrypt all data flowing between users and applications, as well as data moving between applications. This latter type of communication has become increasingly important in the last few years as cloud computing has turned up the volume on server-to-server transmissions, authentication and processing.
- IT security professionals must attend to resources that reside in public clouds, which require the security of encryption as much asor even more thando internal systems. Given their clear benefits, cloud services have attracted significant attention from both security professionals and criminal organizations, and will continue to command attention as more valuable data moves in their direction.
It doesn't end here. Organizations' next step is to protect themselves by managing all their encryption assetsparticularly encryption keys. Too many make the mistake of relying solely on encryption to protect them, but fail to protect the encryption keys.
Although people regularly crack encryption algorithms at security conferences to earn the accolades of their peers, rarely do people seek exposure this way in the real world. Still, while encryption generally stymies cracking efforts, what was once sacrosanct is now yesterday's lunch to hackers (think RSA SecureID tokens).
When data is protected by securing it with an encryption key, the key becomes the data. Thus it is now the key that must be protected. If the key is not well managed, the risk of data loss or theft increases significantly. Using an analogy from the physical world, increasing the size of the lock on your door or business may make you feel more secure, but if you leave the key to the lock under the mat, it doesn't matter how large or strong the lock is, it can easily be opened.
Enterprises need to move past the realization that no CA is infallible and begin to formulate their own compromise-recovery and business-continuity plans.
To protect their encryption keys, and therefore limit access to, and ensure the security of, sensitive data and critical company information, organisations must take the initiative to implement the following best practices:
- Minimize encryption keys' exposure at all points in their lifecyclesfrom enrollment (in the case of certificates' private keys) to deployment to ongoing management.
- Implement strict controls that provide audit trails for access to encryption keys.
- Use different passwords to secure different keystores, and rotate these passwords.
In an environment where future CA compromisesand the inability to trust the certificates CAs issueare foregone conclusions, organisations must encrypt more data and protect their encryption keys with locked-down security policies. Only through rigorously adhering to best practices, implementing a full encryption policy and automating certificate discovery and renewal can they truly say they have done this.
About the Author
Calum MacLeod has over 30 years of expertise in secure networking technologies, and is currently EMEA Director for Venafi, digital certificate and encryption key management specialists. Before joining Venafi, he worked for Tufin and then Cyber-Ark. He has also served as an independent consultant to corporate and government clients on IT security strategy for various European market segments, including the European Commission.