5 steps to lock down cryptographic keys, digital certificates

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

(Editor’s note: Cryp­to­graph­ic keys and dig­i­tal cer­tifi­cates are used to lock down mis­sion crit­i­cal web­servers, data­bas­es and appli­ca­tions. In this Third­Cer­tain­ty guest essay, Kevin Bocek, Vice Pres­i­dent of Secu­ri­ty Strat­e­gy & Threat Intel­li­gence at secu­ri­ty firm Venafi out­lines why these cor­ner­stones may be crumbling.)

By Kevin Bocek, Spe­cial for ThirdCertainty

Cryp­to­graph­ic keys and dig­i­tal cer­tifi­cates s pro­vide the foun­da­tion of trust for every app, web­site, and cloud ser­vice today. Yet these keys to the king­dom are con­sis­tent­ly being mis­used and com­pro­mised by attack­ers. Con­sid­er news head­lines in the past few weeks:

Wire­Lurk­er, a mal­ware Tro­jan tar­get­ing Apple iOS, revolves around the attack­ers com­pro­mis­ing the keys and cer­tifi­cates used to authen­ti­cate apps deployed through an iOS enter­prise app store. By spoof­ing the keys and cer­tifi­cates, the bad guys were able to load mal­ware onto non-jail bro­ken Apple iPhones and iPads.

More: 3 steps for fig­ur­ing out if your busi­ness is secure

Mean­while, the Com­mu­ni­ty Health Sys­tems data breach demon­strat­ed how exploit­ing the Heart­bleed flaw in OpenSSL cryp­tog­ra­phy libraries is not a the­o­ret­i­cal sce­nario. Recent Uni­ver­si­ty of Mary­land research found that 87% of Heart­bleed-vul­ner­a­ble cer­tifi­cates were not prop­er­ly reme­di­at­ed. Orga­ni­za­tions remain vul­ner­a­ble and attack­ers will choose when and where to use their exploits, in CHS’ case steal­ing 4.5 mil­lion patient records from 206 hospitals.

Kevin Bocek
Kevin Bocek

And mis­used dig­i­tal cer­tifi­cates drove the Dark­Ho­tel attack detailed in a recent report from Kasper­sky. The attack­ers tar­get­ed trav­el­ing exec­u­tives using hotel Wi-Fi net­works. The execs believed they were trans­mit­ting data pri­vate­ly, in an authen­ti­cat­ed way. The attack­ers used com­pro­mised cer­tifi­cates to get in between the unsus­pect­ing exec­u­tives and their home offices

These dis­clo­sures and rev­e­la­tions add up to a seri­ous wake-up call for the infor­ma­tion secu­ri­ty industry.

Over the last month I’ve met with CISOs from Berlin to Syd­ney. The mes­sage is the same: the threatscape has changed and the risk posed by the mis­use of keys and cer­tifi­cates is very high. Secu­ri­ty oper­a­tions teams need to wake up and real­ize the root of the prob­lem: you sim­ply can no longer blind­ly trust certificates.

Pro­tect­ing keys and cer­tifi­cates from admin­is­tra­tor errors, pol­i­cy vio­la­tions or mali­cious intent requires more than tra­di­tion­al cer­tifi­cate man­age­ment or key life-cycle capa­bil­i­ties. These approach­es won’t help iden­ti­fy anom­alous or rogue usage of keys and cer­tifi­cates across mul­ti­ple issuers, sys­tems and applications.

Com­bat­ting threats that com­pro­mise cyrp­to­graph­ic keys and dig­i­tal cer­tifi­cates requires automa­tion. Here are five steps to get you there:

  • Find all keys and cer­tifi­cates across net­works and cloud services.
  • Estab­lish a base­line of what is trust­ed to detect anom­alous behavior.
  • Enforce pol­i­cy and secure work­flows to pre­vent misuse.
  • Inte­grate appli­ca­tions and net­work appli­ances that use keys and cer­tifi­cates, includ­ing threat detec­tion and SSL decryp­tion sys­tems, con­di­tion­al access sys­tems and hard­ware secu­ri­ty modules.
  • Reme­di­ate automatically—replace the entire key and cer­tifi­cate infra­struc­ture, if nec­es­sary, in min­utes instead of weeks or months.

Attack­ers seek trust­ed sta­tus. They know they can get it by mis­us­ing keys and cer­tifi­cates. Thus when keys and cer­tifi­cates aren’t prop­er­ly pro­tect­ed, every sin­gle secu­ri­ty con­trol can be under­mined and circumvented.

More on emerg­ing threats

Cor­po­rate use of cloud apps spikes risk of breaches

Word­Press emerges as a cyber­crime hotbed

Mali­cious ads pose insid­i­ous, elu­sive threat

Posted in Cybersecurity, Data Security, Guest Essays