5 steps to lock down cryptographic keys, digital certificates


(Editor’s note: Cryptographic keys and digital certificates are used to lock down mission critical webservers, databases and applications. In this ThirdCertainty guest essay, Kevin Bocek, Vice President of Security Strategy & Threat Intelligence at security firm Venafi outlines why these cornerstones may be crumbling.)

By Kevin Bocek, Special for ThirdCertainty

Cryptographic keys and digital certificates provide the foundation of trust for every app, website, and cloud service today. Yet these keys to the kingdom are consistently being misused and compromised by attackers. Consider news headlines in the past few weeks:

WireLurker, a malware Trojan targeting Apple iOS, revolves around the attackers compromising the keys and certificates used to authenticate apps deployed through an iOS enterprise app store. By spoofing the keys and certificates, the bad guys were able to load malware onto non-jailbroken Apple iPhones and iPads.


Meanwhile, the Community Health Systems data breach demonstrated how exploiting the Heartbleed flaw in OpenSSL cryptography libraries is not a theoretical scenario. Recent University of Maryland research found that 87% of Heartbleed-vulnerable certificates were not properly remediated. Organizations remain vulnerable and attackers will choose when and where to use their exploits, in CHS’ case stealing 4.5 million patient records from 206 hospitals.


And misused digital certificates drove the DarkHotel attack detailed in a recent report from Kaspersky. The attackers targeted traveling executives using hotel Wi-Fi networks. The execs believed they were transmitting data privately, in an authenticated way. The attackers used compromised certificates to get in between the unsuspecting executives and their home offices.

These disclosures and revelations add up to a serious wake-up call for the information security industry.

Over the last month I’ve met with CISOs from Berlin to Sydney. The message is the same: the threatscape has changed and the risk posed by the misuse of keys and certificates is very high. Security operations teams need to wake up and realize the root of the problem: you simply can no longer blindly trust certificates.

Protecting keys and certificates from administrator errors, policy violations or malicious intent requires more than traditional certificate management or key life-cycle capabilities. These approaches won’t help identify anomalous or rogue usage of keys and certificates across multiple issuers, systems and applications.

Combatting threats that compromise cryptographic keys and digital certificates requires automation. Here are five steps to get you there:

  • Find all keys and certificates across networks and cloud services.
  • Establish a baseline of what is trusted to detect anomalous behavior.
  • Enforce policy and secure workflows to prevent misuse.
  • Integrate applications and network appliances that use keys and certificates, including threat detection and SSL decryption systems, conditional access systems and hardware security modules.
  • Remediate automatically—replace the entire key and certificate infrastructure, if necessary, in minutes instead of weeks or months.
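The following script is an added illustration of steps 1, 2 and 5 above; it is not code from the essay or from Venafi. It takes a constructed certificate inventory of the kind a discovery scan would produce (the record fields, hostnames, issuer names and fingerprints are all assumptions for this example), checks each certificate against a trusted baseline (approved issuers, minimum key sizes, banned signature algorithms, expiry window), flags private keys shared between hosts, and flags hosts that still present the same public key they had before a key-exposure event such as Heartbleed, which is what "not properly remediated" means in practice: the certificate was reissued but the private key was never rotated. The last function turns the findings into the list of hosts that need a new key pair rather than just a renewed certificate.

```python
"""Key and certificate baseline checks over a discovery inventory (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CertRecord:
    """One certificate found by discovery. Field names are this example's own schema."""
    host: str
    issuer: str
    key_type: str
    key_bits: int
    sig_alg: str
    key_fingerprint: str  # hash of the public key; unchanged when a cert is reissued on the same key
    not_after: datetime


# Constructed trusted baseline: what an operations team declares acceptable.
POLICY = {
    "approved_issuers": {"Corp Issuing CA 1", "Public CA A"},
    "min_key_bits": {"RSA": 2048, "EC": 256},
    "banned_sig_algs": {"sha1WithRSAEncryption", "md5WithRSAEncryption"},
    "expiry_warning": timedelta(days=30),
}

NOW = datetime(2014, 12, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed inventory; hostnames and fingerprints are placeholders, not real systems.
INVENTORY = [
    CertRecord("www.example.com", "Public CA A", "RSA", 2048, "sha256WithRSAEncryption", "fp-aaaa", NOW + timedelta(days=300)),
    CertRecord("vpn.example.com", "Corp Issuing CA 1", "RSA", 2048, "sha256WithRSAEncryption", "fp-bbbb", NOW + timedelta(days=12)),
    CertRecord("api.example.com", "Corp Issuing CA 1", "RSA", 1024, "sha1WithRSAEncryption", "fp-cccc", NOW + timedelta(days=200)),
    CertRecord("portal.example.com", "Unknown Issuer", "RSA", 2048, "sha256WithRSAEncryption", "fp-aaaa", NOW + timedelta(days=200)),
    CertRecord("mail.example.com", "Public CA A", "EC", 256, "ecdsa-with-SHA256", "fp-dddd", NOW + timedelta(days=400)),
]

# Constructed snapshot of public keys captured before a key-exposure event.
PRE_INCIDENT_KEYS = {"mail.example.com": "fp-dddd", "www.example.com": "fp-old1"}


def find_anomalies(records, policy, now, pre_incident_keys=None):
    """Return sorted (host, reason) findings for certificates that deviate from the baseline."""
    pre_incident_keys = pre_incident_keys or {}
    findings = []
    hosts_by_key = defaultdict(set)

    for r in records:
        hosts_by_key[r.key_fingerprint].add(r.host)
        if r.issuer not in policy["approved_issuers"]:
            findings.append((r.host, f"issuer not in trusted baseline: {r.issuer}"))
        min_bits = policy["min_key_bits"].get(r.key_type)
        if min_bits is None:
            findings.append((r.host, f"unknown key type: {r.key_type}"))
        elif r.key_bits < min_bits:
            findings.append((r.host, f"weak key: {r.key_type}-{r.key_bits}"))
        if r.sig_alg in policy["banned_sig_algs"]:
            findings.append((r.host, f"banned signature algorithm: {r.sig_alg}"))
        remaining = r.not_after - now
        if remaining <= timedelta(0):
            findings.append((r.host, "certificate expired"))
        elif remaining <= policy["expiry_warning"]:
            findings.append((r.host, f"expires in {remaining.days} days"))
        # Reissuing a certificate on the old key leaves an exposed key in service.
        if pre_incident_keys.get(r.host) == r.key_fingerprint:
            findings.append((r.host, "key not rotated after exposure"))

    # Key reuse is only visible across the whole inventory, so check it after the loop.
    for hosts in hosts_by_key.values():
        if len(hosts) > 1:
            for h in hosts:
                findings.append((h, f"private key shared with {len(hosts) - 1} other host(s)"))
    return sorted(findings)


def rekey_targets(findings):
    """Hosts whose findings require a new key pair, not merely a renewed certificate."""
    needs_new_key = ("weak key", "key not rotated", "private key shared")
    return sorted({h for h, reason in findings if reason.startswith(needs_new_key)})


if __name__ == "__main__":
    results = find_anomalies(INVENTORY, POLICY, NOW, PRE_INCIDENT_KEYS)
    for host, reason in results:
        print(f"{host:22} {reason}")
    print("rekey:", ", ".join(rekey_targets(results)))
```

In a real deployment the inventory would be fed by scanning listeners and reading key stores rather than a hard-coded list, and the pre-incident snapshot would be the inventory captured before the exposure; the checks themselves stay the same.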

Attackers seek trusted status. They know they can get it by misusing keys and certificates. Thus when keys and certificates aren’t properly protected, every single security control can be undermined and circumvented.
