- Security TWENTY
- Women in Security Awards
Why are the hackers targeting certificate authorities and what can you do about it? Many are looking for where the biggest opportunities for hackers will lie. We all know history has a habit of repeating itself so, with the sweet smell of success still in their nostrils, it is a fair assumption that the black hats will stick to what they’ve proven works. What we need to do is change what we’re doing to stop them. Calum MacLeod, EMEA Director, Venafi, examines 2011’s most disturbing IT security development, how certificate authority (CA) third-party trust providers have become the hacker target of choice. He details how it’s happened and what we have to do to ensure we keep the bad guys out.
Probably the most disturbing data breaches of 2011 saw security companies themselves come under determined and sustained attacks. RSA and DigiNotar all fell victim to hackers, sending shockwaves through the security community. And only weeks into the new year we have had the belated announcement that VeriSign – another trusted third-party certificate authority – has been hacked and data breached. These organisations know that they are high-value targets and take extraordinary measures to protect themselves, and yet they are still successfully attacked and breached despite these best efforts.
If companies that pride themselves on providing the most advanced and sophisticated network security solutions can’t protect themselves, how can we they look after us? DigiNotar was so seriously damaged that it went out of business—an unprecedented event in the IT security industry.
The news that VeriSign was compromised should not be a surprise to anyone. Hackers have been targeting and breaching high-value targets like RSA, Comodo, DigiNotar, and now add to the list, VeriSign. These targets are all trusted third-party providers of certificates, services, or secure tokens—technologies that are extensively used to authenticate and create trusted relationships on the internet and within organizations worldwide. The inescapable conclusion is that these providers will continue to be compromised. The breaches cannot be stopped. What we have to do is learn how to anticipate these criminal attacks and prevent them.”
A Lucky Strike?
The devastating attack on DigiNotar is testament to the insecurity of certificates. In a not too dissimilar fiasco, hackers broke into DigiNotar’s systems and created forged digital certificates in the names of Google and other high-profile targets. The task of cleaning up after this attack was crushingly difficult.
Security experts maintain that cleaning up fraudulently obtained certificates only deals with known attacks. What about other fraudulent certificates that may have slipped by unnoticed? How can organisations be sure others aren’t issued in the future?
If a CA is compromised or an encryption algorithm is broken, organisations must be prepared to replace all of their certificates and keys in a matter of hours.
The problem is this: few organisations have an automated management platform that gives them the power to replace compromised certificates quickly. Instead, replacing known and compromised certificates is largely a manual effort. Organisations are forced to continue operations in a compromised condition—possibly for many months—while they manually replace thousands of compromised certificates. In some cases, continuing operations may not even be an option and entire systems may have to be shut down until the organisations can remediate the problem. And this will only work for certificates they know about in their environments. What about the certificates and keys on the network that know one know about and that are not being tracked, even if only via manual processes. In the meantime, they are vulnerable to further attacks.
What Must Be Done?
The first step organisations must take to protect themselves is to encrypt everything—yes, all of it.
As most companies already encrypt the data they consider most critical, they simply need to expand the protective umbrella of encryption to cover all data, wherever it moves or resides. For instance:
It doesn’t end here. Organisations’ next step is to protect themselves by managing all their encryption assets—particularly encryption keys. Too many make the mistake of relying solely on encryption to protect them, but fail to protect the encryption keys.
Although people regularly crack encryption algorithms at security conferences to earn the accolades of their peers, rarely do people seek exposure this way in the real world. Still, while encryption generally stymies cracking efforts, what was once sacrosanct is now yesterday’s lunch to hackers (think RSA SecureID tokens).
When data is protected by securing it with an encryption key, the key becomes the data. Thus it is now the key that must be protected. If the key is not well managed, the risk of data loss or theft increases significantly. Using an analogy from the physical world, increasing the size of the lock on your door or business may make you feel more secure, but if you leave the key to the lock under the mat, it doesn’t matter how large or strong the lock is, it can easily be opened.
Enterprises need to move past the realisation that no CA is infallible and begin to formulate their own compromise-recovery and business-continuity plans.
To protect their encryption keys, and therefore limit access to, and ensure the security of, sensitive data and critical company information, organisations must take the initiative to implement the following best practices:
In an environment where future CA compromises—and the inability to trust the certificates CAs issue—are foregone conclusions, organisations must encrypt more data and protect their encryption keys with locked-down security policies. Only through rigorously adhering to best practices, implementing a full encryption policy and automating certificate discovery and renewal can they truly say they have done this.