
Why hackers are targeting CAs - and what you can do about it

Venafi: CAs are not wholly to blame for certificate-based attacks

Probably the most disturbing data breaches of 2011 involved security companies themselves coming under determined and sustained attacks. RSA and DigiNotar both fell victim to hackers, sending shockwaves through the security community.

Only weeks into the new year, we have had the belated announcement that VeriSign – another trusted third-party certificate authority (CA) – was hacked and had data breached. These organisations know that they are high-value targets and take extraordinary measures to protect themselves, and yet they are still successfully attacked and breached despite these best efforts.

If companies that pride themselves on providing the most advanced and sophisticated network security solutions can't protect themselves, how can they look after us? DigiNotar was so seriously damaged that it went out of business, an unprecedented event in the IT security industry.

These targets are all trusted third-party providers of certificates, services or secure tokens: technologies that are extensively used to authenticate and create trusted relationships on the internet and within organisations worldwide. The inescapable conclusion is that these providers will continue to be compromised and the breaches cannot be stopped. What we have to do is learn how to anticipate these criminal attacks.

The devastating attack on DigiNotar is testament to the insecurity of certificates. Hackers broke into DigiNotar's systems and created forged digital certificates in the names of Google and other high-profile targets. The task of cleaning up after this attack was crushingly difficult.

Security experts maintain that cleaning up fraudulently obtained certificates only deals with known attacks. What about other fraudulent certificates that may have slipped by unnoticed? How can organisations be sure others aren't issued in the future?

If a CA is compromised or an encryption algorithm is broken, organisations must be prepared to replace all of their certificates and keys in a matter of hours.

The problem is this: few organisations have an automated management platform that gives them the power to replace compromised certificates quickly. Instead, replacing known and compromised certificates is largely a manual effort. Organisations are forced to continue operations in a compromised condition, possibly for many months, while they manually replace thousands of compromised certificates.

In some cases, continuing operations may not even be an option and entire systems may have to be shut down until the organisations can remediate the problem. This will only work for certificates they know about in their environments, so what about the certificates and keys on the network that no one knows about and that are not being tracked, even if only via manual processes? In the meantime, they are vulnerable to further attacks.
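The two paragraphs above describe the problem of a CA compromise in operational terms: which of the organisation's certificates chain to the breached CA, which of those are on the network but were never recorded, and in what order they should be replaced. The following script is an added example (it is not from the article and not Venafi's software) that works this out over a constructed inventory. It identifies issuers by simplified CN strings rather than by Authority Key Identifier and signature verification, which a production tool would use; all certificate names, serials and hosts are invented.

```python
"""Compromised-CA impact check over a certificate inventory (added example).

Given certificates found on the network and the certificates the organisation
actually tracks, find everything that chains to a breached CA, list what was
never tracked, and order the replacement work.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    serial: str            # hex serial; constructed values below
    subject: str           # subject, simplified to a CN string
    issuer: str            # issuer, simplified to a CN string
    not_after: date        # expiry
    host: str              # where the certificate was found
    critical: bool = False  # business-critical service?
    is_ca: bool = False     # CA certificate (can issue others)?


def build_chain(cert, by_subject):
    """Walk issuers upward until a self-signed root or an unknown issuer."""
    chain = [cert]
    seen = {cert.subject}
    cur = cert
    while cur.issuer != cur.subject:
        parent = by_subject.get(cur.issuer)
        if parent is None or parent.subject in seen:  # missing or looping
            break
        chain.append(parent)
        seen.add(parent.subject)
        cur = parent
    return chain


def affected_by_ca(certs, compromised_ca):
    """Serials of certificates whose chain passes through compromised_ca."""
    by_subject = {c.subject: c for c in certs if c.is_ca}
    affected = set()
    for c in certs:
        if any(link.subject == compromised_ca for link in build_chain(c, by_subject)):
            affected.add(c.serial)
    return affected


def untracked(discovered, inventory):
    """Serials seen on the network that the inventory does not know about."""
    known = {c.serial for c in inventory}
    return {c.serial for c in discovered if c.serial not in known}


def replacement_plan(certs, affected):
    """Order affected end-entity certs: critical services first, then soonest expiry."""
    todo = [c for c in certs if c.serial in affected and not c.is_ca]
    return [c.serial for c in sorted(todo, key=lambda c: (not c.critical, c.not_after))]


# Constructed sample data: a healthy root, a breached root with an intermediate,
# and leaf certificates on several hosts. None of these names are real.
ROOT_GOOD = Cert("01", "Good Root CA", "Good Root CA", date(2030, 1, 1), "trust-store", is_ca=True)
ROOT_BAD = Cert("02", "Breached Root CA", "Breached Root CA", date(2030, 1, 1), "trust-store", is_ca=True)
INTER_BAD = Cert("03", "Breached Issuing CA 1", "Breached Root CA", date(2025, 1, 1), "trust-store", is_ca=True)
WEB = Cert("10", "www.example.test", "Breached Issuing CA 1", date(2013, 6, 1), "web-01", critical=True)
MAIL = Cert("11", "mail.example.test", "Breached Issuing CA 1", date(2012, 9, 1), "mail-01")
VPN = Cert("12", "vpn.example.test", "Good Root CA", date(2013, 1, 1), "vpn-01", critical=True)
INVENTORY = [ROOT_GOOD, ROOT_BAD, INTER_BAD, WEB, MAIL, VPN]

# A certificate a network scan turned up that nobody recorded: the untracked case.
FORGOTTEN = Cert("13", "legacy.example.test", "Breached Issuing CA 1", date(2012, 5, 1), "legacy-07")
DISCOVERED = INVENTORY + [FORGOTTEN]


if __name__ == "__main__":
    hit = affected_by_ca(DISCOVERED, "Breached Root CA")
    print("affected serials:", sorted(hit))
    print("untracked serials:", sorted(untracked(DISCOVERED, INVENTORY)))
    print("replacement order:", replacement_plan(DISCOVERED, hit))
```

Run against the sample data, the check flags the breached root, its intermediate and every leaf under them, reports the legacy host's certificate as untracked, and schedules the critical web certificate first. The same structure applies to a real inventory once the chain walk is backed by proper X.509 parsing and signature checks.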

The first step organisations must take to protect themselves is to encrypt everything. As most companies already encrypt the data they consider most critical, they simply need to expand the protective umbrella of encryption to cover all data, wherever it moves or resides. For instance: organisations should leverage symmetric keys to encrypt stored data on all systems, including server and end-user platforms and remote storage devices.

They should also use digital certificates and asymmetric and Secure Shell (SSH) encryption keys to encrypt all data flowing between users and applications, as well as data moving between applications. This latter type of communication has become increasingly important in the last few years as cloud computing has turned up the volume on server-to-server transmissions, authentication and processing.

IT security professionals must also attend to resources that reside in public clouds, which require the security of encryption as much as internal systems. Given their clear benefits, cloud services have attracted significant attention from both security professionals and criminal organisations and will continue to command attention as more valuable data moves in their direction.

It doesn't end here. Organisations' next step is to protect themselves by managing all their encryption assets, particularly encryption keys. Too many make the mistake of relying solely on encryption to protect them, but fail to protect the keys.

Although people regularly crack encryption algorithms at security conferences to earn the accolades of their peers, rarely do people seek exposure this way in the real world. Still, while encryption generally stymies cracking efforts, what was once sacrosanct is now yesterday's lunch to hackers (think RSA SecurID tokens).

When data is protected by securing it with an encryption key, the key becomes the data, thus it is now the key that must be protected. If the key is not well managed, the risk of data loss or theft increases significantly.

Using an analogy from the physical world, increasing the size of the lock on your door or business may make you feel more secure, but if you leave the key to the lock under the mat, it doesn't matter how large or strong the lock is, it can easily be opened.

Enterprises need to move past the realisation that no CA is infallible and begin to formulate their own compromise-recovery and business-continuity plans. To protect their encryption keys and therefore limit access to, and ensure the security of, sensitive data and critical company information, organisations must take the initiative to implement the following best practices:

  • Minimise encryption keys' exposure at all points in their lifecycle – from enrolment (in the case of certificates' private keys) to deployment to ongoing management;
  • Implement strict controls that provide audit trails for access to encryption keys;
  • Use different passwords to secure different keystores and rotate these passwords.

In an environment where future CA compromises and the inability to trust the certificates CAs issue are foregone conclusions, organisations must encrypt more data and protect their encryption keys with locked-down security policies.

Only through rigorously adhering to best practices, implementing a full encryption policy and automating certificate discovery and renewal can they truly say they have done this.

Calum MacLeod is EMEA director of Venafi
