Why hackers are targeting CAs - and what you can do about it
Venafi: CAs are not wholly to blame for certificate-based attacks
Probably the most disturbing data breaches of 2011 involved security companies themselves coming under determined and sustained attacks. RSA and DigiNotar both fell victim to hackers, sending shockwaves through the security community.
Only weeks into the new year, we have had the belated announcement that VeriSign – another trusted third-party certificate authority (CA) – was hacked and had data breached. These organisations know that they are high-value targets and take extraordinary measures to protect themselves, and yet they are still successfully attacked and breached despite these best efforts.
If companies that pride themselves on providing the most advanced and sophisticated network security solutions can't protect themselves, how can they look after us? DigiNotar was so seriously damaged that it went out of business, an unprecedented event in the IT security industry.
These targets are all trusted third-party providers of certificates, services or secure tokens: technologies that are extensively used to authenticate and create trusted relationships on the internet and within organisations worldwide. The inescapable conclusion is that these providers will continue to be compromised and the breaches cannot be stopped. What we have to do is learn how to anticipate these criminal attacks.
The devastating attack on DigiNotar is testament to the insecurity of certificates. Hackers broke into DigiNotar's systems and created forged digital certificates in the names of Google and other high-profile targets. The task of cleaning up after this attack was crushingly difficult.
Security experts maintain that cleaning up fraudulently obtained certificates only deals with known attacks. What about other fraudulent certificates that may have slipped by unnoticed? How can organisations be sure others aren't issued in the future?
If a CA is compromised or an encryption algorithm is broken, organisations must be prepared to replace all of their certificates and keys in a matter of hours.
The problem is this: few organisations have an automated management platform that gives them the power to replace compromised certificates quickly. Instead, replacing known and compromised certificates is largely a manual effort. Organisations are forced to continue operations in a compromised condition, possibly for many months, while they manually replace thousands of compromised certificates.
In some cases, continuing operations may not even be an option and entire systems may have to be shut down until the organisations can remediate the problem. This will only work for certificates they know about in their environments, so what about the certificates and keys on the network that no one knows about and that are not being tracked, even if only via manual processes? In the meantime, they are vulnerable to further attacks.
The first step organisations must take to protect themselves is to encrypt everything. As most companies already encrypt the data they consider most critical, they simply need to expand the protective umbrella of encryption to cover all data, wherever it moves or resides. For instance: organisations should leverage symmetric keys to encrypt stored data on all systems, including server and end-user platforms and remote storage devices.
They should also use digital certificates and asymmetric and Secure Shell (SSH) encryption keys to encrypt all data flowing between users and applications, as well as data moving between applications. This latter type of communication has become increasingly important in the last few years as cloud computing has turned up the volume on server-to-server transmissions, authentication and processing.
IT security professionals must also attend to resources that reside in public clouds, which require the security of encryption as much as internal systems. Given their clear benefits, cloud services have attracted significant attention from both security professionals and criminal organisations and will continue to command attention as more valuable data moves in their direction.
It doesn't end here. Organisations' next step is to protect themselves by managing all their encryption assets, particularly encryption keys. Too many make the mistake of relying solely on encryption to protect them, but fail to protect the keys.
Although people regularly crack encryption algorithms at security conferences to earn the accolades of their peers, rarely do people seek exposure this way in the real world. Still, while encryption generally stymies cracking efforts, what was once sacrosanct is now yesterday's lunch to hackers (think RSA SecureID tokens).
When data is protected by securing it with an encryption key, the key becomes the data, thus it is now the key that must be protected. If the key is not well managed, the risk of data loss or theft increases significantly.
Using an analogy from the physical world, increasing the size of the lock on your door or business may make you feel more secure, but if you leave the key to the lock under the mat, it doesn't matter how large or strong the lock is, it can easily be opened.
Enterprises need to move past the realisation that no CA is infallible and begin to formulate their own compromise-recovery and business-continuity plans. To protect their encryption keys and therefore limit access to, and ensure the security of, sensitive data and critical company information, organisations must take the initiative to implement the following best practices:
- Minimise encryption keys' exposure at all points in their lifecycle – from enrollment (in the case of certificates' private keys) to deployment to ongoing management;
- Implement strict controls that provide audit trails for access to encryption keys;
- Use different passwords to secure different keystores and rotate these passwords.
In an environment where future CA compromises and the inability to trust the certificates CAs issue are foregone conclusions, organisations must encrypt more data and protect their encryption keys with locked-down security policies.
Only through rigorously adhering to best practices, implementing a full encryption policy and automating certificate discovery and renewal can they truly say they have done this.
Calum MacLeod is EMEA director of Venafi