Hackers Targeting Certificate Authorities
Probably the most disturbing data breaches of 2011 saw security companies themselves come under determined and sustained attacks. RSA and DigiNotar both fell victim to hackers, sending shockwaves through the security community. And only weeks into the new year we have had the belated announcement that VeriSign – another trusted third-party certificate authority - has been hacked and data breached.
These organizations know that they are high-value targets and take extraordinary measures to protect themselves, and yet they are still successfully attacked and breached despite these best efforts.
If companies that pride themselves on providing the most advanced and sophisticated network security solutions can’t protect themselves, how can we they look after us? DigiNotar was so seriously damaged that it went out of business—an unprecedented event in the IT security industry.
The news that VeriSign was compromised should not be a surprise to anyone. Hackers have been targeting and breaching high-value targets like RSA, Comodo, DigiNotar and now add to the list, VeriSign. These targets are all trusted third-party providers of certificates, services, or secure tokens—technologies that are extensively used to authenticate and create trusted relationships on the internet and within organizations worldwide.
The inescapable conclusion is that these providers will continue to be compromised. The breaches cannot be stopped. What we have to do is learn how to anticipate these criminal attacks and prevent them.
A Lucky Strike?
The devastating attack on DigiNotar is testament to the insecurity of certificates. In a not-too-dissimilar fiasco, hackers broke into DigiNotar’s systems and created forged digital certificates in the names of Google and other high-profile targets. The task of cleaning up after this attack was crushingly difficult.
Security experts maintain that cleaning up fraudulently obtained certificates only deals with known attacks. What about other fraudulent certificates that may have slipped by unnoticed? How can organizations be sure others aren’t issued in the future?
If a certificate authority is compromised or an encryption algorithm is broken, organizations must be prepared to replace all of their certificates and keys in a matter of hours.
The problem is this: few organizations have an automated management platform that gives them the power to replace compromised certificates quickly. Instead, replacing known and compromised certificates is largely a manual effort.
Organizations are forced to continue operations in a compromised condition—possibly for many months — while they manually replace thousands of compromised certificates. In some cases, continuing operations may not even be an option and entire systems may have to be shut down until the organizations can remediate the problem. And this will only work for certificates they know about in their environments.
What about the certificates and keys on the network that that are not being tracked, not even by manual processes? In the meantime, they are vulnerable to further attacks.
What Must Be Done?
The first step organizations must take to protect themselves is to encrypt everything — yes, all of it.
As most companies already encrypt the data they consider most critical, they simply need to expand the protective umbrella of encryption to cover all data, wherever it moves or resides. For instance:
- Organizations should leverage symmetric keys to encrypt stored data on all systems, including server and end-user platforms and remote storage devices.
- Organizations should use digital certificates and asymmetric and Secure Shell encryption keys to encrypt all data flowing between users and applications, as well as data moving between applications. This latter type of communication has become increasingly important in the past few years as cloud computing has turned up the volume on server-to-server transmissions, authentication and processing.
- IT security professionals must attend to resources that reside in public clouds, which require the security of encryption as much as — or even more than — do internal systems. Given their clear benefits, cloud services have attracted significant attention from both security professionals and criminal organizations, and will continue to command attention as more valuable data moves in their direction.
It doesn’t end here. Organizations’ next step is to protect themselves by managing all their encryption assets — particularly encryption keys. Too many make the mistake of relying solely on encryption to protect them, but fail to protect the encryption keys.
Although people regularly crack encryption algorithms at security conferences to earn the accolades of their peers, rarely do people seek exposure this way in the real world. Still, while encryption generally stymies cracking efforts, what was once sacrosanct is now yesterday’s lunch to hackers (think RSA SecureID tokens).
When data is protected by securing it with an encryption key, the key becomes the data. Thus it is now the key that must be protected. If the key is not well managed, the risk of data loss or theft increases significantly.
Using an analogy from the physical world, increasing the size of the lock on your door or business may make you feel more secure, but if you leave the key to the lock under the mat, it doesn’t matter how large or strong the lock is, it can easily be opened.
Enterprises need to move past the realization that no CA is infallible and begin to formulate their own compromise-recovery and business-continuity plans.
To protect their encryption keys, and therefore limit access to, and ensure the security of, sensitive data and critical company information, organizations must take the initiative to implement the following best practices:
- Minimize encryption keys’ exposure at all points in their lifecycles — from enrollment (in the case of certificates’ private keys) to deployment to ongoing management.
- Implement strict controls that provide audit trails for access to encryption keys.
- Use different passwords to secure different keystores, and rotate these passwords.
In an environment where future CA compromises — and the inability to trust the certificates that CAs issue — are foregone conclusions, organizations must encrypt more data and protect their encryption keys with locked-down security policies. Only through rigorously adhering to best practices, implementing a full encryption policy and automating certificate discovery and renewal can they truly say they have done this.