It has taken some time but we finally have succumbed to the delights of a certain kitchen utensil. Years of resisting George, John and the seductive talents of Penelope had left me more determined than ever to resist at all costs. The result: a plethora of appliances – eight at last count – to produce the perfect cup of coffee at the right moment, cluttering kitchen surfaces and cupboards, and never quite getting it right. After all, each appliance needs and produces its own unique type of coffee. And it's difficult, when you're the only serious coffee drinker, to convince 'management' at home that such a thing as a CCM (Centralized Coffee Management) system is essential.

And the story is similar with encryption keys and certificates. Look around any mid- to large-size organization and you will find SSL, SSH and symmetric keys and digital certificates scattered around – and each type will also have several variants. Then there are all the different “utensils” which use the keys, from applications to a myriad of appliances, as well as a host of built-in “tools” to manage each variety. The result is more management systems than the average household's coffee machines.

Today SSL and SSH keys and certificates are found littered across virtually all systems, applications and end-user computing devices. In most cases no one knows who caused the ever-proliferating and expanding landscape of encryption “litter,” and since these keys and certificates are used to protect critical systems and sensitive data, ineffective and siloed management means that organizations are increasingly susceptible to failed audits, security risks, unexpected systems outages, and compromises to systems, applications and, most importantly, critical data. Of course, each of these comes with its own costly financial and reputational consequences.

The Dark Side

And just as I'm told that there's a dark side to my caffeine addiction, there is a definite dark side to the unmanaged and unquantified encryption keys and certificates that we've become so dependent on – which now act as the infrastructure backbone of all online trust and security. Today as never before, everyone from governments to private individuals is under attack. The use of malware for criminal, ideological and political aims is growing at an alarming rate.

Stuxnet opened Pandora's Box when the use of valid, stolen SSL certificates as a means to authenticate the malware and allow it to remain hidden and undetected became common knowledge. Since then there has been an explosion of malware that is digitally signed with such certificates.

Can we defend ourselves against state-sponsored attacks?

Today we are faced with cyber-attacks on a scale never imagined, and the question that has to be asked is whether or not there is anything we can do to protect our infrastructure, enterprises and ourselves.

I believe the reality is that we are responsible in large part for the ease with which cyber-terrorists, regardless of their ideology or motivation, are attacking us. In effect, we are supplying the weapons that are being used against us. The collective failure of enterprises to protect keys and certificates is resulting in these very keys and certificates being used against us.

The Flame attack, for example, which masqueraded as a Windows update, was successful because of Microsoft's continued use of the MD5 algorithm, years after they themselves had identified that it was compromised. A surprisingly small amount of money needed to be spent to create a duplicate certificate.

Shamoon, which attacked Aramco and RasGas, leveraged a certificate stolen from a company called Eldos and issued by Globalsign. The fact that it was issued by Globalsign is not the problem; the problem is that the key and certificate were reportedly stolen from Eldos. And it goes on and on. Cyber-terrorists are literally helping themselves to keys and certificates from global business because they know that no one manages them. When organizations don't ensure proper controls over trust, business stops. End of story.

So the first step in defending ourselves is to protect our key and certificate arsenal. Having effective management so that access to any key or certificate is controlled is a first step in ensuring that you don't become the next unsuspecting collaborator. And that management has to be unbiased, universal and independent if it's going to work – not caring who issues the encryption or in what departmental silos it resides (one cannot be both the issuer and manager of encryption simultaneously; there are too many inherent conflicts of interest).

Secondly, enterprises are not responding to the attacks. There is massive investment in perimeter security but when we are told repeatedly that the threat is as much from within as outside, we need to act.

Can we still protect critical infrastructure from attack in the digital age?

If malware is the cyber-terrorist weapon of the 21st century, then organizations need to reduce the risk as much as possible. At last count there are in excess of 1,500 Trusted Third Parties who issue certificates globally. Many of these are in every system in the infrastructure, and the result is that if a system trusts the issuer, it will by default trust the “messenger,” in this case malware.

So like your firewall in the 20th century, which you used to reduce the access points through your perimeter, effective management of trusted issuers and instruments similarly reduces your risk of malware infection. If a system doesn't know the issuer, it's not going to trust the messenger. So although you can never completely remove the risk because you have to trust some people, you will significantly reduce the number of possible attacks.

But this requires the determination of an organization to take steps to protect itself. The management of trust stores in every system becomes an absolute necessity in the fight against cyber-terrorism, regardless of what group, enterprise, or nation state is behind it.

According to U.S. Defense Secretary Leon Panetta, the Pentagon and American intelligence agencies are seeing an increase in cyber threats that could have devastating consequences if they aren't stopped. “A cyber-attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyze the nation,” he said.

The question is: when will we start to see individuals and organisations being held culpable for these attacks? In the cyber-terrorism war, it is big business selling valid SSL certificates, whether stolen, lost or sold, to “terrorists” – and it is likely to play a significant part in a major incident, and ignorance will not be a defense!

So my advice is, as George Orwell wrote in 1984 – “If you want to keep a secret, you must also hide it from yourself.”

Calum MacLeod is EMEA director for Venafi, a Sandy, Utah-based provider of digital certificate and encryption key management services.
