Certificate Authorities (CAs) are still allowing themselves to fall victim to hackers despite a fundamentally catastrophic effects which a compromised CA can produce. Even after the DigiNotar disaster recent research shows that CA is still being compromised regularly. As there are more than 650 CAs trusted by commercial browsers, it only takes one of them to be compromised for hundreds of thousands of websites to be potentially under attack.
It is unfortunately the case, that with 650 CAs able to issue certificates the probability is that at least some of them will, even after DigiNotar and Comodo, still not properly secure the infrastructure allowing the relentless hackers a way in.
Access, an international non-governmental organisation (NGO) and digital rights advocate maintains: “If a single one of the 650 public certificate authorities (CAs) that your systems support, by default, is compromised the entire system is compromised – so keeping 100% of the CAs at 100% compliance and 100% impervious from zero-day attacks is a very hard problem indeed.” I’d add, especially when you don’t control them!
As breaches have tragically become a regular occurrence, the different incidents seem to be turning into a blur as they add up. What might be shocking then is that the reality is most breaches actually go unnoticed, and even unreported, because many believe that these breaches are not considered newsworthy. According to the Electronic Frontier Foundation, public CAs are revoking approximately 50,000 certificates a month – this is nothing short of criminal.
It is astonishing that in these days of heightened security, when the Olympic games is protected by massive security, tweeting too light-heartedly about security can get you locked up and air travel has almost ground to a halt because of security – some CAs are as well protected as cheese on a mousetrap.
Preparing and responding for a CA breach has to be a priority for every organisation. However, no one said it’s going to be easy. With several recent breaches, I believe it is important to learn and apply some practical lessons.
Filtering out the ‘Noise’
So what lessons, if any, can we learn and apply to the challenges we face from cyber-terrorism?
1. Too much information
We all suffer from information overload. Many of us add to this deluge by subscribing to news-feeds, twitter, and various other information sources that effectively drown us in words. In addition we all receive “junk mail” from a variety of sources. And many of us – myself included – regularly contribute to the “essential reading” that you receive. The problem is, amongst all this ‘noise’, is hidden a vital piece of information. Take the time to at least skim messages instead of just deleting them. You never know what might catch your eye, and give you an early warning!
2. There are bigger problems
The problem with a ‘to do’ list is that it’s never, or very rarely, finished. Sound familiar? However, with many people feeding into fix lists it’s always easier to deal with the person shouting the loudest while someone who isn’t clamouring for attention, but could have the bigger issue, gets forgotten. Another common problem is the person prioritizing the items doesn’t fully understand the implications of the risks.
For example, those responsible for PKI and security have at best an “arm’s length” relationship with their IT colleagues, and as a result have little or no appreciation for the challenges that IT face. On the other had IT regards security teams with suspicion, and often are preoccupied with the suspicion that security just wants to take over responsibility. This requires action by senior management at the CIO, CSO, CFO, CTO level to ensure that different groups cooperate rather than compete.
3. Management need to be kept aware and take responsibility
‘Buck passing’ is a frequent past-time in many organisations, especially if someone isn’t willing to stand up and take responsibility – or feel that they can. All too often the security team does not feel empowered to bring information to the management’s attention, or no mechanism exists to inform the CIO of risks that might affect the business. On the other hand CIOs are frequently more concerned about not spending money, and keeping the board happy, than giving their “troops” the support and resources they need. If this sounds familiar then perhaps it’s time it didn’t.
4. Pay attention and act on new clues, regardless of the source
In the IT industry there is not a day that goes by when we are not being alerted about yet another risk. However it is questionable how seriously organisations take alerts that may relate to Iranian nuclear facilities, or breaches of databases in Japan, etc. Just because you may not have used Diginotar certificates, or Digicert Malaysia was not on your list of preferred suppliers, does not mean that you’re not the next victim. Every single Windows device has been affected by Flame and no one saw that coming!
5. Denial and retribution
Bottom line is somebody has to pay, and when your business’ reputation and earnings are affected by severe failure in your IT infrastructure, then someone will pay. Corporate senior management expect that those who are paid to fulfil a specialist role can do so effectively. There are not many CSOs or IT Security Directors who can expect to survive a digital certificate compromise or a certificate authority (CA) compromise on the basis of “there were no warning signs”!
6. You never know when it will hit you
Just like a boy scout – you need to be prepared. If you wake up tomorrow and discover that your internal and/or external CA had been completely compromised, would you have a clear action plan. Likely not, and I’m sure that should you get the opportunity to be in a similar position in your next organisation that you’d be better prepared the next time around!
7. Get serious about the risk
Your infrastructure security is under attack, and your keys, certificates and CAs are a primary target. Those attacking you understand that you have ignored this area, and that enterprise key and certificate management has generally been forgotten about. Your enemy is exploiting your ignorance, and unless you get control of your CAs, they will get you.
What many organisations are still ignoring is that keys and certificates are the very foundation of secure systems — therefore a CA compromise will have dramatic effects. The reason these dramatic effects have taken place is because hackers have woken up to how they can use compromise certificates, from badly run CAs, to carry out major data breaches.
The litany of recent attacks such as Flame, Stuxnet and Duqu have surely displayed that CA compromises are now a strategic tool in the hackers swag bag. There is no point securing the perimeter of your defences if the hacker can use a stolen certificate to swoop through them, gaining access to all of your organisation’s secrets — you need to understand the risks, put processes in place and educate all of your staff to be prepared for and how to respond to a CA compromise. Otherwise the only noise you will hear is the closing of the door behind you and your organisation decides it cannot risk employing you for any longer.