With DigiNotar joining the ranks of Comodo, StartSSL and RSA as a trusted third-party security organisation successfully compromised by hackers, enterprises need to move past the shock and begin formulating their own compromise recovery and business continuity plans.
People have not given much thought to the impact or ramifications of a certificate authority (CA) compromise. This attack against DigiNotar marks 2011’s fourth major breach of a trusted third-party security provider – and both the stakes and the targets are higher than ever.
There will be more breaches of third-party trust providers like this in the future, and more organisations and government agencies will be affected if they do not take certain steps now.
The attackers apparently used a fraudulently issued wildcard certificate for google.com to intercept Iranian users' Gmail traffic, among other things. Most users could not detect the interception because their browsers trusted any certificate chaining to DigiNotar's root; the forgery came to light only because Google Chrome pins the keys Google's own sites are expected to present and refused the certificate. A third-party trust provider represents an extremely high-value target for hackers for exactly this reason.
Once an attacker can steal a CA's signing keys, or induce the CA to issue certificates on demand, they can impersonate any domain to every client that trusts that CA, silently reading or altering traffic that users believe to be protected, and use that position for whatever agenda they are pursuing.
SSL and PKI remain solid and reliable technologies. That does not mean that enterprises can relax. They need to be aware that any individual third-party trust provider, like a CA, can be compromised and is therefore a known risk. And known risks require solid, well-conceived contingency plans.
Mozilla, Google and others have shipped browser updates that revoke trust in DigiNotar-signed certificates, which safeguards users of those browsers. The ripple effects of a hack like this do not stop at the browser, however: any enterprise that obtained its own certificates from the compromised CA still has them deployed on its servers, and every updated client will now reject them.
All enterprises need to look at their highest-value assets—servers and applications where sensitive and regulated data flows, and that are protected by certificates. Plans must be in place to recover anytime the trust provider is compromised.
There are four very specific steps organisations must take to deal with a compromised CA. First, they must use multiple CAs so that if one is compromised, the other, non-compromised CA and its issued certificates and keys remain available for continued use.
Most companies know better than to put all of their eggs in one basket. This is a well-understood principle of business continuity and disaster recovery: always have a backup resource available. Our experience is that nearly everyone follows this practice today.
Second, organisations must have an accounting of all the CAs they use as third-party trust providers. Third, they must have a complete inventory of every certificate in the enterprise, recording its owner, its location and the CA that issued it, since that is what tells them which certificates a given compromise affects. This often numbers in the thousands, and even tens of thousands or more in Global 2000 organisations.
Fourth, and finally, every organisation must have an actionable and comprehensive plan in place to recover from a CA compromise. The time to recover needs to be measured in hours, not weeks or months. Most enterprises have glaring holes in their certificate inventories.
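The inventory and triage that steps two to four depend on can be automated, and it is worth having the tooling before the breach rather than after. The Go program below is an added illustration written for this page, not code from the original article or from any certificate-management product. It takes certificates harvested from assets, records subject and issuer for each, and flags every certificate whose chain terminates in a root you have decided to distrust. Everything in it is constructed: the asset labels such as `mx1` and `web-lb`, the example.com hostnames, and the "Good Root CA" and "Compromised Root CA" are freshly generated stand-ins, not any real CA's keys. It builds chains with the standard library rather than comparing issuer names, which matters because a certificate issued through an intermediate of the compromised CA carries the intermediate's name, not the root's, and a name match alone would miss it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one PEM certificate harvested from an asset; Asset is a hypothetical inventory label.
type Finding struct{ Asset string; PEM []byte }

// Entry is one inventory row; Affected means the chain ends in a distrusted CA, so the cert must be replaced.
type Entry struct{ Asset, Subject, Issuer string; Affected bool }

// BuildInventory parses every finding and flags certificates that chain to a distrusted root. It builds
// chains instead of comparing issuer names, so leaves issued through an intermediate of the compromised CA are caught too.
func BuildInventory(findings []Finding, distrusted []*x509.Certificate) ([]Entry, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range distrusted {
		roots.AddCert(c)
	}
	certs := make([]*x509.Certificate, len(findings))
	for i, f := range findings {
		block, _ := pem.Decode(f.PEM)
		if block == nil {
			return nil, fmt.Errorf("%s: no PEM block", f.Asset)
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f.Asset, err)
		}
		certs[i] = c
		if c.IsCA { // CA certs found on assets (chain files) become chain material
			inters.AddCert(c)
		}
	}
	entries := make([]Entry, len(certs))
	for i, c := range certs {
		// A successful chain to a distrusted root means the certificate is affected.
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
		entries[i] = Entry{findings[i].Asset, c.Subject.CommonName, c.Issuer.CommonName, err == nil}
	}
	return entries, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and signs a certificate for cn under parent (nil parent = self-signed root).
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, signer = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// DemoFindings returns a constructed harvest (one leaf under a still-trusted CA, one issued directly by the
// compromised CA, one issued via its intermediate, plus that intermediate from a chain file) and the roots to
// distrust. The keys and names are generated stand-ins, not any real CA's material.
func DemoFindings() ([]Finding, []*x509.Certificate) {
	p := func(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }
	goodRoot, goodKey := issue("Good Root CA", 1, true, nil, nil)
	badRoot, badKey := issue("Compromised Root CA", 2, true, nil, nil)
	badSub, subKey := issue("Compromised Sub CA", 3, true, badRoot, badKey)
	mail, _ := issue("mail.example.com", 10, false, goodRoot, goodKey)
	www, _ := issue("www.example.com", 11, false, badRoot, badKey)
	intra, _ := issue("intranet.example.com", 12, false, badSub, subKey)
	return []Finding{{"mx1", p(mail)}, {"web-lb", p(www)},
		{"intranet-app", p(intra)}, {"intranet-app (chain)", p(badSub)}}, []*x509.Certificate{badRoot}
}

func main() {
	findings, distrusted := DemoFindings()
	for _, e := range must(BuildInventory(findings, distrusted)) {
		fmt.Printf("%-22s %-22s issuer=%-22s affected=%v\n", e.Asset, e.Subject, e.Issuer, e.Affected)
	}
}
```

In a real recovery the distrusted list would hold the compromised CA's actual root certificates, the findings would come from scanning hosts, keystores and load balancers, and the flagged rows become the replacement work queue, ordered by the owner mapping from step three. The reason to build this before the breach is that the harvest and the owner mapping already exist when the clock starts, which is what makes hours rather than weeks achievable.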
In many cases, organisations tell me they have 3,000 certificates installed, for instance, and by the time I have fully assessed the situation the number of certificates and keys ends up being two or three times that. That many unidentified certificates represents a significant unmanaged and unquantified risk.
Further, few organisations have a management platform in place that gives them the ability to replace compromised certificates quickly. Without one, replacing known compromised certificates is largely a manual effort.
This forces organisations to continue operating in a compromised condition, possibly for many months, while thousands of compromised certificates are replaced by hand. In some cases that may not even be an option, and entire systems may have to be shut down until they are remediated.
None of us knows where the next breach will occur, or whether it will occur in a week or in three months. Enterprises can only respond immediately if they have implemented the four steps of CA compromise recovery beforehand.
The very serious implication is that you had better wake up. Get out of denial. Understand that this is a huge issue of business continuity. And don't think you won't be compromised, because you will.